Recent phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on the Google Play Store, along with a custom tool that filters victims for better targeting. SideWinder is an Advanced Persistent Threat (APT) group that has been active since at least 2012 and is believed to be an actor of Indian origin with a relatively high level of sophistication. Additional information about SideWinder can be found here: https://www.binarydefense.com/threat_watch/over-1000-cyber-attacks-were-launched-by-sidewinder-hackers-in-the-past-two-years/.
Researchers at cybersecurity company Group-IB detected a recent phishing campaign luring victims with a document proposing “a formal discussion of the impact of US withdrawal from Afghanistan on maritime security.” In a report shared with reporters, Group-IB says that SideWinder has also been observed in the past cloning government websites (e.g., the government portal in Sri Lanka) to steal user credentials.
The recent phishing campaign also used this method against targets, as the actor set up multiple websites that mimicked legitimate domains of the Pakistani government. During the investigation, the researchers discovered a phishing link that redirected to the legitimate domain “securevpn.com.” Its purpose remains unclear, but it could be to select targets of interest and redirect them to a malicious site. Another link discovered by Group-IB downloaded a fake version of the ‘Secure VPN’ app from Google Play, the official Android app store, which is still present on Google Play at the time of writing. The researchers note that the description for SideWinder’s fake Secure VPN app has been copied from the legitimate NordVPN app. At runtime, the fake Secure VPN app makes requests to two domains likely owned by the attacker, but these were unavailable during the investigation and a request to the root directory redirected to the legitimate NordVPN domain.
SideWinder has used fake apps on Google Play in the past, as shown by previous research from Trend Micro. The attacker’s apps are capable of collecting information from the targeted hosts. Such details include location, battery status, files on the device, installed app list, device information, sensor information, camera information, screenshot, account details, Wi-Fi information, and data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. Collected information will then be sent back to the attacker’s Command and Control (C2) server.
All users should be wary of apps that offer free services. Device owners should research legitimate service providers and follow the links provided on their website to obtain the official app. All users are recommended to stay away from apps that are untested and unverified.