SandStrike – Previously Unknown Android Malware Attacks Android Users Via VPN App

Android users are being targeted by threat actors using spyware known as SandStrike, which is delivered via malware-infected VPN applications. In short, threat actors have been circulating extremely stealthy and sophisticated spyware inside a VPN application.

Cybersecurity researchers at Kaspersky lab reported that an espionage campaign was carried out by threat actors using SandStrike in which they targeted the Persian-speaking minority religion, “Baháʼí,” this religion is mainly developed in some parts of the Middle East and Iran.

This malicious VPN app is being marketed by attackers as a simple method of evading censorship of religious materials in some particular parts of the world.

Distribution Channels for Malware

For distribution channels, threat actors actively target social media platforms with fake accounts on Facebook and Instagram with 1000 followers. With these fake social media accounts, threat actors redirect victims to a Telegram channel operated by them.

On the Telegram channel operated by the threat actors, several malicious links are provided to download and install the malicious VPN app. Though the app is malicious, but, it uses its own VPN infrastructure, which implies that the malicious VPN is completely practical and operational.

The fake accounts that are used by the threat actors are designed with religious-themed materials to target the followers of the Baháʼí religion.

With the installation of the VPN, the SandStrike also gets deployed on the targeted devices which has the ability to steal a wide range of sensitive data from the victims’ devices.

The data includes:-

  • Call logs
  • Contact lists
  • Spy on victims’ activities

APT Trends

There was a considerable amount of change in the tactics, toolsets, and techniques utilized by APT actors during the third quarter of 2022.

Among the new trends, we have mentioned a few of them:-

  • New advanced malware platform targeting telco companies, internet service providers, and universities
  • Upgrades to advanced and sophisticated tools are being made
  • APT campaigns continue to be focused on cyber-espionage as one of their main objectives

In early September, the telco industries, education sectors, and ISPs in Africa and the Middle East were plagued with a novel malware platform named Metatron.

Recommendation

Security analysts have come up with the following recommendations as a way to prevent being attacked by threat actors:-

  • Improve your cybersecurity team’s skills by upskilling them.
  • Access to the latest threat intelligence is one of the most critical things you can do for your SOC team.
  • EDR solutions that are enterprise-grade are recommended.
  • Endpoint protection is an essential part of your IT strategy.
  • Training on security awareness should be introduced.

Managed DDoS Attack Protection for Applications – Download Free Guide

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

U.S. Secures Extradition of Rydox Cybercrime Marketplace Admins from Kosovo in Major International Operation

The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…

4 hours ago

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

2 days ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

2 days ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

2 days ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

2 days ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

2 days ago