ISLAMABAD – Cyber security researchers have found five trojanized versions of legitimate Android apps that carry out covert surveillance and espionage targeting users in Pakistan.
Designed to masquerade as apps such as the Pakistan Citizen Portal, Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious variants have been found to obfuscate their operations in order to stealthily download a payload in the form of an Android Dalvik executable (DEX) file.
“The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages,” Sophos threat researchers Pankaj Kohli and Andrew Brandt said. “The app then sends this information to one of a small number of command-and-control websites hosted on servers located in Eastern Europe.”
NEW Android spyware targets users in Pakistan 📲
The apps seem focused on stealing sensitive data from the phones of Pakistani residents…
— SophosLabs (@SophosLabs) January 12, 2021
The fake version of the Pakistan Citizen Portal was also earlier prominently displayed as an image on the Trading Corporation of Pakistan (TCP) website, potentially in an attempt to lure unsuspecting users into downloading the malware-laced app that also transmits sensitive information such as users’ computerised national identity card numbers, passport details, and the username and password for Facebook and other accounts.
Sophos researchers also discovered an app called Pakistan Chat that didn’t have a benign analogue distributed via the Google Play Store. But the app was found to leverage the API of a legitimate chat service, ChatGum. Once installed, the app requests permissions that allow it to gather personal data on the victim’s device including detailed profile information about the phone, location information, contact lists, SMS contents, call logs, and the full directory listing of internal as well as SD card storage.
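The traits the article attributes to these apps (a loader that fetches a DEX payload at runtime, plus permissions reaching contacts, SMS, call logs, location and storage) can be turned into a simple static triage heuristic. The following is an added example for illustration, not Sophos's or the reporters' code; the permission sets and DEX strings are constructed stand-ins for what an analyst would extract from an APK.

```python
"""Static triage for the spyware traits the article describes.
Added example, not Sophos's or the reporters' code; the permissions and
DEX strings used below are constructed stand-ins for analyst-extracted data.
"""
from dataclasses import dataclass, field

# Permissions that together give the data reach the article describes:
# contact list, SMS contents, call logs, location, storage listing.
DATA_REACH = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage listing",
}

# Class names an app references when it loads a DEX file at runtime; seeing
# one in the string table suggests the shipped code is only a loader stage.
DYNAMIC_LOAD_MARKERS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
)

@dataclass
class Verdict:
    reach: list = field(default_factory=list)  # data categories reachable
    loads_dex: bool = False                     # runtime DEX loading seen
    has_network: bool = False                   # outbound channel for C2
    score: int = 0

def triage(permissions: set, dex_strings: set) -> Verdict:
    v = Verdict()
    v.reach = sorted(DATA_REACH[p] for p in permissions if p in DATA_REACH)
    v.loads_dex = any(m in dex_strings for m in DYNAMIC_LOAD_MARKERS)
    v.has_network = "android.permission.INTERNET" in permissions
    # One point per reachable data category, two each for a dynamic loader
    # and a network permission: the combination is what the described
    # samples share, while a benign prayer-time app needs little of it.
    v.score = len(v.reach) + 2 * v.loads_dex + 2 * v.has_network
    return v

def is_suspicious(v: Verdict, threshold: int = 6) -> bool:
    return v.score >= threshold

# Constructed inputs: a benign-looking prayer-time app and a trojanized copy.
BENIGN = triage({"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.INTERNET"}, {"Ljava/net/URL;"})
TROJANIZED = triage(set(DATA_REACH) | {"android.permission.INTERNET"},
                    {"dalvik/system/DexClassLoader", "Ljava/net/URL;"})
```

The threshold is a tuning knob for an analyst's queue, not a verdict on its own: a legitimate messaging app can legitimately score high on reach, so the loader marker and the C2 channel are what should draw the closer look.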