ESET Research: Android malware Kamran spying via news app on residents of the disputed Kashmir region
Created: 2023-11-17 04:47:24
- ESET Research has discovered Android spyware, which ESET researchers named Kamran, that has been distributed via a possible watering-hole attack on the Hunza News website.
- The malware targets residents using Urdu language in Gilgit-Baltistan, part of the disputed Kashmir region that is administered by Pakistan.
- The malicious app prompts the user to grant it permissions to access various information. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, and images.
BRATISLAVA, KOŠICE — November 09, 2023 — ESET researchers have identified what appears to be a watering-hole attack on a regional news website that delivers news about Gilgit-Baltistan, a region administered by Pakistan. Gilgit-Baltistan consists of the northern region of the greater Kashmir territory, embroiled in longstanding disputes involving India and Pakistan (since 1947) as well as between India and China (since 1959). Watering-hole attacks are a type of threat where a commonly visited website is compromised to serve malware. When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website; however, the app has malicious espionage capabilities. Urdu is the official and main language of communication used for inter-ethnic communication within this disputed region. ESET has named this previously unknown spyware Kamran.
The word Kamran was used by ESET to name this spyware due to its package name “com.kamran.hunzanews.” Kamran is a common given name in Pakistan and other Urdu-speaking regions; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means fortunate or lucky.
The Hunza News website has both English and Urdu versions; English is the second official language spoken in the region. The English mobile version doesn’t provide any app for download. However, only the Urdu version on mobile offers to download the Android spyware in question. While the English and Urdu desktop versions also offer the Android spyware, it is not compatible with desktop operating systems. ESET Research reached out to Hunza News regarding Kamran, however, the website provided no response prior to the publication of this research.
The Kamran spyware displays the content of the Hunza News website but also contains custom malicious code. Upon launching, the malicious app prompts the user to grant it permissions to access various information. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, images, etc. If the requested permissions to the app are granted, Kamran automatically gathers this sensitive user data and uploads it to a hardcoded command and control (C&C) server. The C&C server was reported to Google, as the platform misused by the spyware is provided by them. However, the malware lacks remote control capabilities.
This malicious app has never been offered through the Google Play Store but is instead downloaded from a source referred to as Unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources. ESET was able to identify at least 22 compromised smartphones, with five of them being located in Pakistan.
The malicious app appeared on the website sometime between January 7, 2023, and March 21, 2023; the developer certificate of the malicious app was issued on January 10, 2023. During that time, protests were being held in Gilgit-Baltistan for various reasons encompassing land rights, taxation concerns, prolonged power outages, and a decline in subsidized wheat provisions.
“With a high degree of confidence, we can affirm that the malicious app specifically targeted Urdu-speaking users, who accessed the website via Android devices. However, since Kamran demonstrates a unique codebase, distinct from other Android spyware, this prevents its attribution to any known advanced persistent threat – APT – group,” says ESET researcher Lukáš Štefanko, who discovered the Kamran spyware. “This spyware shows once again that it is important to reiterate the importance of downloading apps exclusively from trusted and official sources,” he adds.
Hunza News, likely named after the Hunza District or the Hunza Valley, is an online newspaper delivering news related to the Gilgit-Baltistan region. Internet archive data shows that the site has been delivering news since 2013. In 2015, Hunza News started to provide a legitimate Android application that was available on the Google Play Store. Based on available data, ESET Research believes two versions of this app were released on Google Play, with neither containing any malicious functionality.
For more technical information about Kamran spyware, check out the blogpost “Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan.” Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.