Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

ESET researchers have recognized what seems to be a watering-hole assault on a regional information web site that delivers information about Gilgit-Baltistan, a disputed area administered by Pakistan. When opened on a cellular gadget, the Urdu model of the Hunza Information web site gives readers the likelihood to obtain the Hunza Information Android app instantly from the web site, however the app has malicious espionage capabilities. We named this beforehand unknown adware Kamran due to its bundle identify com.kamran.hunzanews. Kamran is a typical given identify in Pakistan and different Urdu-speaking areas; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means lucky or fortunate.

The Hunza Information web site has English and Urdu variations; the English cellular model doesn’t present any app for obtain. Nevertheless, the Urdu model on cellular gives to obtain the Android adware. It’s value mentioning that each English and Urdu desktop variations additionally supply the Android adware; though, it isn’t suitable with desktop working programs. We reached out to the web site regarding the Android malware. Nevertheless, previous to the publication of our blogpost, we didn’t obtain any response.

Key factors of the report:

• Android adware, which we named Kamran, has been distributed through a potential watering-hole assault on the Hunza Information web site.
• The malware targets solely Urdu-speaking customers in Gilgit-Baltistan, a area administered by Pakistan.
• The Kamran adware shows the content material of the Hunza Information web site and accommodates customized malicious code.
• Our analysis reveals that not less than 20 cellular units had been compromised.

Upon launching, the malicious app prompts the consumer to grant it permissions to entry varied information. If accepted, it gathers information about contacts, calendar occasions, name logs, location data, gadget information, SMS messages, photos, and so on. As this malicious app has by no means been provided by means of the Google Play retailer and is downloaded from an unidentified supply known as Unknown by Google, to put in this app, the consumer is requested to allow the choice to put in apps from unknown sources.

The malicious app appeared on the web site someday between January 7, 2023, and March 21, 2023; the developer certificates of the malicious app was issued on January 10, 2023. Throughout that point, protests had been being held in Gilgit-Baltistan for varied causes encompassing land rights, taxation issues, extended energy outages, and a decline in backed wheat provisions. The area, proven within the map in Determine 1, is beneath Pakistan’s administrative governance, consisting of the northern portion of the bigger Kashmir area, which has been the topic of a dispute between India and Pakistan since 1947 and between India and China since 1959.

Overview

Hunza Information, probably named after the Hunza District or the Hunza Valley, is an internet newspaper delivering information associated to the Gilgit-Baltistan area.

The area, with a inhabitants of round 1.5 million, is known for the presence of among the highest mountains globally, internet hosting 5 of the esteemed “eight-thousanders” (mountains that peak at greater than 8,000 meters above sea degree), most notably K2, and is subsequently often visited by worldwide vacationers, trekkers, and mountaineers. Due to the protests in spring 2023, and extra ones taking place in September 2023, the US and Canada have issued journey advisories for this area, and Germany advised vacationers ought to keep knowledgeable concerning the present state of affairs.

Gilgit-Baltistan can be an necessary crossroad due to the Karakoram Freeway, the one motorable street connecting Pakistan and China, because it permits China to facilitate commerce and power transit by accessing the Arabian Sea. The Pakistani portion of the freeway is presently being reconstructed and upgraded; the efforts are financed by each Pakistan and China. The freeway is often blocked by injury attributable to climate or protests.

The Hunza Information web site gives content material in two languages: English and Urdu. Alongside English, Urdu holds nationwide language standing in Pakistan, and in Gilgit-Baltistan, it serves because the widespread or bridge language for interethnic communications. The official area of Hunza Information is hunzanews.web, registered on Might 22^nd, 2017, and has been persistently publishing on-line articles since then, as evidenced by Web Archive information for hunzanews.web.

Previous to 2022, this on-line newspaper additionally used one other area, hunzanews.com, as indicated within the web page transparency data on the location’s Fb web page (see Determine 2) and the Web Archive information of hunzanews.com, Web Archive information additionally reveals that hunzanews.com had been delivering information since 2013; subsequently, for round 5 years, this on-line newspaper was publishing articles through two web sites: hunzanews.web and hunzanews.com. This additionally signifies that this on-line newspaper has been energetic and gaining on-line readership for over 10 years.

In 2015, hunzanews.com began to supply a respectable Android utility, as proven in Determine 3, which was obtainable on the Google Play retailer. Based mostly on obtainable information we consider two variations of this app had been launched, with neither containing any malicious performance. The aim of those apps was to current the web site content material to readers in a user-friendly method.

