SandStrike Spyware Uses VPN App to Infect Android Devices
The Spyware Targets Primarily the Middle East Area.
Last updated on November 2, 2022
A newly discovered spyware is affecting more and more Android devices. Threat actors have become quite keen on SandStrike, spyware that they deliver via a malicious VPN app. The targeted group seems to be Persian-speaking practitioners of the Baháʼí Faith, a religion practiced in Iran and parts of the Middle East.
How SandStrike Works
The VPN app used to spread the spyware is promoted by the attackers as a simple way to circumvent the censorship of religious materials in certain regions. They use social media accounts to redirect victims to a Telegram channel, where the download links to the malicious app are provided.
Unknowingly, when victims download the VPN, they also install the SandStrike spyware, which scans their devices for sensitive data and exfiltrates it to the operators' servers.
As per BleepingComputer, SandStrike targets different types of information such as contact lists, call logs, and other sensitive data, while also monitoring the victim's device so its operators can keep track of the victim's activities. The malware is yet to be attributed to a specific threat group.
Malicious Activity in the Middle East Is Rising
The Middle East is becoming an increasingly frequent target for threat actors, and multiple attacks have been reported this year. A recent one targeted Iran as well, when the country's Atomic Energy Organization (AEOI) confirmed that it had been a victim of the Black Reward hacking group.
In the Black Reward incident, the hacking group stole sensitive information such as emails, correspondence, and technical memos, and posted a 27GB, 14-part collection of RAR archives on its Telegram channel. AEOI called the breach an act of desperation, carried out to attract the attention of the public and media outlets. The threat actors' message also contained the statement "For women, life, freedom," hinting at the case of Mahsa Amini, which sparked a series of ongoing protests in Iran.
Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his skill in communicating cybersecurity norms effectively and in an easy-to-understand manner.