A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application.
Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker SandStrike. It has not been attributed to any particular threat group.
While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it’s also configured to covertly siphon data from the victims’ devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands.
The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary.
Links to the channel are also advertised on fabricated social media accounts set up on Facebook and Instagram for the purpose of luring potential victims into downloading the app.
According to an Amnesty International report published in August 2022, Iran’s Ministry of Intelligence has arrested at least 30 members of the community in various parts of the country since July 31, 2022.
“APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns,” Kaspersky security researcher Victor Chebyshev said.
“In their attacks, they use cunning and unexpected methods. Today it is easy to distribute malware via social networks and remain undetected for several months or even more.”