BRATISLAVA, KOŠICE — November 09, 2023 — ESET researchers have identified what appears to be a watering-hole attack on a regional news website that delivers news about Gilgit-Baltistan, a region administered by Pakistan. Gilgit-Baltistan consists of the northern region of the greater Kashmir territory, embroiled in longstanding disputes involving India and Pakistan (since 1947) as well as between India and China (since 1959). Watering-hole attacks are a type of threat where a commonly visited website is compromised to serve malware. When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website; however, the app has malicious espionage capabilities. Urdu is the official and main language of communication used for inter-ethnic communication within this disputed region. ESET has named this previously unknown spyware Kamran.
The word Kamran was used by ESET to name this spyware due to its package name “com.kamran.hunzanews.” Kamran is a common given name in Pakistan and other Urdu-speaking regions; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means fortunate or lucky.
The Hunza News website has both English and Urdu versions; English is the second official language spoken in the region. The English mobile version doesn’t provide any app for download. However, only the Urdu version on mobile offers to download the Android spyware in question. While the English and Urdu desktop versions also offer the Android spyware, it is not compatible with desktop operating systems. ESET Research reached out to Hunza News regarding Kamran, however, the website provided no response prior to the publication of this research.
The Kamran spyware displays the content of the Hunza News website but also contains custom malicious code. Upon launching, the malicious app prompts the user to grant it permissions to access various information. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, images, etc. If the requested permissions to the app are granted, Kamran automatically gathers this sensitive user data and uploads it to a hardcoded command and control (C&C) server. The C&C server was reported to Google, as the platform misused by the spyware is provided by them. However, the malware lacks remote control capabilities.
This malicious app has never been offered through the Google Play Store but is instead downloaded from a source referred to as Unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources. ESET was able to identify at least 22 compromised smartphones, with five of them being located in Pakistan.
The malicious app appeared on the website sometime between January 7, 2023, and March 21, 2023; the developer certificate of the malicious app was issued on January 10, 2023. During that time, protests were being held in Gilgit-Baltistan for various reasons encompassing land rights, taxation concerns, prolonged power outages, and a decline in subsidized wheat provisions.
“With a high degree of confidence, we can affirm that the malicious app specifically targeted Urdu-speaking users, who accessed the website via Android devices. However, since Kamran demonstrates a unique codebase, distinct from other Android spyware, this prevents its attribution to any known advanced persistent threat – APT – group,” says ESET researcher Lukáš Štefanko, who discovered the Kamran spyware. “This spyware shows once again that it is important to reiterate the importance of downloading apps exclusively from trusted and official sources,” he adds.
Hunza News, likely named after the Hunza District or the Hunza Valley, is an online newspaper delivering news related to the Gilgit-Baltistan region. Internet archive data shows that the site has been delivering news since 2013. In 2015, Hunza News started to provide a legitimate Android application that was available on the Google Play Store. Based on available data, ESET Research believes two versions of this app were released on Google Play, with neither containing any malicious functionality.
For more technical information about Kamran spyware, check out the blogpost “Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan.” Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X (Twitter).
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。