This Android chat app is actually spyware that steals your data — how to stay safe

Under the guise of providing Android users with a more secure way to chat, hackers are now using a fake chat app to install spyware on vulnerable smartphones.

As reported by BleepingComputer, a fake Android app called ‘SafeChat’ is making the rounds online by claiming to be one of the best encrypted messaging apps. However, instead of offering end-to-end encrypted chats, the app is actually spyware capable of stealing call logs, text messages and users’ GPS locations from infected smartphones.

SafeChat was first discovered by researchers at the Singapore-based cybersecurity firm CYFIRMA, who detailed their findings in a new report. According to the firm, the Indian advanced persistent threat (APT) hacking group ‘Bahamut’ is behind this new campaign. However, CYFIRMA’s security researchers have also found several similarities with another Indian state-sponsored threat group called ‘DoNoT APT’ which, in the past, was found uploading fake chat apps that also acted as spyware to the Google Play Store.

The Bahamut group has a history of creating malicious apps, and at the end of last year it was found distributing fake VPN apps that also had extensive spyware capabilities.

Stealing data from other chat apps

In its report on the matter, CYFIRMA doesn’t go into too many details on how SafeChat is currently being distributed, but it does explain that users in South Asia are being targeted by the hackers behind this campaign. As with other malicious apps, though, they could easily expand their operation and begin targeting users in the U.S. and Europe.

What we do know, though, is that SafeChat has a convincing interface that makes it appear like a real encrypted messaging app. New users are also taken through a registration process that helps add credibility to what is essentially spyware.

Just like other malicious Android apps, SafeChat requests during installation that users give the app access to the operating system’s Accessibility Services, which are then abused to automatically grant even more permissions to the spyware. These permissions are what allow it to access the contacts, text messages, call logs, storage and GPS location data on infected smartphones.

By examining SafeChat’s Android Manifest file, CYFIRMA discovered that the app is designed to interact with other chat apps installed on a compromised device, including Telegram, Signal, WhatsApp, Viber and Facebook Messenger. This allows the spyware to steal data from them, which is then sent back to a command and control (C&C) server operated by the hackers behind this campaign.
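As an added example (not taken from CYFIRMA's report or from this article's sources), here is a small triage script an analyst could run over a decoded AndroidManifest.xml: it flags an app that declares an Accessibility Service while also requesting the data permissions described above. The sample manifest, its package and class names, and the three-permission threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions covering the data types named in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}

# Constructed sample; not the real SafeChat manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".ChatAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text, threshold=3):
    """Summarise accessibility services and sensitive permissions in a manifest."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    data = sorted(label for perm, label in SENSITIVE.items() if perm in requested)
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == BIND_A11Y]
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "sensitive_data": data,
        # Assumed heuristic: accessibility service plus broad data access.
        "suspicious": bool(services) and len(data) >= threshold,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A hit is a reason to look closer rather than a verdict, since legitimate accessibility tools also declare this service.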

How to stay safe from malicious chat apps

During campaigns like the one described above, hackers will often suggest that potential victims install a new chat app in order to move their conversation to a platform that is more secure. Anytime someone you don’t know, or don’t know that well, tries to persuade you to install new software or a new app on your phone, this is a major red flag and something that you should avoid at all costs. This is especially true if they send you a link to download and sideload the app instead of installing it from an official app store like the Play Store, Amazon App Store or the Samsung Galaxy Store.

At the same time, you should be using one of the best Android antivirus apps to protect your smartphone from malicious apps and spyware. If you’re on a tight budget, Google Play Protect also scans all of your existing apps and any new ones you download for malware, but this free app that ships with most Android phones doesn’t have the same functionality and features that paid Android antivirus apps do.

Tricking unsuspecting users into downloading new apps that claim to be safer than more well-established apps is a common trick used by hackers. However, it’s up to you to remain vigilant and avoid falling for their tricks.

Anthony Spadafora
Senior Editor Security and Networking
