Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran.
The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website.
The app, however, incorporates malicious espionage capabilities, with the attack compromising at least 20 mobile devices to date. It has been available on the website since sometime between January 7, and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts.
The malware, activated upon package installation, requests for intrusive permissions, allowing it to harvest sensitive information from the devices.
This includes contacts, call logs, calendar events, location information, files, SMS messages, photos, list of installed apps, and device metadata. The collected data is subsequently uploaded to a command-and-control (C2) server hosted on Firebase.
Kamran lacks remote control capabilities and is also simplistic by design, carrying out its exfiltration activities only when the victim opens the app and lacking in provisions to keep track of the data that has already been transmitted.
This means that it repeatedly sends the same information, along with any new data meeting its search criteria, to the C2 server. Kamran has yet to be attributed to any known threat actor or group.
"As this malicious app has never been offered through the Google Play store and is downloaded from an unidentified source referred to as unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources," security researcher Lukáš Štefanko said.
A Google spokesperson told The Hacker News that "Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services, even when apps come from sources outside of Google Play.”
