Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users.
They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East.
The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions.
To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.
“To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief,” Kaspersky said.
“Most of these social media accounts contain a link to a Telegram channel also created by the attacker.”
While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours the victims’ devices for sensitive data and exfiltrates it to its operators’ servers.
The malware steals information such as call logs and contact lists, and also monitors the compromised Android devices so its creators can keep track of the victims’ activity.
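The behaviour described above (a VPN client that also reads call logs and contacts) gives defenders a simple manifest-level triage heuristic: a VPN app has no legitimate need for call-log or contacts access. The following Python script is an added example, not code from the article or from Kaspersky, and the manifest it inspects is constructed for illustration rather than taken from SandStrike; it checks whether an app declares a VPN service (guarded by the real `android.permission.BIND_VPN_SERVICE`) and, if so, reports any data-harvesting permissions it requests.

```python
"""Triage heuristic for Android manifests: flag VPN apps that request
data-harvesting permissions a VPN client does not need.

Added example; the sample manifests below are constructed, not from any
real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions matching the data the article says SandStrike collects
# (call logs, contacts), plus SMS as a common companion; none is needed
# by a VPN client.
SUSPICIOUS_FOR_VPN = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}


def parse_manifest(xml_text):
    """Return (is_vpn_app, set_of_requested_permissions)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # A VpnService implementation must be protected by BIND_VPN_SERVICE,
    # so its presence on a <service> identifies a VPN app.
    is_vpn = any(
        s.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    return is_vpn, requested


def triage(xml_text):
    """Return sorted list of suspicious permissions for a VPN app,
    or an empty list if the app is not a VPN or requests none."""
    is_vpn, requested = parse_manifest(xml_text)
    if not is_vpn:
        return []
    return sorted(requested & SUSPICIOUS_FOR_VPN)


# Constructed manifest of a VPN app that also reads call logs and contacts.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest of a VPN app with only network permissions.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.cleanvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS_MANIFEST))
    print("benign:", triage(BENIGN_MANIFEST))
```

The manifest is obtained from an APK with standard tooling (for example `aapt dump xmltree` or apktool) before being fed to `triage`; a non-empty result is a reason to inspect the app further, not proof of spyware, since the heuristic only looks at declared permissions.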