Urdu-speaking individuals who visit a local news website catering to the Gilgit-Baltistan region may find themselves unwitting targets of a watering hole attack. The attack aims to deploy a previously undocumented Android spyware named Kamran.

The attack, uncovered by ESET, capitalizes on the popularity of Hunza News (urdu.hunzanews[.]net). Upon accessing the site on a mobile device, users of the Urdu version are prompted to install the Android app directly hosted on the website.

However, this seemingly innocent app harbors malicious capabilities and has compromised at least 20 mobile devices to date. The spyware was present on the website between January 7 and March 21, 2023, coinciding with significant regional protests related to land rights, taxation, and widespread power outages.

Once installed, the malware becomes active and requests intrusive permissions, enabling it to extract sensitive information from the infected devices. This includes contacts, call logs, calendar events, location data, files, SMS messages, photos, a list of installed apps, and device metadata. The harvested data is subsequently transmitted to a command-and-control (C2) server hosted on Firebase.

Kamran has no remote-control capability and is simple in design: it collects data only when the victim opens the app. It also keeps no record of what it has already uploaded, so on each run it resends the same information, plus any new data matching its criteria, to the C2 server. As of now, Kamran has not been linked to any known threat actor or group.

Security researcher Lukáš Štefanko emphasized the malicious nature of this app, noting that it has never been available on the Google Play store and must be downloaded from an unidentified source categorized as “unknown” by Google. Users attempting to install the app are required to enable the option allowing installations from unknown sources, heightening the risk of compromise.
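The two indicators the report gives defenders are an app that arrived outside Google Play and an app that holds permissions spanning contacts, call logs, calendar, location, files, SMS and photos. The script below is an added triage example written for this article, not ESET's tooling or code from the spyware: it parses installer information in the shape `package:<pkg>  installer=<installer>` (that line format is an assumption), joins it with the dangerous permissions each app holds, and flags sideloaded apps whose permissions cover several of those data categories. All package names and records are constructed sample data; the Android permission names are real.

```python
"""Triage sideloaded Android apps that hold permissions covering the data
categories Kamran was reported to harvest (added example, not page code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Data categories from the report mapped to real Android permission names.
KAMRAN_DATA_PERMISSIONS: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files_and_photos": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.READ_MEDIA_IMAGES"},
    "sms": {"android.permission.READ_SMS"},
}

# Installers that indicate an app store; anything else is treated as a sideload
# (an app fetched from a website, as in the Hunza News case, has no store installer).
KNOWN_STORE_INSTALLERS = {"com.android.vending"}  # Google Play


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]             # None means sideloaded (browser, file, ADB)
    granted: Set[str] = field(default_factory=set)


def parse_installer_listing(text: str) -> Dict[str, Optional[str]]:
    """Parse lines of the assumed shape 'package:<pkg>  installer=<installer>'.
    An installer of 'null' or an absent field is recorded as None."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        parts = line.split()
        pkg = parts[0][len("package:"):]
        installer: Optional[str] = None
        for part in parts[1:]:
            if part.startswith("installer="):
                value = part[len("installer="):]
                installer = None if value in ("null", "") else value
        result[pkg] = installer
    return result


def data_categories(app: InstalledApp) -> List[str]:
    """Categories of Kamran-style data this app's permissions would expose."""
    return sorted(cat for cat, perms in KAMRAN_DATA_PERMISSIONS.items()
                  if perms & app.granted)


def is_sideloaded(app: InstalledApp) -> bool:
    return app.installer not in KNOWN_STORE_INSTALLERS


def triage(apps: List[InstalledApp], min_categories: int = 3) -> List[Tuple[str, List[str]]]:
    """Flag sideloaded apps whose permissions span at least `min_categories`
    of the data categories; store-installed apps and narrow ones are skipped."""
    flagged = []
    for app in apps:
        cats = data_categories(app)
        if is_sideloaded(app) and len(cats) >= min_categories:
            flagged.append((app.package, cats))
    return flagged


# Constructed sample data: an installer listing plus the permissions held per app.
SAMPLE_LISTING = """\
package:com.example.sideloaded.news  installer=null
package:com.example.maps  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.messenger  installer=null
"""
SAMPLE_GRANTS: Dict[str, Set[str]] = {
    "com.example.sideloaded.news": {
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
        "android.permission.READ_CALENDAR", "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_SMS"},
    "com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"},
    "com.example.flashlight": set(),
    "com.example.messenger": {"android.permission.READ_CONTACTS",
                              "android.permission.READ_SMS"},
}


def build_sample_apps() -> List[InstalledApp]:
    installers = parse_installer_listing(SAMPLE_LISTING)
    return [InstalledApp(pkg, inst, SAMPLE_GRANTS.get(pkg, set()))
            for pkg, inst in installers.items()]


if __name__ == "__main__":
    for pkg, cats in triage(build_sample_apps()):
        print(f"{pkg}: sideloaded, exposes {', '.join(cats)}")
```

The threshold of three categories is a deliberate choice: a sideloaded messenger that reads contacts and SMS is ordinary, whereas a news reader holding contacts, call log, calendar, location, storage and SMS permissions matches the profile described above and deserves a closer look.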
