SandStrike, a previously undocumented Android malware targets a Persian-speaking religion minority

Threat actors are using previously undocumented Android spyware, dubbed SandStrike, to spy on a Persian-speaking religion minority.

In Q3 2022, Kaspersky researchers uncovered a previously undocumented Android spyware, dubbed SandStrike, employed in an espionage campaign targeting the Persian-speaking religion minority, Baháʼí.

The threat actors were distributing a VPN app embedding a highly sophisticated spyware.

The attackers set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphic materials in order to trick victims into downloading the tainted VPN app. The social media accounts were used to spread a link to a Telegram channel created to distribute the seemingly harmless VPN application. The app would have allowed users to access sites banned in certain regions. The threat actors also set up their own VPN infrastructure.

The spyware is able to steal sensitive a broad range of data, including call logs, contact lists, and also spy on victims’ activities.

“In June, we identified a previously unknown Android spyware app that targets Persian-speaking individuals. SandStrike is distributed as a means to access resources about the Baháʼí religion that are banned in Iran. It provides victims with a VPN connection that can be used to browse these resources. The spyware itself collects various data from the victims’ devices, such as call logs or lists of contacts.” reads the report published by Kaspersky. “During execution, it connects to the C2 server to request commands: these commands allow attackers to perform operations with the device file system.”

Kaspersky has not been attributed the campaign to any particular threat group.

“As we can see from the analysis of the last three months, APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via VPN service, where victims tried to find protection and security, is an excellent example. Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect from existing and emerging threats,” explained Victor Chebyshev, lead security researcher at Kaspersky’s GReAT.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]