New SandStrike spyware infects Android devices via malicious VPN app

Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users.

They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East.

The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions.

To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.

"To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief," Kaspersky said.

"Most of these social media accounts contain a link to a Telegram channel also created by the attacker."

While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours their devices for sensitive data and exfiltrates it to its operators' servers.

This malware will steal various types of information like call logs and contact lists and will also monitor compromised Android devices to help its creators keep track of the victims' activity.

Middle East malicious activity recap

Security researchers who spotted the malware in the wild are yet to pin its development on a specific threat group.

On Tuesday, Kaspersky also published its APT trends report for Q3 2022, highlighting more interesting discoveries linked to malicious activity in the Middle East.

The company highlights a new IIS backdoor known as FramedGolf deployed in attacks targeting Exchange servers not patched against ProxyLogon-type security flaws.

"The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022," Kaspersky revealed.

In September, the company also shared analysis on a newly found malware platform dubbed Metatron used against telecom companies, internet service providers, and universities across Africa and the Middle East.

Kaspersky says Metatron "is a modular implant boot-strapped through a Microsoft Console Debugger script" that comes with "multiple transport modes and offers forwarding and port knocking features."