Recent findings from cybersecurity experts reveal a sophisticated spyware campaign aimed at users in Pakistan. This operation employs malicious variants of legitimate Android applications to conduct covert surveillance and data exfiltration.
The spyware masquerades as well-known applications, including the Pakistan Citizen Portal, a prayer timing app called Pakistan Salat Time, and others such as Mobile Packages Pakistan and TPL Insurance. These trojanized versions are designed to discreetly execute actions that lead to downloading a malicious payload in the form of an Android Dalvik executable (DEX) file.
Sophos researchers Pankaj Kohli and Andrew Brandt noted that “the DEX payload encompasses numerous harmful features, enabling it to stealthily exfiltrate sensitive user information including contact lists and complete SMS content.” This data is subsequently transmitted to a handful of command-and-control servers located in Eastern Europe.
Moreover, a counterfeit version of the Pakistan Citizen Portal was displayed as a static image on the Trading Corporation of Pakistan (TCP) website, a placement that appears intended to deceive visitors into downloading the compromised application. Currently, the TCP website (tcp.gov.pk) displays a message indicating it is “Down for Maintenance.”
In addition to the aforementioned applications, researchers identified a distinct app named Pakistan Chat, which lacks a legitimate counterpart available on the Google Play Store. This app utilizes the legitimate API of a chat service known as ChatGum to operate.
Upon installation, these malicious apps request extensive permissions, such as access to contacts, location, file systems, microphone, and SMS messages. This access gives the attackers a broad spectrum of sensitive data from the victim’s device.
The overarching aim of these applications is to conduct covert spying and gather extensive data from compromised devices. In addition to transmitting the device’s unique IMEI, the DEX payload is capable of sending detailed device profiles, including location, contact lists, SMS content, call logs, and a complete directory listing of both internal and SD card storage.
Alarmingly, the counterfeit Pakistan Citizen Portal app also transmits critical personal information including computerized national identity card (CNIC) numbers, passport details, and credentials for social media accounts such as Facebook.
Pankaj Kohli emphasized the pervasive threat posed by these modified Android applications. He remarked, “These spyware attacks reveal significant risks that smartphone users face globally, not only targeting sensitive personal information but also providing adversaries with real-time insights into users’ lives, physical locations, and even ongoing conversations within earshot of an infected device.”
This incident underscores the need for users to download applications only from trusted sources, verify the authenticity of app developers, and carefully review app permissions before installation. The researchers concluded, “In the current Android ecosystem, while apps are signed cryptographically to assert their origins, the platform falls short in clearly indicating when this certification is compromised. Thus, users often lack straightforward methods to confirm whether an application is genuinely developed by its stated author.”
This situation creates fertile ground for malicious actors to deploy counterfeit application versions. The multitude of app stores and users’ freedom to install applications from diverse origins only compound these security challenges.