The campaign is sophisticated, relying on fake yet convincing apps and domains.
Android is widely used in Pakistan, which also makes its users a lucrative target for cybercriminals and state-backed hackers, not least because apps are commonly installed from third-party stores. One such example is a recent report from Sophos describing a sophisticated spyware campaign that targets Android users in the country with fake apps.
Espionage Operation Against Pakistani Users
Sophos cybersecurity researchers have uncovered a new spyware campaign whose primary targets are Android users in Pakistan. In this campaign, threat actors are using trojanized versions of genuine Android apps to spy on users.
In their report, researchers wrote that they have identified a small ‘cluster of trojanized versions of Android apps,’ modified to add malicious features that let the app carry out surveillance and espionage silently. The clean versions of these apps are available on the Google Play Store.
Apps Download a DEX Executable
The modified apps look identical to their original counterparts and perform their legitimate functions normally. After profiling the victim’s phone, they download a second-stage payload as an Android Dalvik executable (DEX) file; most of the malicious functionality is embedded in that DEX payload rather than in the app itself.
That functionality includes silently exfiltrating sensitive data such as the contact list and the full contents of SMS messages. The information is then sent to several command-and-control (C&C) websites hosted on servers located in eastern Europe.
‘Highly Peculiar’ Selection of Apps
The trojanized apps are disguised as popular Pakistani apps, including:
- The Pakistan Citizen Portal
- Registered SIMs Checker
- Mobile Packages Pakistan
- TPL Insurance
- Pakistan Salat Time – a Muslim prayer time app
According to Andrew Brandt and Pankaj Kohli of the Sophos threat analysis team, the fake version of the Pakistan Citizen Portal app was also displayed as a static image on the Trading Corporation of Pakistan website, probably to lure unsuspecting users into downloading the malicious app.
Sophos researchers also identified another malicious app, Pakistan Chat, which used the API of a legitimate chat service, ChatGum, but did not download a DEX payload. Once installed, the app requests intrusive permissions, including access to the file system, contacts, microphone, location, and SMS messages.
A Singular Purpose
Sophos researchers believe the trojanized apps have a single purpose: to spy on the infected device and exfiltrate data from it. The apps send the phone’s unique IMEI identifier to the C&C server and relay detailed profile information, including call logs and a full directory listing of the device’s internal storage.
Additionally, the fake Pakistan Citizen Portal app can transmit sensitive data such as the user’s computerized national identity card (CNIC) details, passport data, and credentials for Facebook or other social media accounts.
Researchers therefore recommend installing apps only from trusted sources such as the Google Play Store, and scrutinizing the permissions an app requests before installing it.
“In the current Android ecosystem, apps are cryptographically signed as a way to certify the code originates with a legitimate source, tying the app to its developer. However, Android doesn’t do a good job exposing to the end-user when a signed app’s certificate isn’t legitimate or doesn’t validate. As such, users have no easy way of knowing if an app was indeed published by its genuine developer,” researchers advised in their blog post.
“This allows threat actors to develop and publish fake versions of popular apps. The existence of a large number of app stores, and the freedom of users to install an app from practically anywhere makes it even harder to combat such threats,” researchers concluded.
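The signing problem the researchers describe is checkable by an analyst even though Android does not surface it to end users. The Python below is an added example, not code from the Sophos report or from the article: it reads the PKCS#7 signature block that a v1 (JAR-style) APK signature stores under META-INF/, pulls out the signer certificate with a minimal DER walker, and compares its SHA-256 fingerprint against a pinned fingerprint taken from a known-good copy of the app. The sample APK, the "genuine" and "attacker" certificates (plain DER SEQUENCEs with arbitrary bytes, not real X.509 certificates) and the pinned fingerprint are all constructed in the block for the demonstration. APKs signed only with the v2/v3 scheme keep their certificates in the APK Signing Block instead; for those, use `apksigner verify --print-certs`, which reports the same SHA-256 certificate digest this code computes.

```python
"""Pin and verify the signing certificate of an APK (v1 / JAR-style signature).

Added example, not code from the Sophos report or this article. It walks the
PKCS#7 SignedData blob in META-INF/*.RSA (or .DSA/.EC) with a minimal DER
parser, extracts each certificate and hashes it with SHA-256, the same
fingerprint `apksigner verify --print-certs` prints.
"""
import hashlib
import io
import zipfile


def _tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value_start, value_end).
    Single-byte tags only, which is all the PKCS#7/X.509 containers here use."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        vstart = pos + 2 + n
    else:                                  # short-form length
        length, vstart = first, pos + 2
    return tag, vstart, vstart + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each element of a constructed node."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve, pos, ve
        pos = ve


def certificates_from_pkcs7(der):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
    """
    _, ci_start, ci_end = _tlv(der, 0)
    content = [(vs, ve) for tag, vs, ve, _, _ in _children(der, ci_start, ci_end) if tag == 0xA0]
    if not content:
        return []
    _, sd_start, sd_end = _tlv(der, content[0][0])         # the SignedData SEQUENCE
    for tag, vs, ve, _, _ in _children(der, sd_start, sd_end):
        if tag == 0xA0:                                      # certificates [0] IMPLICIT: Certificate TLVs back to back
            return [der[ts:te] for ctag, _, _, ts, te in _children(der, vs, ve) if ctag == 0x30]
    return []


def apk_signer_fingerprints(apk_bytes):
    """SHA-256 hex fingerprints of all certificates in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def is_signed_by_known_publisher(apk_bytes, pinned_fingerprints):
    """True only if the APK is signed and every signer certificate is in the pinned set.
    An unsigned APK, or one re-signed with an attacker's key, fails closed."""
    found = apk_signer_fingerprints(apk_bytes)
    return bool(found) and found <= set(pinned_fingerprints)


# --- constructed fixtures for the demo: not real apps, not real certificates ---

def _der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_apk(cert_der=None):
    """Minimal APK-shaped zip; with `cert_der` it carries a PKCS#7 block naming that certificate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        if cert_der is not None:
            signed_data = _der(0x30,
                _der(0x02, b"\x01")                                                   # version
                + _der(0x31, b"")                                                     # digestAlgorithms
                + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))     # encapContentInfo: pkcs7-data
                + _der(0xA0, cert_der)                                                # certificates [0]
                + _der(0x31, b""))                                                    # signerInfos (empty placeholder)
            pkcs7 = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")    # id-signedData
                              + _der(0xA0, signed_data))
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Placeholder "certificates": DER SEQUENCEs with arbitrary content, not real X.509 certs.
GENUINE_CERT = _der(0x30, b"genuine-developer-placeholder")
ATTACKER_CERT = _der(0x30, b"attacker-resigned-placeholder")
# In practice the pinned value comes from a known-good copy of the app (e.g. the Play Store build).
PINNED = {hashlib.sha256(GENUINE_CERT).hexdigest()}

if __name__ == "__main__":
    print("genuine  :", is_signed_by_known_publisher(build_sample_apk(GENUINE_CERT), PINNED))
    print("re-signed:", is_signed_by_known_publisher(build_sample_apk(ATTACKER_CERT), PINNED))
    print("unsigned :", is_signed_by_known_publisher(build_sample_apk(), PINNED))
```

Two design points. The check fails closed: an APK with no signature block, or one whose signer set contains any certificate outside the pinned set, is rejected, because a trojanized copy of a Play Store app cannot reuse the original developer's key and must be re-signed with the attacker's own. And the comparison is what Android itself does not do at install time: the platform only enforces that an update's signer matches the already-installed app, so a fresh install of a re-signed copy from a third-party store goes through without any warning to the user, which is exactly the gap the researchers describe. On a real APK, `keytool -printcert -jarfile app.apk` or `apksigner verify --print-certs` gives the fingerprint to pin.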