Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

Published: 23/11/2024   Category: security




SandStrike, the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.



Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other, more sophisticated mobile malware as well.
The latest example is SandStrike, a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.
The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking religious minority. The vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.
To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.
According to Kaspersky, the threat actors have even set up their own VPN infrastructure so that the app is fully functional: the victim gets a working tunnel and has no obvious reason to suspect it. But while a user runs SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.
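One practical check that follows from the description above is a permission audit: a VPN client needs network access and a foreground service, not the victim's call logs or contacts. The script below is an added example (not Kaspersky's code and not from the article) that parses a decoded AndroidManifest.xml and flags permissions a VPN has no business requesting. Both manifests are constructed samples; the "expected for a VPN" and "surveillance-grade" permission sets are this example's own assumptions, not an official baseline.

```python
"""Audit an Android manifest for permissions a VPN client has no reason to hold.

Added example, not code from Kaspersky or from the article. The manifests
below are constructed samples: one modeled on the SandStrike description (a
working VpnService that also asks for call-log and contact access) and one
that requests only what a tunnel needs. The permission sets are assumptions
made for this example, not an official baseline.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a legitimate VPN client plausibly needs.
VPN_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions that grant the data the article says SandStrike collects
# (call logs, contacts) plus other surveillance-grade capabilities.
SURVEILLANCE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}

# Constructed sample: a functional VpnService plus spyware permissions.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Free VPN">
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: the same service with only tunnel-related permissions.
CLEAN_MANIFEST = SUSPICIOUS_MANIFEST.replace(
    '    <uses-permission android:name="android.permission.READ_CALL_LOG"/>\n', ""
).replace(
    '    <uses-permission android:name="android.permission.READ_CONTACTS"/>\n', ""
)


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def declares_vpn_service(manifest_xml: str) -> bool:
    """True if some service filters the android.net.VpnService action."""
    root = ET.fromstring(manifest_xml)
    return any(
        action.get(ANDROID_NS + "name") == "android.net.VpnService"
        for action in root.iter("action")
    )


def audit_vpn_manifest(manifest_xml: str) -> dict:
    """Compare requested permissions with what a VPN client should need."""
    perms = declared_permissions(manifest_xml)
    surveillance = {p: SURVEILLANCE[p] for p in sorted(perms) if p in SURVEILLANCE}
    return {
        "is_vpn": declares_vpn_service(manifest_xml),
        "unexpected": sorted(perms - VPN_EXPECTED),
        "surveillance": surveillance,
        "verdict": "SUSPICIOUS" if surveillance else "OK",
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("clean", CLEAN_MANIFEST)):
        report = audit_vpn_manifest(manifest)
        print(f"{label}: {report['verdict']} (declares VpnService: {report['is_vpn']})")
        for perm, what in report["surveillance"].items():
            print(f"  {perm} grants access to {what}, which a VPN does not need")
```

On a real APK the manifest is binary XML; decode it first (for example with `apktool d app.apk`, which writes a readable AndroidManifest.xml) and pass that file's contents to `audit_vpn_manifest`. The check is deliberately narrow: it catches an app whose declared purpose does not match the data it asks for, which is exactly the SandStrike pattern, but it says nothing about what a fully-permissioned app does at runtime.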
The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware, an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.
The booby-trapped SandStrike VPN app is one example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier in 2022 highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of that year. The increase followed a sharp decline in attack volumes toward the end of 2021.
The email security vendor found that many of the new malware tools are capable of far more than credential theft: recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location, and destroying or wiping content and data.
Google's and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices themselves.
Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app from an unofficial third-party app store or to sideload it directly onto the device, as Android does, Proofpoint said.
Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The capabilities built into these malware families include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats, FluBot, has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June 2022.
Proofpoint found that mobile malware is not confined to a specific region or language. Instead, threat actors adapt their campaigns to a variety of languages, regions and devices, the company warned.
Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeting mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. Other notable threats included mobile banking Trojans, mobile ransomware tools, spyware like SandStrike, and malware downloaders. Kaspersky also found that the creators of some malicious mobile apps have increasingly targeted users in multiple countries at once.
The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. In 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include implementing security-focused mobile device management; ensuring that only trusted devices are allowed access to applications and data; using strong authentication; disabling access to third-party app stores; and ensuring that users install apps only from curated app stores. The SandStrike lure, a sideloaded "free VPN" distributed through a Telegram channel, is precisely the kind of install path the last two controls are meant to block.
