Researchers found that the Bahamut group uses trojanized versions of SoftVPN and OpenVPN for Android for espionage. The group spreads the malware through a fake website posing as the legitimate SecureVPN. The trojanized VPN works as expected, but it also steals contacts, logs, geolocation, SMS messages and conversations from half a dozen messaging apps.
Fortunately, the malware did not appear in the Google store; apparently it was delivered selectively to specific victims of the campaign. Bahamut has been active since 2016 and has been seen spying in the Middle East and South Asia. So the news is well timed for bloggers with low social responsibility who post stories advertising VPNs for a small fee. Bahamut's Trojan, of course, does not mine Monero, and the phone will not run its battery down five times a day. But it copes with stealing information perfectly.