SideWinder Hackers Plant Fake Android VPN App in Google Play Store


Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices posted on the Google Play Store along with a custom tool that filters victims for better targeting.

SideWinder is an APT group active since at least 2012, assessed to be of Indian origin and operating with a relatively high level of sophistication.

Kaspersky security researchers have attributed nearly 1,000 attacks to this group over the past two years. Among its main targets are organizations in Pakistan, China, Nepal and Afghanistan.

The adversary relies on a fairly large infrastructure of more than 92 IP addresses, used mainly for phishing attacks, and hosts hundreds of domains and subdomains that serve as command and control servers.

Figure: The SideWinder APT group infrastructure (source: Group-IB)

A recent phishing campaign attributed to SideWinder (aka RattleSnake, Razor Tiger, T-APT-04, APT-C-17, Hardcore Nationalist) targeted organizations in Pakistan in both the public and private sectors.

Earlier this year, researchers at cybersecurity firm Group-IB detected a phishing document luring victims with a document offering “a formal discussion on the impact of the US withdrawal from Afghanistan on maritime security.”

Figure: Lure used by the SideWinder APT group in a phishing campaign (source: Group-IB)

In a report shared with BleepingComputer, Group-IB states that SideWinder has also been observed in the past cloning a government website (for example, a government portal in Sri Lanka) to steal user credentials.

The recent phishing campaign also used this method against targets, as the actor created several websites that imitated legitimate Pakistani government domains:

  • finance.pakgov[.]report
  • vpn.pakgov[.]report
  • csd.pakgov[.]report
  • hajj.pakgov[.]report
  • nadra.pakgov[.]report
  • pt.pakgov[.]report
  • flix.pakgov[.]report
  • covid.pakgov[.]report
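The domains above follow one pattern: a familiar government service name (nadra, hajj, finance) placed in front of a registered domain the attacker controls. The Python below is an added example, not Group-IB's or BleepingComputer's code, showing how a defender can refang indicators like these and flag the ones that imitate a known service. The service labels and the legitimate registered domain `gov.pk` are constructed reference data for the example; a real deployment would use the organisation's own brand list and a proper public-suffix lookup.

```python
import re
from typing import Dict, List, Tuple

# Constructed reference data (assumption for this example): leftmost labels of
# legitimate Pakistani government services that a phishing subdomain may imitate.
LEGIT_SERVICE_LABELS = {
    "nadra": "National Database and Registration Authority",
    "finance": "Finance Division",
    "hajj": "Hajj services",
    "csd": "Canteen Stores Department",
    "covid": "COVID-19 portal",
    "vpn": "Remote access VPN",
}

# Registered domains the organisation actually owns (constructed).
LEGIT_REGISTERED_DOMAINS = {"gov.pk"}

# Common defanging styles seen in threat reports: [.] (.) {.}
_DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'nadra.pakgov[.]report' into a hostname."""
    return _DEFANG_RE.sub(".", domain.strip().lower())


def registered_domain(host: str) -> str:
    """Last two labels of the hostname. Adequate for .report/.com style TLDs;
    not a public-suffix-list lookup, so treat it as an approximation."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(indicator: str) -> Tuple[str, str, str]:
    """Return (hostname, verdict, detail) for one plain or defanged indicator."""
    host = refang(indicator)
    reg = registered_domain(host)
    if reg in LEGIT_REGISTERED_DOMAINS:
        return host, "legitimate", reg
    labels = host.split(".")
    # The leftmost label is the service name a victim recognises.
    service = labels[0] if len(labels) > 2 else ""
    if service in LEGIT_SERVICE_LABELS:
        return host, "impersonation", f"{service} -> {LEGIT_SERVICE_LABELS[service]}"
    # No known service label, but the registered domain itself looks governmental.
    if "gov" in reg.split(".")[0]:
        return host, "suspicious", f"government-looking registered domain {reg}"
    return host, "unknown", reg


def triage(indicators: List[str]) -> Dict[str, List[str]]:
    """Group a list of indicators by verdict so an analyst can review them in bulk."""
    buckets: Dict[str, List[str]] = {}
    for ind in indicators:
        host, verdict, _ = classify(ind)
        buckets.setdefault(verdict, []).append(host)
    return buckets


if __name__ == "__main__":
    iocs = [
        "finance.pakgov[.]report", "vpn.pakgov[.]report", "csd.pakgov[.]report",
        "hajj.pakgov[.]report", "nadra.pakgov[.]report", "pt.pakgov[.]report",
        "flix.pakgov[.]report", "covid.pakgov[.]report", "nadra.gov.pk",
    ]
    for verdict, hosts in triage(iocs).items():
        print(f"{verdict:14s} {hosts}")
```

Feeding the article's list through `triage` separates the six subdomains that borrow a real service name from the two (`pt`, `flix`) that only share the government-looking registered domain, which is the distinction a blocklist reviewer usually wants first.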

During the investigation, researchers discovered a phishing link that redirected to the legitimate domain “”. Its purpose remains unclear, but it could be to select targets of interest and redirect them to a malicious site.

Another link discovered by Group-IB downloaded, from Google Play, the official Android app store, a fake version of the ‘Secure VPN’ app, which was still present on Google Play at the time of writing and counted quite a bit more than 10 downloads.

Figure: Fake Secure VPN app in Google Play used by SideWinder APT in a phishing campaign (source: BleepingComputer)

The researchers note that the available description for SideWinder’s fake Secure VPN app was copied from the legitimate NordVPN app.

At runtime, the fake Secure VPN application sends a few requests to two domains probably owned by the attacker. These were not available during the investigation, and a request to the root directory was redirected to the legitimate NordVPN domain.

Unfortunately, the researchers could not confirm the purpose of the fake VPN app or whether it is malicious. However, SideWinder has used fake apps on Google Play in the past, as shown by earlier Trend Micro research.

The list of actions previous fake SideWinder apps could perform included collecting and sending to the command and control server information such as:

  • Location
  • Battery status
  • Files on the device
  • List of installed applications
  • Device Information
  • Sensor Information
  • Camera Information
  • Screenshot
  • Account
  • Wifi information
  • Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and Chrome


Group-IB also discovered that the adversary was using a custom tool recently added to its arsenal, tracked internally by Group-IB as SideWinder.AntiBot.Script.

“The script checks the environment of the client browser and, based on several parameters, decides whether to emit a malicious file or redirect to a legitimate resource” – Group-IB

If the script detects a visitor from an IP address in Pakistan, it redirects to a malicious location. The following parameters are checked to determine whether a visitor is a potential target or not:

  • Geographical position
  • Operating system version
  • User agent data
  • System language settings

It can also determine the number of logical processors on the system and the video card used by the host, and it can access the credentials container in the web browser, which can return saved passwords.

The video card check is likely meant to determine whether the host is being used for malware scanning, as the result is compared with the screen size of the device.

Another function of the script, the most important one, serves the malicious file to a relevant target and redirects an irrelevant visitor to a legitimate resource.
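A script that hands one visitor a file and sends everyone else to a legitimate page is a cloaking gate, and the practical way to detect it from the outside is to request the same URL with more than one client profile and compare what comes back. The Python below is an added example, not code from Group-IB or from the article, of that differential check. The two profiles, the `constructed_fetch` stand-in for a live request and the digest strings are all constructed so the example runs offline; a real run would plug in an HTTP client, and a single vantage point still cannot reproduce the source-IP geolocation the script keys on.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    accept_language: str


@dataclass
class Response:
    status: int
    content_type: str
    location: str = ""      # Location header on a redirect
    body_sha256: str = ""   # digest of the body; enough to compare without storing it


# Signature of whatever performs the request: (url, profile) -> Response.
Fetcher = Callable[[str, ClientProfile], Response]

# Constructed analyst profiles (assumption): one resembling an end user in the
# targeted region by language header, one resembling a generic scanner.
PROFILES: List[ClientProfile] = [
    ClientProfile("targeted-user", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ur-PK,en-PK;q=0.8"),
    ClientProfile("generic-scanner", "python-requests/2.31", "en-US"),
]

# Content types that indicate a file download rather than a page.
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}


def summarize(r: Response) -> str:
    """Collapse a response into a comparable kind: redirect target, download, or page digest."""
    if 300 <= r.status < 400:
        return f"redirect:{r.location}"
    if r.content_type in DOWNLOAD_TYPES:
        return "download"
    return f"page:{r.body_sha256[:12]}"


def is_cloaked(url: str, fetch: Fetcher, profiles: List[ClientProfile] = PROFILES) -> Dict[str, object]:
    """Fetch `url` once per profile and report whether the server answered differently,
    and whether any profile was handed a file."""
    kinds = {p.name: summarize(fetch(url, p)) for p in profiles}
    return {
        "cloaked": len(set(kinds.values())) > 1,
        "serves_download": "download" in kinds.values(),
        "per_profile": kinds,
    }


# Constructed stand-in for a live fetch. Responses are keyed only on the profile
# name and imitate the behaviour the article describes: a file for the intended
# visitor, a redirect to a legitimate site for everyone else.
def constructed_fetch(url: str, profile: ClientProfile) -> Response:
    if profile.name == "targeted-user":
        return Response(200, "application/octet-stream", body_sha256="0a1b2c3d4e5f60718293")
    return Response(302, "text/html", location="https://example.org/legitimate-page")


# Constructed stand-in for a site that treats every visitor the same.
def constructed_honest_fetch(url: str, profile: ClientProfile) -> Response:
    return Response(200, "text/html", body_sha256="feedfacecafebeef0123")


if __name__ == "__main__":
    print(is_cloaked("https://example.invalid/landing", constructed_fetch))
    print(is_cloaked("https://example.invalid/landing", constructed_honest_fetch))
```

The `per_profile` map is what an analyst files with the case: it records that the same URL produced a download for one profile and a redirect to a legitimate site for the other, which is the observable fingerprint of the gate described above even when the gate's own source is never recovered.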

Based on its findings, Group-IB assesses that SideWinder has ample infrastructure available to deploy new command and control servers in support of its phishing activities.
