Tuesday, May 13, 2025
HomeAndroidNew Android Malware Via WhatsApp steals Call logs, Locations, & Contacts

New Android Malware Via WhatsApp steals Call logs, Locations, & Contacts

Published on

SIEM as a Service

Follow Us on Google News

According to reports, a new Android malware is circulating under the guise of a fake chat application that is being distributed through WhatsApp.

This malware is discovered to belong to the APT Bahamut and has some footprints of tactics used by the DoNot APT.

This malicious Android application is initially termed “Coverlm” which is installed under the name “SafeChat” on Android devices.

- Advertisement - Google News

This application’s user interface seems to be deceiving and would convince any Android user that it is a legitimate chat application. 

However, once installed, the malware exploits unsuspected Android libraries for extracting and transmitting the data to a C&C (Command and Control) server.

This android malware seems to be targeting individuals in the South Asian region.

Android Malware Via WhatsApp

As previously stated, the app appears as a chat app and requests permission upon opening.

It asks for the “ignore battery optimization” permission which lets the application run on the backend and communicate with the C&C smoothly.

Ignore Battery Optimisation (Source: CYFIRMA)

Upon providing the permission, the signup page appears. Proceeding further, the application asks for another permission under the question, “This permission is required to function properly,” which, when “allowed,” takes the victim to the Accessibility settings.

Unknown permission asked by the application (Source: CYFIRMA)

This permission pops up again and again until the permission is enabled. Once the user allows this permission, the application takes the user to the dashboard, which looks like a legitimate chat application.

Android Malware Behaviour

Reviewing the code in the Android Manifest file of this application showed that the threat actor declared many permissions to perform malicious behaviors with this application.

Some of the dangerous permissions include,

PermissionsDescriptions
ACESS_FINE_LOCATIONAllows the threat actor to fetch precise locations and track the live movement of mobile phones.
READ_CONTACTSThis permission allows TA to read and fetch contacts.
READ_EXTERNAL_STORAGEThis permission allows the threat actor to access the file storage of the mobile.
READ_SMSThis allows the threat actor to read all the SMSs of the device.
READ_CALL_LOGThis permission allows the threat actor to read call logs.
READ_CONTACTSThis permission allows the threat actor to read all the saved contacts in the device.

Furthermore, the application used port 2053 for communicating with the C&C server.

Modules of the application represented the use of the Ktor framework developed with Kotlin which was used for communicating with command and control servers.

Previously, DoNot APT deployed the retrofit library for communication. 

The application is capable of collecting information like IMEI, device ID, SIM details, and location. 

One Nation State Interest

Analyzing further, this attack by APT Bahamut and their previous attack indicated that they have been part of one nation-state government’s interest.

In addition, it is suspected that these threat actors are based out of India as most of their targets pose an external threat to India.

Nevertheless, the facts are yet to be confirmed about their whereabouts. A complete report about the malware’s operation was published by Cyfirma which shows the source code, operation, and other detailed information about this malware and the APT group.

Indicators of Compromise

IndicatorTypeRemarks
8A35D0B20B6F057FE42E606A124CB84D78FA95900A16B056269F1CC613853989Hash: SHA256Safe_Chat.apk
https://laborer-posted[.]nl:2053Domain and portCommand and control

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...