Cybersecurity experts have revealed a new spyware operation targeting users in Pakistan that relies on trojanized versions of legitimate Android apps to conduct covert surveillance.
Designed to impersonate apps such as the Pakistan Citizen Portal, a Muslim prayer-clock app called Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious look-alikes have been found to conceal their activity and quietly download a payload in the form of an Android Dalvik executable (DEX) file.
Sophos threat researchers Pankaj Kohli and Andrew Brandt said: “The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages.”
“The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.”
Notably, a link to the fake Pakistan Citizen Portal website was also prominently displayed as a static image on the Trading Corporation of Pakistan (TCP) website, possibly in an effort to lure unwary users into downloading the malware-laced app.
In addition to the above-mentioned apps, Sophos researchers also uncovered a separate app called Pakistan Chat that had no benign counterpart distributed via the Google Play Store. Instead, the app was found to leverage the API of a legitimate chat service called ChatGum.
“The spying and covert surveillance capability of these modified Android apps highlights the dangers of spyware to smartphone users everywhere,” Pankaj Kohli said. “Cyber-adversaries target mobiles not just to get their hands on sensitive and personal information, but because they offer a real-time window into people’s lives, their physical location, movements, and even live conversations taking place within listening range of the infected phone.”