ESET researchers have identified what appears to be a watering-hole attack on a regional news website that delivers news about Gilgit-Baltistan, a disputed region administered by Pakistan. When opened on a mobile device, the Urdu version of the Hunza News website offers readers the option to download the Hunza News Android app directly from the website, but the app has malicious espionage capabilities. We named this previously unknown spyware Kamran because of its package name com.kamran.hunzanews. Kamran is a common given name in Pakistan and other Urdu-speaking regions; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means lucky or fortunate.
The Hunza News website has English and Urdu versions; the English mobile version does not offer any app for download, whereas the Urdu version on mobile offers the Android spyware for download. Both the English and Urdu desktop versions also offer the Android spyware, although it cannot be installed on desktop operating systems. We reached out to the website about the Android malware but, prior to the publication of this blogpost, received no response.
Key points of the report:
- Android spyware, which we named Kamran, has been distributed via a possible watering-hole attack on the Hunza News website.
- The malware targets only Urdu-speaking users in Gilgit-Baltistan, a region administered by Pakistan.
- The Kamran spyware displays the content of the Hunza News website and contains custom malicious code.
- Our research shows that at least 20 mobile devices have been compromised.
Upon launching, the malicious app prompts the user to grant it permissions to access various data. If accepted, it gathers contacts, calendar events, call logs, location information, device files, SMS messages, images, and more. Because this malicious app has never been offered via the Google Play store and is downloaded from a source that Google labels as unknown, the user has to enable the option to install apps from unknown sources before it can be installed.
The malicious app appeared on the website sometime between January 7, 2023, and March 21, 2023; the developer certificate of the malicious app was issued on January 10, 2023. During that time, protests were being held in Gilgit-Baltistan for various reasons, including land rights, taxation concerns, prolonged power outages, and a decline in subsidized wheat provisions. The region, shown in the map in Figure 1, is under Pakistan's administrative governance and consists of the northern portion of the larger Kashmir region, which has been the subject of a dispute between India and Pakistan since 1947 and between India and China since 1959.
Overview
Hunza News, likely named after the Hunza District or the Hunza Valley, is an online newspaper delivering news related to the Gilgit-Baltistan region.
The region, with a population of around 1.5 million, is famous for some of the highest mountains in the world, hosting five of the "eight-thousanders" (mountains that peak at more than 8,000 meters above sea level), most notably K2, and is therefore frequently visited by international tourists, trekkers, and mountaineers. Because of the protests in spring 2023, and further ones in September 2023, the US and Canada have issued travel advisories for this region, and Germany suggested that tourists should stay informed about the current situation.
Gilgit-Baltistan is also an important crossroads because of the Karakoram Highway, the only motorable road connecting Pakistan and China, which allows China to facilitate trade and energy transit by accessing the Arabian Sea. The Pakistani portion of the highway is currently being reconstructed and upgraded; the efforts are financed by both Pakistan and China. The highway is frequently blocked by damage caused by weather or by protests.
The Hunza News website provides content in two languages: English and Urdu. Alongside English, Urdu holds national language status in Pakistan, and in Gilgit-Baltistan it serves as the common or bridge language for interethnic communication. The official domain of Hunza News is hunzanews.net, registered on May 22nd, 2017; the site has been consistently publishing online articles since then, as evidenced by Internet Archive data for hunzanews.net.
Prior to 2022, this online newspaper also used another domain, hunzanews.com, as indicated in the page transparency information on the site's Facebook page (see Figure 2) and in the Internet Archive records of hunzanews.com. Internet Archive data also shows that hunzanews.com had been delivering news since 2013; therefore, for around five years, this online newspaper was publishing articles via two websites, hunzanews.net and hunzanews.com. This also indicates that the newspaper has been active and gaining online readership for over 10 years.
In 2015, hunzanews.com started to offer a legitimate Android application, as shown in Figure 3, which was available on the Google Play store. Based on available data we believe two versions of this app were released, with neither containing any malicious functionality. The purpose of these apps was to present the website content to readers in a user-friendly way.
In the second half of 2022, the new website hunzanews.net underwent visual updates, including the removal of the option to download the Android app from Google Play. Additionally, the official app was taken down from the Google Play store, likely due to its incompatibility with the latest Android operating systems.
For a few weeks, from at least December 2022 until January 7th, 2023, the website offered no option to download the official mobile app, as shown in Figure 4.
Based on Internet Archive records, it is evident that at least since March 21st, 2023, the website has again offered users the option to download an Android app, accessible via the DOWNLOAD APP button, as depicted in Figure 5. There is no archived data for the period between January 7th and March 21st, 2023, which would help us pinpoint the exact date of the app's reappearance on the website.
When analyzing multiple versions of the website, we came across something interesting: viewing the website in a desktop browser in either language version of Hunza News, English (hunzanews.net) or Urdu (urdu.hunzanews.net), prominently displays the DOWNLOAD APP button at the top of the webpage. The downloaded app is a native Android application, which cannot be installed on a desktop machine and therefore cannot compromise it.
However, on a mobile device, this button is visible exclusively on the Urdu language variant (urdu.hunzanews.net), as shown in Figure 6.
With a high degree of confidence, we can confirm that the malicious app is specifically targeted at Urdu-speaking users who access the website via an Android device. The malicious app has been available on the website since the first quarter of 2023.
Clicking on the DOWNLOAD APP button triggers a download from https://hunzanews[.]net/wp-content/uploads/apk/app-release.apk. As this malicious app has never been offered via the Google Play store and is downloaded from a third-party site, the user must enable the non-default Android option to install apps from unknown sources before it can be installed.
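The offer described above differs by device type and by language version of the site, which is the kind of conditional delivery worth checking systematically. The following Python script is an added example and is not code from the ESET report or from Hunza News: it extracts .apk links from a page and compares what different browser variants are offered. The two HTML snippets are constructed for the offline demo (modelled on the behaviour described here, with the Urdu mobile page carrying the DOWNLOAD APP link and the English mobile page carrying none); the User-Agent strings and the fetch() helper are assumptions for live use and are not exercised by the demo.

```python
"""Compare the APK downloads a site offers to different browser variants.

Added example, not part of the ESET report. apk_links() pulls .apk targets
out of HTML; compare_variants() reports which variants differ from the rest.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed User-Agent strings for live use (one desktop, one Android Chrome).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120.0 Mobile"

# Constructed pages for the offline demo: the Urdu mobile page offers the
# APK via a DOWNLOAD APP button, the English mobile page does not.
SAMPLE_URDU_MOBILE = """<html><body>
<a class="btn" href="https://hunzanews.net/wp-content/uploads/apk/app-release.apk">DOWNLOAD APP</a>
<a href="/category/news/">News</a></body></html>"""
SAMPLE_EN_MOBILE = """<html><body>
<a href="/category/news/">News</a></body></html>"""


class _LinkCollector(HTMLParser):
    """Collects (href, link text) for every <a> tag that has an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def apk_links(html, base_url):
    """Return [(absolute URL, link text)] for links whose target ends in .apk."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        url = urljoin(base_url, href)
        if url.split("?", 1)[0].lower().endswith(".apk"):
            found.append((url, text))
    return found


def compare_variants(variants):
    """variants: {label: (base_url, html)}.

    Returns ({label: set of APK URLs}, [labels whose offer differs from the
    union of all offers]); a non-empty list means delivery is conditional.
    """
    offered = {label: {url for url, _ in apk_links(html, base)}
               for label, (base, html) in variants.items()}
    everything = set().union(*offered.values()) if offered else set()
    inconsistent = sorted(label for label, urls in offered.items() if urls != everything)
    return offered, inconsistent


def fetch(url, user_agent, timeout=15):
    """Fetch url as the given User-Agent (live use only; the demo never calls it)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def demo():
    """Run the comparison on the constructed pages."""
    variants = {
        "urdu_mobile": ("https://urdu.hunzanews.net/", SAMPLE_URDU_MOBILE),
        "english_mobile": ("https://hunzanews.net/", SAMPLE_EN_MOBILE),
    }
    return compare_variants(variants)


if __name__ == "__main__":
    offered, inconsistent = demo()
    for label, urls in offered.items():
        print(f"{label}: {sorted(urls) or 'no APK offered'}")
    print("variants differing from the rest:", inconsistent)
```

For a live check, call fetch() once per (URL, User-Agent) pair, including each language subdomain, and pass the results to compare_variants(). A site that offers an installable APK only to some visitors, or serves it from outside an app store, deserves a closer look before the file is opened on any device.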
The malicious app, called Hunza News, is previously unknown spyware that we named Kamran and that is analyzed in the Kamran section below.
ESET Research reached out to Hunza News regarding Kamran. Before the publication of this blogpost we did not receive any feedback or response from the website's side.
Victimology
Based on the findings from our research, we were able to identify at least 22 compromised smartphones, five of which are located in Pakistan.
Kamran
Kamran is previously undocumented Android spyware characterized by its unique code composition, distinct from other known spyware. ESET detects this spyware as Android/Spy.Kamran.
We identified only one version of a malicious app containing Kamran, which is the one available for download from the Hunza News website. As explained in the Overview section, we are unable to specify the exact date on which the app was placed on the Hunza News website. However, the associated developer certificate (SHA-1 fingerprint: DCC1A353A178ABF4F441A5587E15644A388C9D9C), used to sign the Android app, was issued on January 10th, 2023. This date provides a floor for the earliest time the malicious app could have been built.
In contrast, the legitimate applications from Hunza News that were formerly available on Google Play were signed with a different developer certificate (SHA-1 fingerprint: BC2B7C4DF3B895BE4C7378D056792664FCEEC591). These clean, legitimate apps exhibit no code similarities with the identified malicious app.
Upon launching, Kamran prompts the user to grant permissions to access various data stored on the victim's device, such as contacts, calendar events, call logs, location information, device files, SMS messages, and images. It also presents a user interface window offering options to visit Hunza News social media accounts and to select either English or Urdu for loading the contents of hunzanews.net, as shown in Figure 7.
If the abovementioned permissions are granted, the Kamran spyware automatically gathers sensitive user data, including:
- SMS messages
- contact list
- call logs
- calendar events
- device location
- list of installed apps
- received SMS messages (intercepted as they arrive)
- device files
- images
Interestingly, Kamran identifies available image files on the device (as depicted in Figure 8), obtains the file paths for these images, and stores them in an images_db database, as demonstrated in Figure 9. This database is kept in the malware's internal storage.
All types of data, including the image files, are uploaded to a hardcoded command and control (C&C) server. Interestingly, the operators opted to use Firebase, a Google web platform, as their C&C server: https://[REDACTED].firebaseio[.]com. The C&C server was reported to Google, as the platform is provided by that company.
It is important to note that the malware lacks remote control capabilities. As a result, user data is exfiltrated via HTTPS to the Firebase C&C server only when the user opens the app; data exfiltration cannot run in the background when the app is closed. Kamran has no mechanism tracking what data has already been exfiltrated, so it repeatedly sends the same data, plus any new data meeting its search criteria, to its C&C.
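The static properties described in this section (a distinct signing certificate, a broad set of data-access permissions, and a hardcoded firebaseio.com endpoint) can be checked without running the app. The following Python script is an added triage example; it is not code from the ESET report and not the Kamran sample. It hashes an APK and compares the digest with the file IoC listed below, lists the data-access permissions declared in the manifest, and scans the DEX and resource entries for hardcoded firebaseio.com URLs. Two assumptions: the AndroidManifest.xml inside the zip has already been decoded to plain XML (real APKs store it as binary AXML, which apktool or androguard can decode), and the mapping from the report's data categories to Android permission names is the editor's inference, not something the report states. The package name com.example.newsreader, the example-project.firebaseio.com URL and the whole in-memory sample APK are constructed for the demo.

```python
"""Static triage of an Android APK against the indicators in this report.

Added example, not code from the ESET report. Assumes AndroidManifest.xml in
the zip is already decoded to plain XML (real APKs carry binary AXML).
"""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the data the report says Kamran collects to the Android
# permissions an app must declare to read it. A news reader needs none of these.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# File IoC from the report (SHA-1 of the sample) and the C&C host pattern.
KNOWN_SHA1 = {"0f0259f288141edbe4ab2b8032911c69e03817d2": "Android/Spy.Kamran.A"}
FIREBASE_URL = re.compile(rb"https?://[A-Za-z0-9.-]+\.firebaseio\.com[^\s\"'\x00]*")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def manifest_info(xml_text: str):
    """Return (package name, set of uses-permission names) from decoded manifest XML."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    return package, perms


def hardcoded_firebase_urls(zf: zipfile.ZipFile):
    """Scan DEX, res/ and assets/ entries for firebaseio.com URLs.

    DEX string pools store ASCII strings in the clear, so a hardcoded C&C
    URL shows up with a plain byte search.
    """
    hits = set()
    for name in zf.namelist():
        if name.endswith(".dex") or name.startswith(("res/", "assets/")):
            for m in FIREBASE_URL.finditer(zf.read(name)):
                hits.add(m.group(0).decode("ascii", "replace"))
    return sorted(hits)


def triage_apk(apk_bytes: bytes) -> dict:
    """Run the three checks and return a findings dict."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    digest = sha1_hex(apk_bytes)
    package, perms = manifest_info(zf.read("AndroidManifest.xml").decode("utf-8"))
    return {
        "sha1": digest,
        "known_detection": KNOWN_SHA1.get(digest),   # None unless it is the IoC
        "package": package,
        "spyware_permissions": sorted(perms & SPYWARE_PERMISSIONS),
        "firebase_urls": hardcoded_firebase_urls(zf),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for the demo: a decoded manifest plus a fake DEX
    entry holding a placeholder Firebase URL. Not the real sample."""
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.newsreader">'
        '<uses-permission android:name="android.permission.INTERNET"/>'
        '<uses-permission android:name="android.permission.READ_SMS"/>'
        '<uses-permission android:name="android.permission.READ_CONTACTS"/>'
        '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
        "</manifest>"
    )
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16
                + b"https://example-project.firebaseio.com/.json\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py app-release.apk` on a decoded APK, or with no argument to see the constructed sample. A hash match is the strongest signal, but the other two findings are what catch a rebuilt sample: a news app that declares SMS, call-log and contact permissions and embeds a Firebase Realtime Database URL matches the behaviour described here regardless of its digest.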
Conclusion
Kamran is previously unknown Android spyware targeting Urdu-speaking people in the Gilgit-Baltistan region. Our research indicates that the malicious app containing Kamran has been distributed since at least early 2023 via what is probably a watering-hole attack on a local online newspaper named Hunza News.
Kamran has a unique codebase distinct from other Android spyware, which prevents its attribution to any known advanced persistent threat (APT) group.
This research also reiterates the importance of downloading apps exclusively from trusted and official sources.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files

| SHA-1 | Package name | Detection | Description |
|---|---|---|---|
| 0F0259F288141EDBE4AB2B8032911C69E03817D2 | com.kamran.hunzanews | Android/Spy.Kamran.A | Kamran spyware. |
Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 34.120.160[.]131 | [REDACTED].firebaseio[.]com | Google LLC | 2023-07-26 | C&C server. |
| 191.101.13[.]235 | hunzanews[.]net | Domain.com, LLC | 2017-05-22 | Distribution website. |
MITRE ATT&CK techniques
This table was built using version 13 of the MITRE ATT&CK framework.

| Tactic | Name | Description |
|---|---|---|
| Discovery | Software Discovery | Kamran spyware can obtain a list of installed applications. |
| Discovery | File and Directory Discovery | Kamran spyware can list image files on external storage. |
| Discovery | System Information Discovery | Kamran spyware can extract information about the device, including device model, OS version, and common system information. |
| Collection | Data from Local System | Kamran spyware can exfiltrate image files from a device. |
| Collection | Location Tracking | Kamran spyware tracks device location. |
| Collection | Protected User Data: Calendar Entries | Kamran spyware can extract calendar entries. |
| Collection | Protected User Data: Call Logs | Kamran spyware can extract call logs. |
| Collection | Protected User Data: Contact List | Kamran spyware can extract the device's contact list. |
| Collection | Protected User Data: SMS Messages | Kamran spyware can extract SMS messages and intercept received SMS. |
| Command and Control | Application Layer Protocol: Web Protocols | Kamran spyware uses HTTPS to communicate with its C&C server. |
| Command and Control | Web Service: One-Way Communication | Kamran uses Google's Firebase server as its C&C server. |
| Exfiltration | Exfiltration Over C2 Channel | Kamran spyware exfiltrates data using HTTPS. |