Pakistani Users Spied On by New Trojanized Android Applications
Cybersecurity researchers have uncovered a new spyware operation that secretly monitors users in Pakistan through trojanized versions of legitimate Android apps. The trojanized variants mimic Pakistan Citizen Portal, Mobile Packages Pakistan, Registered SIMs Checker, Pakistan Salat Time (a Muslim prayer-time app), and TPL Insurance.
These trojanized apps hide their real purpose: once running, they quietly download a payload in the form of a DEX (Dalvik Executable) file, Android's compiled code format, and load it at runtime. The payload can extract the user's contact list and read the contents of every SMS on the targeted device, and it transmits the collected data to one of a small number of command-and-control servers in eastern Europe.
Cybersecurity researchers at Sophos described the details in an article: “The modified apps look identical to their legitimate counterparts, and even perform their normal functions, but are designed to, initially, profile the phone, and then download a payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages. The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.”
Strikingly, the fake Pakistan Citizen Portal website was advertised prominently on the website of the TCP (Trading Corporation of Pakistan), as a static image, in the hope that visitors would download the trojanized app from the fake site without a second thought. The TCP website now displays a message saying it is down for maintenance. Besides the applications listed above, Sophos researchers also found a separate app called Pakistan Chat that has no benign counterpart on the Google Play Store, yet was found to use the API of a legitimate chat service called ChatGum.
As soon as installation completes, the app requests permissions to access system files, location, contacts, SMS messages, and the microphone, which lets it collect large amounts of information from the infected device. All of the listed apps share a single aim: to observe, monitor, and extract data from the infected device. The DEX payload also extracts and transmits the device's IMEI number, the call logs, and a complete list of the directories on the device.
The Pakistan Citizen Portal app was also found exfiltrating sensitive data such as CNIC (Computerized National Identity Card) numbers, passport details, and the usernames and passwords of Facebook and other accounts. The researchers said: “The Pakistan Citizen Portal app prompts the user to enter their national ID credentials, such as their national identity card (CNIC) number, their passport details, and the username and password for Facebook and other accounts. In tests, this information was exfiltrated along with the rest.”
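As an added illustration (not code from Sophos or from the article), the following Python script performs the kind of static triage a practitioner would run on a suspect APK for the two traits described above: type descriptors in classes.dex that indicate runtime loading of downloaded DEX code, and a compiled manifest that declares the permission set this spyware requests. Compiled AndroidManifest.xml files store strings as UTF-16LE (or UTF-8 in some builds), so both encodings are searched. The sample APKs are constructed zip files, not real apps, and the marker and permission lists are this example's own assumptions.

```python
import io
import zipfile

# Indicators of the behaviour described above (this example's own assumptions).
DYNAMIC_LOAD_MARKERS = [
    b"Ldalvik/system/DexClassLoader;",          # classic loader for a DEX on disk
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",  # loads a DEX straight from a buffer
]
SPYWARE_PERMISSIONS = [
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",      # needed to read the IMEI
    "android.permission.READ_EXTERNAL_STORAGE",
]


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag an APK that both loads code at runtime and asks for the spyware permission set."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        dex_blobs = [apk.read(n) for n in names if n.startswith("classes") and n.endswith(".dex")]
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    # DEX type descriptors are stored as plain MUTF-8, so a byte search is reliable.
    loaders = sorted({m.decode() for blob in dex_blobs for m in DYNAMIC_LOAD_MARKERS if m in blob})
    # Compiled manifests keep their string pool in UTF-16LE or UTF-8; check both.
    perms = [p for p in SPYWARE_PERMISSIONS
             if p.encode("utf-16-le") in manifest or p.encode() in manifest]
    return {
        "dynamic_loaders": loaders,
        "sensitive_permissions": perms,
        "suspicious": bool(loaders) and len(perms) >= 3,
    }


def build_sample_apk(trojanized: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake manifest and a fake classes.dex."""
    perms = SPYWARE_PERMISSIONS if trojanized else ["android.permission.INTERNET"]
    manifest = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in perms)
    dex = b"dex\n035\x00" + b"Lcom/example/prayertimes/MainActivity;"   # hypothetical package
    if trojanized:
        dex += b"\x00Ldalvik/system/DexClassLoader;\x00loadClass"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign-looking sample", False), ("trojanized sample", True)):
        print(label, triage_apk(build_sample_apk(flag)))
```

A hit on the loader markers is not proof on its own (plugin frameworks and some packers use them too), which is why the verdict also requires the permission set; a real workflow would follow a hit by pulling the downloaded DEX from the app's data directory and decompiling it.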
This is yet another reminder to install apps only from verified, trusted sources and to review which permissions to grant and which to deny. The researchers concluded by explaining how and why such attacks are possible. Apps are cryptographically signed to give assurance that they come from a genuine source and developer. But the researchers believe Android does not do enough to verify that an app's source is genuine (a clone signed with an attacker's own key installs like any other new app), and users have no simple way to tell whether an app comes from its genuine developer, which lets attackers build clones of applications and publish them openly for malicious purposes.
Such attacks are harder to stop because users are free to download apps from any source, including a number of third-party app stores. “To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Developers of popular apps often have a website, which directs the users to the genuine app. Users should verify if the app was developed by its genuine developer. We also advise users to consider installing an antivirus app on their mobile device such as Sophos Intercept X for Mobile that defends their device and data from such threats,” the researchers concluded.
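To make the "verify the developer" advice concrete, here is an added Python example (not Sophos's tooling or code from the article) that pins the SHA-256 fingerprint of a developer's signing certificate and checks a suspect APK's v1 (JAR-scheme) signer against it. It uses a small hand-written DER walker rather than a third-party library; the certificate blobs and APK zips are constructed placeholders, not real X.509 certificates, and the function names are this example's own.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV (single-byte tag) at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed fixtures)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def first_signer_cert(pkcs7: bytes) -> bytes:
    """DER bytes of the first certificate inside a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, pos, _ = _der_read(pkcs7, 0)                  # ContentInfo SEQUENCE
    tag, vs, ve = _der_read(pkcs7, pos)              # contentType OID
    if tag != 0x06 or pkcs7[vs:ve] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData blob")
    _, pos, _ = _der_read(pkcs7, ve)                 # content [0] EXPLICIT
    _, pos, _ = _der_read(pkcs7, pos)                # SignedData SEQUENCE
    for _ in range(3):                               # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _der_read(pkcs7, pos)
    tag, vs, _ = _der_read(pkcs7, pos)               # certificates [0] IMPLICIT
    if tag != 0xA0:
        raise ValueError("signature block carries no certificate")
    _, _, ce = _der_read(pkcs7, vs)                  # first Certificate SEQUENCE
    return pkcs7[vs:ce]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated as apksigner/keytool print it."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def apk_signer_fingerprints(apk_bytes: bytes) -> set:
    """Fingerprints of every v1 (JAR-scheme) signer certificate in the APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                fps.add(fingerprint(first_signer_cert(apk.read(name))))
    return fps


def signer_matches_pin(apk_bytes: bytes, pinned: str) -> bool:
    """True only if the APK is signed and every signer is the pinned certificate."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and fps == {pinned}


# Constructed fixtures: placeholders for DER certificates, not real X.509 data.
GENUINE_CERT = _der(0x30, b"stand-in for the genuine developer's certificate".ljust(160, b"."))
CLONE_CERT = _der(0x30, b"stand-in for the repackaging attacker's certificate".ljust(160, b"."))
GENUINE_FINGERPRINT = fingerprint(GENUINE_CERT)   # what you would pin from a known-good APK


def build_signature_block(cert_der: bytes) -> bytes:
    """Minimal PKCS#7 SignedData carrying one certificate (fixture only)."""
    signed_data = (_der(0x02, b"\x01")                  # version
                   + _der(0x31, b"")                    # digestAlgorithms (empty SET)
                   + _der(0x30, _der(0x06, OID_DATA))   # encapContentInfo
                   + _der(0xA0, cert_der)               # certificates [0]
                   + _der(0x31, b""))                   # signerInfos (empty SET)
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, signed_data)))


def build_demo_apk(cert_der) -> bytes:
    """Zip mimicking an APK's v1 signing files; cert_der=None gives an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00constructed placeholder")
        if cert_der is not None:
            apk.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            apk.writestr("META-INF/CERT.RSA", build_signature_block(cert_der))
    return buf.getvalue()


if __name__ == "__main__":
    print("pinned  :", GENUINE_FINGERPRINT)
    for label, cert in (("genuine", GENUINE_CERT), ("clone", CLONE_CERT), ("unsigned", None)):
        print(f"{label:8}:", signer_matches_pin(build_demo_apk(cert), GENUINE_FINGERPRINT))
```

This only identifies who signed the v1 block; it does not verify the signature over the archive, so run it against an APK that Android has already accepted (for example one pulled from a device with adb after `pm path`) or alongside `apksigner verify --print-certs`, which also covers the v2/v3 signing block and is the authoritative check. The point it demonstrates is the one the researchers make: a repackaged clone cannot be signed with the genuine developer's private key, so its certificate fingerprint differs, while an identical name, icon and feature set prove nothing.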