November 3, 2022

SandStrike fake VPN is latest in wave of new Android malware

Banned religious materials on social media have been used to tempt victims into downloading VPNs laced with spyware.

By Claudia Glover

Android malware hidden in a fake VPN app is being used to plant fully functional spyware on phones in Iran, giving its operators access to call logs and contact lists. The victims are mainly members of the Baháʼí faith, who are lured into installing the trojanised VPN with the promise of access to content about their religion. It is just one of several malware families currently targeting Android phones.

SandStrike Android malware
[Photo: Terraces of the Baháʼí Faith, or the Hanging Gardens of Haifa, in Israel. (Photo by Antoine DESAGE/Shutterstock)]

Security company Kaspersky has discovered Android malware concealed inside a VPN application. Victims are lured into installing the VPN by the promise of access to attractive Baháʼí-themed pages on social media sites such as Instagram and Facebook. So far, the targets have been members of that faith.

The VPN client is a working app, but it also contains what Kaspersky describes as "fully functioning spyware", able to collect and exfiltrate sensitive data including call logs and contact lists, and to monitor the victim's activity on the device, from calls to messages, from the moment the app is installed.

The social media accounts typically direct victims to a Telegram channel said to hold material that is restricted in Iran. The VPN app is offered as the way to reach that content; once installed, it deploys the spyware.

SandStrike and wave of Android malware

SandStrike is not the only malware found targeting Android phones this week. Four apps distributed through the Google Play Store carry a trojan that security company Malwarebytes detects as HiddenAds; between them the apps have been downloaded more than one million times, according to new research from Malwarebytes.

Published by the developer Mobile apps Group, the affected apps are called 'Bluetooth Auto Connect', 'Driver: Bluetooth, Wi-Fi, USB', 'Bluetooth App Sender' and 'Mobile Transfer: smart switch'.

According to the report, the malware lies dormant for about two days after installation, so that the user is less likely to connect its behaviour with the newly installed app. It then begins opening malicious sites in the Chrome browser. "The content of the phishing sites varies," the report states: some are merely pay-per-click pages that do little harm, while others are full-blown phishing sites designed to harvest credentials and banking details.


Last month, the encrypted messaging platform WhatsApp was also used as a lure for Android malware. Attackers used a modified copy of the app called YoWhatsApp to trick victims into installing an Android trojan called Triada, which can hand control of the victim's WhatsApp account to the attackers and let them read messages.

The infected build of YoWhatsApp is a fully working messenger with extra features such as interface customisation. On installation it requests permission to access SMS, and that access is then available to the Triada trojan. More than 3,600 users were targeted by the attack between August and October, according to a report by Kaspersky.
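The permission requests described above for SandStrike (call logs, contacts) and for the YoWhatsApp build (SMS) are the kind of signal a practitioner can check for in an app's manifest before trusting it. The following is an added example, not code from the article or from Kaspersky or Malwarebytes: a Python triage script that parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags an app that presents itself as a VPN yet requests data-harvesting permissions, declares no service bound with BIND_VPN_SERVICE, or targets an old API level. Both manifests below are constructed for illustration, the package names are invented, and the minimum target API level of 30 is an assumed threshold used only to show the check, not Google's published figure.

```python
"""Heuristic manifest triage for a suspected fake VPN app (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that hand an app the data SandStrike and Triada went after.
DATA_HARVESTING_PERMS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest of a hypothetical trojanised "VPN" (not a real sample).
FAKE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free VPN">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# Constructed manifest of a hypothetical legitimate VPN client, for comparison.
REAL_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realvpn">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Real VPN">
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package name, requested permissions, VPN service and targetSdk."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    # A genuine VPN client must expose a service protected by BIND_VPN_SERVICE;
    # without one the app cannot open a tunnel interface through VpnService.
    has_vpn_service = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    # apktool moves <uses-sdk> into apktool.yml, so it may be absent here.
    uses_sdk = root.find("uses-sdk")
    target = uses_sdk.get(ANDROID_NS + "targetSdkVersion") if uses_sdk is not None else None
    return {
        "package": root.get("package"),
        "permissions": perms,
        "has_vpn_service": has_vpn_service,
        "target_sdk": int(target) if target else None,
    }


def triage_vpn_app(manifest, min_target_sdk=30):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    harvesting = sorted(manifest["permissions"] & DATA_HARVESTING_PERMS)
    if harvesting:
        findings.append("requests data-harvesting permissions: " + ", ".join(harvesting))
    if not manifest["has_vpn_service"]:
        findings.append("claims to be a VPN but declares no BIND_VPN_SERVICE service")
    # min_target_sdk is an assumed illustrative threshold, not Google's figure.
    if manifest["target_sdk"] is not None and manifest["target_sdk"] < min_target_sdk:
        findings.append(
            f"targetSdkVersion {manifest['target_sdk']} is below the assumed minimum {min_target_sdk}"
        )
    return findings


if __name__ == "__main__":
    for xml_text in (FAKE_VPN_MANIFEST, REAL_VPN_MANIFEST):
        m = parse_manifest(xml_text)
        print(m["package"], "->", triage_vpn_app(m) or ["no findings"])
```

A manifest check like this is a coarse filter, not a verdict: a spyware-laced VPN could ship a real VpnService and still harvest data, so findings should drive further analysis (network capture, code review of the services it declares) rather than replace it.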

Can anything be done to stop Android malware?

Google has introduced measures, coming into force this month, intended to stop users from installing apps that do not carry the platform's latest privacy and security protections.

According to the Android developers blog, “Starting on November 1, 2022, existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level.”

In practice, users on current devices, or those fully up to date with Android updates, will no longer be offered apps built against outdated API levels. That does not make the remaining apps secure in themselves, but it does ensure they are subject to the newer platform protections. "Expanding our target level API requirements will protect users from installing apps that do not have these protections in place," the blog adds.

