A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application.
Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker SandStrike. It has not been attributed to any particular threat group.
“SandStrike is distributed as a means to access resources about the Bahá’í religion that are banned in Iran,” the company noted in its APT trends report for the third quarter of 2022.
While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it’s also configured to covertly siphon data from the victims’ devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands.
The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary.
Links to the channel are also advertised on fabricated social media accounts set up on Facebook and Instagram for the purpose of luring potential victims into downloading the app.
According to an Amnesty International report published in August 2022, Iran’s Ministry of Intelligence has arrested at least 30 members of the community in various parts of the country since July 31, 2022.
The religious minority has been persecuted by Iranian authorities, accusing it of being spies with links to Israel, leading to “raids, arbitrary arrests, home demolitions and land grabs.”
“APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns,” Kaspersky security researcher Victor Chebyshev said.
“In their attacks, they use cunning and unexpected methods. Today it is easy to distribute malware via social networks and remain undetected for several months or even more.”