Fake Android VPN apps used by the SideWinder APT to target Pakistan

Fake Android VPN Mobile Apps SideWinder APT Threat Group Pakistan Malware Spear Phishing

The SideWinder APT group has included a new custom tool for malware strains in phishing attacks distributed to Pakistani organisations. The phishing links are attached to emails impersonating legitimate notifications and services of government departments and organisations in Pakistan.

SideWinder, an advanced persistent threat group that has been active since 2012, primarily focuses on attacking central Asian countries such as Bangladesh, Nepal, Singapore, Afghanistan, and Pakistan. A month ago, a separate researcher claimed that SideWinder has been responsible for roughly a thousand cyberattacks in the past couple of years.


SideWinder APT operators utilise a spear-phishing campaign to spread their payloads.


The SideWinder group’s plan of attack involves a spear-phishing email campaign to spread a malicious ZIP file that contains an LNK or RTF archive. These archives can download an HTML Application payload from a remotely operated server.

The threat actors accomplish this attack by attaching fraudulent links that the group creates to impersonate authentic notifications and services of Pakistan’s government agencies and private sectors.

The researchers then tracked the hacker group’s tool as “SideWinder[.]AntiBot[.]Script. The device behaves as a traffic direction system that redirects Pakistanis who click on phishing links to the hostile domain.

However, if a user has an IP address different from Pakistan’s IP on the link, the AntiBot script guides them to an authentic document found on a legitimate server. This information indicates that the threat actors attempt to geofence all their targets.

Based on the written report, the script will review the client browser environment, and it will decide whether the user will be issued with a malicious file or redirect it to a legitimate source.

Although the true purpose of the fake VPN application is still a mystery for researchers, this is not the first instance the group has bypassed the Google Play Store protections to offer rouge apps under the pretext of utility software.

A few years ago, an advisory was published regarding three malicious apps that mimicked a photography app and file management tools that exploited a critical vulnerability called Android CVE-2019-2215. The exploit enabled the threat actors to obtain root privileges and abuse accessibility service permissions to gather essential information.

About the author

Leave a Reply