Within the second half of 2022, the brand new web site hunzanews.web underwent visible updates, together with the elimination of the choice to obtain the Android app from Google Play. Moreover, the official app was taken down from the Google Play retailer, probably on account of its incompatibility with the newest Android working programs.

For a number of weeks, from not less than December 2022 till January 7^th, 2023, the web site offered no choice to obtain the official cellular app, as proven in Determine 4.

Based mostly on Web Archive information, it’s evident that not less than since March 21^st, 2023, the web site reintroduced the choice for customers to obtain an Android app, accessible through the DOWNLOAD APP button, as depicted in Determine 5. There isn’t a information for the interval between January 7^th and March 21^st, 2023, which may assist us pinpoint the precise date of the app’s reappearance on the web site.

When analyzing a number of variations of the web site, we got here throughout one thing attention-grabbing: viewing the web site in a desktop browser in both language model of Hunza Information – English (hunzanews.web) or Urdu (urdu.hunzanews.web) – prominently shows the DOWNLOAD APP button on the high of the webpage. The downloaded app is a local Android utility which can’t be put in on a desktop machine and compromise it.

Nevertheless, on a cellular gadget, this button is solely seen on the Urdu language variant (urdu.hunzanews.web), as proven in Determine 6.

With a excessive diploma of confidence, we will affirm that the malicious app is particularly focused at Urdu-speaking customers who entry the web site through an Android gadget. The malicious app has been obtainable on the web site for the reason that first quarter of 2023.

Clicking on the DOWNLOAD APP button triggers a obtain from https://hunzanews[.]web/wp-content/uploads/apk/app-release.apk. As this malicious app has by no means been provided by means of the Google Play retailer and is downloaded from a third-party website to put in this app, the consumer is requested to allow the non-default, Android choice to put in apps from unknown sources.

Victimology

Kamran

Kamran is beforehand undocumented Android adware characterised by its distinctive code composition, distinct from different, identified adware. ESET detects this adware as Android/Spy.Kamran.

We recognized just one model of a malicious app containing Kamran, which is the one obtainable to obtain from the Hunza Information web site. As defined within the Overview part, we’re unable to specify the precise date on which the app was positioned on the Hunza Information web site. Nevertheless, the related developer certificates (SHA-1 fingerprint: DCC1A353A178ABF4F441A5587E15644A388C9D9C), used to signal the Android app, was issued on January 10^th, 2023. This date gives a ground for the earliest time that the malicious app was constructed.

In distinction, respectable functions from Hunza Information that had been previously obtainable on Google Play had been signed with a special developer certificates (SHA-1 fingerprint: BC2B7C4DF3B895BE4C7378D056792664FCEEC591). These clear and legit apps exhibit no code similarities with the recognized malicious app.

Upon launching, Kamran prompts the consumer to grant permissions for accessing varied information saved on the sufferer’s gadget, equivalent to contacts, calendar occasions, name logs, location data, gadget information, SMS messages, and pictures. It additionally presents a consumer interface window, providing choices to go to Hunza Information social media accounts, and to pick out both the English or Urdu language for loading the contents of hunzanews.web, as proven in Determine 7.

If the abovementioned permissions are granted, the Kamran adware routinely gathers delicate consumer information, together with:

• SMS messages
• contacts checklist
• name logs
• calendar occasions
• gadget location
• checklist of put in apps
• acquired SMS messages
• gadget data
• photos

Apparently, Kamran identifies accessible picture information on the gadget (as depicted in Determine 8), obtains the file paths for these photos, and shops this information in an images_db database, as demonstrated in Determine 9. This database is saved within the malware’s inside storage.

All kinds of information, together with the picture information, are uploaded to a hardcoded command and management (C&C) server. Apparently, the operators opted to make the most of Firebase, an internet platform, as their C&C server: https://[REDACTED].firebaseio[.]com. The C&C server was reported to Google, because the platform is offered by this know-how firm.

You will need to notice that the malware lacks distant management capabilities. Consequently, consumer information is exfiltrated through HTTPS to the Firebase C&C server solely when the consumer opens the app; information exfiltration can not run within the background when the app is closed. Kamran has no mechanism monitoring what information has been exfiltrated, so it repeatedly sends the identical information, plus any new information assembly its search standards, to its C&C.

Conclusion

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis gives non-public APT intelligence studies and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Information

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.