How SafeChat Became a Gateway for Data Theft

In a recent cyber attack, Android users were targeted with a phoney app called “SafeChat,” which hackers used to obtain private information from well-known messaging services like Signal and WhatsApp. The ‘Bahamut’ APT hacking gang from India is the outfit behind this espionage. To compromise the target’s smartphone, they use spear phishing messages that are sent through WhatsApp and include malicious payloads.

Techniques of Bahamut and Similarities to DoNot APT

The hackers behind Bahamut have exhibited striking parallels to another Indian state-sponsored threat group, “DoNot APT,” according to specialists at CYFIRMA. Notably, both groups have previously carried out assaults on Google Play using phoney chat apps as spyware. Bahamut in particular has a track record of installing phoney VPN software with spyware features on Android phones and tablets. These findings raise questions about a potential alliance between the two hacker groups.

The ‘SafeChat’ Deceptive Front

With its phoney user registration process and false UI that imitates actual chat apps, “SafeChat” lures naïve users. After being installed, the spyware requests authorization to use Accessibility Services in order to access crucial data. This gives the program access to contacts, SMS, call logs, storage on the device, and GPS location information. Additionally, the program asks to be excluded from Android’s battery optimization subsystem to guarantee ongoing background access.
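A defender-side triage check for the permission pattern described above, as an added example that is not from CYFIRMA or the original article: it reads a decoded AndroidManifest.xml (for instance one decoded with apktool) and reports whether an accessibility service, a battery optimization exemption, and several personal-data permissions appear together. The mapping from the article's data types to permission names, the threshold of three categories, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping from the data types named in the article to Android permissions.
DATA_PERMISSIONS = {
    "contacts": {P + "READ_CONTACTS"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "call_logs": {P + "READ_CALL_LOG"},
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}
BATTERY_EXEMPTION = P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = P + "BIND_ACCESSIBILITY_SERVICE"
MIN_DATA_CATEGORIES = 3  # assumed triage threshold, tune for your app fleet


def triage_manifest(manifest_xml):
    """Report whether a decoded manifest shows the permission pattern described above."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    services = [s.get(NS + "name") for s in root.iter("service")
                if s.get(NS + "permission") == ACCESSIBILITY_BIND]
    data = sorted(k for k, perms in DATA_PERMISSIONS.items() if perms & requested)
    battery = BATTERY_EXEMPTION in requested
    return {
        "accessibility_services": services,
        "battery_exemption": battery,
        "data_categories": data,
        # Each item alone is common in legitimate apps; the combination warrants review.
        "review": bool(services) and battery and len(data) >= MIN_DATA_CATEGORIES,
    }


def build_manifest(perms, accessibility_service=None):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = (f'<service android:name="{accessibility_service}" '
           f'android:permission="{ACCESSIBILITY_BIND}"/>') if accessibility_service else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application>{svc}</application></manifest>')


# Constructed samples: one with the full pattern, one ordinary messenger-style app.
FLAGGED = build_manifest(["READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "ACCESS_FINE_LOCATION",
                          "READ_EXTERNAL_STORAGE", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"],
                         accessibility_service=".HelperService")
ORDINARY = build_manifest(["READ_CONTACTS", "ACCESS_FINE_LOCATION", "INTERNET"])

if __name__ == "__main__":
    for label, doc in (("flagged", FLAGGED), ("ordinary", ORDINARY)):
        print(label, triage_manifest(doc))
```

A positive result is a prompt for manual review, not a verdict: legitimate accessibility tools can request a similar set.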

Safechat Spyware Strikes South Asia

Encryption and Prevention Techniques

Cybercriminals use advanced encryption methods to protect their anonymity and prevent monitoring. Because of the use of RSA, ECB, and OAEPPadding encryption, it is quite difficult for security specialists to decipher the stolen data. The use of a “letsencrypt” certificate also makes it more difficult to follow the hackers’ movements.

Focusing on South Asia

Bahamut recently organized a campaign that was aimed at people in South Asia. Because of its continuously expanding user population, which provides hackers with valuable targets, this area has become a center for cyberattacks. The attackers take advantage of consumers’ confidence in well-known communication apps and profit from their propensity to download and use platforms that appear to be secure.

A State Government’s Links

Bahamut is connected to a particular state government in India, according to the information acquired by CYFIRMA. This relationship seriously raises the possibility that state-sponsored organizations could get involved in cyber espionage. Such acts not only endanger the security and privacy of people but also cause concern over global cybersecurity.

In conclusion, the Android spyware campaign run by the Indian APT hacking group Bahamut through the phoney software ‘SafeChat’ is a sobering reminder of the constantly changing threat landscape. The group is able to take advantage of consumers’ confidence and trick them with an app that appears to be authentic, which emphasizes the need for stronger cybersecurity safeguards.

People must be on the lookout for danger and use caution while installing programs from unreliable sources. In order to strengthen cybersecurity defenses and shield users from these persistent cyber threats, governments and technology businesses must work together.


TechBeams Team is a team of seasoned technology writers with several years of experience in the field. The team has a passion for exploring the latest trends and developments in the tech industry and sharing their insights with readers. With a background in Information Technology, TechBeams Team brings a unique perspective to their writing and is always looking for ways to make complex concepts accessible to a broad audience.
