WhatsApp is one of the most widely used messaging platforms in the world. The Meta-owned service has more than two billion users, with India among its largest markets, which makes it an attractive target. Attackers routinely go after WhatsApp users to obtain personal information, whether through scams or by delivering malware over the chat itself.

To steal data from targeted individuals in South Asia, especially India, attackers are using a fake Android chat app called “SafeChat.” The malicious APK is delivered directly in a WhatsApp conversation, so the victim sideloads it rather than installing it from an app store.

The spyware is suspected to be a variant of “Coverlm,” a family that targets messaging apps including Facebook Messenger, Telegram, Signal, WhatsApp, and Viber. Researchers at CYFIRMA attribute the campaign to the India-linked ‘Bahamut’ APT group. Bahamut’s recent operations rely mainly on spear-phishing messages sent over WhatsApp, which deliver the malicious payload straight to the victim, and its targeting is concentrated on South Asia and the regions surrounding India.

According to CYFIRMA’s analysts, Bahamut’s tradecraft resembles that of ‘DoNot APT’ (APT-C-35), another Indian state-sponsored threat group. DoNot APT previously managed to place fake chat apps that function as spyware on Google Play, so an official-store listing is not by itself proof that an app is safe.

SafeChat is stealing data

Although CYFIRMA has not described the social-engineering lure in detail, the victims were evidently persuaded to install the app in the belief that it offered a more secure messaging platform. Before the victim realizes the app is fake, the malware uses ordinary Android libraries to harvest data and transmit it to a command-and-control (C2) server, according to the report. “The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information,” the report states.

  • The attackers first persuade the victim to install the SafeChat app, which looks like a legitimate chat app.
  • After installation, the app asks the user to enable its accessibility service. Accessibility access lets the app click through further permission prompts on the user’s behalf, so it can grant itself access to the contacts list, SMS, call logs, external storage, and GPS location.
  • The app then asks to be excluded from Android’s battery optimization subsystem. With this exemption it keeps running in the background even when the user is not actively using it, instead of being suspended by the OS.
  • Where other chat apps are installed on the device, the app begins interacting with them, which lets it steal data from those apps, including chat messages and media files.
  • The stolen data is encrypted and sent to the attacker’s C2 server. The encrypted channel and the app’s own certificate handling make the exfiltration harder to spot in network traffic and harder to decrypt for inspection.
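The chain above leaves a recognisable fingerprint in the app’s manifest: an accessibility service, a request to be exempted from battery optimisation, and a cluster of data-harvesting permissions that no chat app needs all at once. The following triage script, written here as an added example and not code from CYFIRMA or from the SafeChat sample, reads a decoded AndroidManifest.xml (for instance the one produced by `apktool d app.apk`) and reports whether that combination is present. The two manifests embedded in it are constructed for illustration, the package names are hypothetical, and the scoring threshold is an assumption of this example rather than a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml for the SafeChat-style permission profile.

Added example. The sample manifests below are constructed; the package names
and the scoring rule are assumptions of this example, not published indicators.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"            # android:name as ElementTree sees it
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Data-harvesting permissions named in the infection chain above.
HARVEST_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _is_accessibility_service(service: ET.Element) -> bool:
    """True if the system binds this service under BIND_ACCESSIBILITY_SERVICE
    or it filters the AccessibilityService intent action."""
    if service.get(PERMISSION) == ACCESSIBILITY_PERM:
        return True
    return any(a.get(NAME) == ACCESSIBILITY_ACTION for a in service.iter("action"))


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded manifest.

    matches_profile is True only when all three parts of the chain are present:
    an accessibility service, a battery-optimisation exemption request, and at
    least three harvesting permissions. 'score' is a plain count for ranking
    candidates, not a verdict (assumed heuristic of this example).
    """
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME) for s in root.iter("service") if _is_accessibility_service(s)
    ]
    harvest = sorted(requested & HARVEST_PERMS)
    battery = BATTERY_PERM in requested
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "battery_optimisation_exemption": battery,
        "harvest_permissions": harvest,
        "matches_profile": bool(accessibility_services) and battery and len(harvest) >= 3,
        "score": len(harvest) + 2 * len(accessibility_services) + int(battery),
    }


# Constructed manifest mimicking the chain described above (hypothetical package).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.safechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Safe Chat">
    <service android:name=".AccessService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app for comparison (hypothetical package).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

A hit from this script is a reason to look closer, not a conviction: screen readers, password managers and automation tools legitimately declare accessibility services, and messaging apps do request contacts and storage. What sets the SafeChat chain apart is the full combination, which is why `matches_profile` requires all three parts together.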

Based on the nature of this attack and earlier incidents involving Bahamut, CYFIRMA assesses that the group operates from within Indian territory.

How to stay safe

Here are a few tips for keeping your Android smartphone secure and for defending against malware like SafeChat.

  • Install apps from trusted sources: Only download apps from official app stores, such as the Google Play Store. Do not sideload apps sent to you in chat messages; that is exactly how SafeChat reaches its victims. Bear in mind that an official listing is not a guarantee either, since DoNot APT has previously slipped spyware into Google Play.
  • Check the app permissions: Avoid apps that ask for permissions unrelated to their purpose. A chat app that asks you to enable an accessibility service, or to exempt it from battery optimization, is a warning sign, because accessibility access lets the app approve further permission prompts itself. Consider not installing an app that requests access to sensitive data or features that do not seem relevant to its functionality.
  • Keep your device updated: Install security patches and software updates for your Android device as soon as they are available. Manufacturers release updates to close vulnerabilities and strengthen the device’s defenses.
  • Use security apps: Use a reputable antivirus or security app from a recognized vendor to scan the device regularly for malware and other threats.
