Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan area have possibly emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran.
The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website.
The app, however, contains malicious espionage capabilities, with the attack compromising at least 20 mobile devices so far. It has been available on the website since sometime between January 7 and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts.
The malware, activated upon package installation, requests intrusive permissions, allowing it to harvest sensitive information from the devices.
This includes contacts, call logs, calendar events, location information, files, SMS messages, images, the list of installed apps, and device metadata. The collected data is subsequently uploaded to a command-and-control (C2) server hosted on Firebase.
Kamran lacks remote control capabilities and is also simplistic by design, carrying out its exfiltration actions only when the victim opens the app and lacking any provision to keep track of the data that has already been transmitted.
This means that it repeatedly sends the same information, along with any new data meeting its search criteria, to the C2 server. Kamran has yet to be attributed to any known threat actor or group.
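The data categories listed above map directly onto Android permissions an app must declare in its manifest, which gives a defender a quick triage signal for a sideloaded APK. The following Python script is an added example, not ESET's tooling or code from the article: it parses a decoded AndroidManifest.xml, maps the declared `uses-permission` entries to the data categories the article says Kamran collects, and flags an app that covers several of them. The two manifests below are constructed for the example (a "news reader" that asks for far more than a news reader needs, beside a benign one); the permission names are real Android constants, and the flagging threshold is an assumption.

```python
"""Permission-based triage of a decoded Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories named in the article, mapped to the Android permissions
# that gate access to them. Any one permission in the set is enough.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files_photos": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.READ_MEDIA_IMAGES"},
    "sms": {"android.permission.READ_SMS"},
}

# Constructed manifest: a "news reader" declaring a spyware-like permission set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="News"/>
</manifest>"""

# Constructed manifest: what a plain news reader actually needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="News"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def harvested_categories(manifest_xml: str) -> list:
    """List the article's data categories this manifest could reach."""
    perms = declared_permissions(manifest_xml)
    return sorted(cat for cat, needed in CATEGORY_PERMISSIONS.items()
                  if perms & needed)


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag an app that covers `threshold` or more sensitive categories.

    The threshold is an assumption for this example; tune it per app class.
    """
    cats = harvested_categories(manifest_xml)
    return {"categories": cats, "suspicious": len(cats) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Run it against a manifest decoded with a tool such as apktool; an app whose declared purpose is reading news but whose manifest reaches contacts, call logs, calendar, location, storage and SMS at once warrants a closer look before it is allowed on a managed device.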
"As this malicious app has never been offered via the Google Play store and is downloaded from an unidentified source called Unknown by Google, to install this app, the user is asked to enable the option to install apps from unknown sources," security researcher Lukáš Štefanko said.