Over the past few years, Google’s efforts to remove malicious and spyware apps from the Play Store have been commendable, but every once in a while, there are a few apps which go under the radar. Now, according to a new report from Cyfirma, two spyware apps, namely nSure Chat and iKHfaa VPN, have been actively infecting users’ devices to gain unauthorized access.
The iKHfaa VPN, backed by the Indian hacking group known as “DoNot” or APT-C-35 and operating from Pakistan, is particularly deceptive, as it not only copied the code from an app called “Liberty VPN” but also injected additional code to access contact lists and enable real-time tracking of users’ locations.
Telltale signs of malware
Although these apps may initially appear legitimate, their installation process should raise concerns among users. This is because, unlike genuine VPNs, which require minimal permissions, the iKHfaa VPN accesses users’ contact lists and precise location data. And once the app has the necessary permissions, it collects the required data and sends it to the threat actor’s command-and-control (C2) server via an HTTP request.
However, the fact that the developer of these malicious apps, SecurITY Industry, also has a third app that seems non-malicious raises some questions about the group’s intentions. Nonetheless, if you either have the nSure Chat or iKHfaa VPN installed on your device, delete it immediately.
Implementing security measures
While the relatively low number of downloads for these spyware apps suggests that the threat actors are specifically targeting individuals, this incident once again highlights the ever-growing importance for users to implement stringent security measures. These measures include reading the terms and reviews of any app before installing it and carefully reviewing the permissions the app requests. Moreover, if any app on your phone causes excessive heating, sluggish performance, or rapid battery depletion, it could also be malware.