SophosLabs, a private threat intelligence company, has exposed several malicious Android apps stealing data mainly from people in Pakistan. These apps are clones of apps already popular among citizens, but they carry an embedded Trojan. Although they work normally, like their original counterparts, the embedded Trojan gives them extra functionality. Reportedly, the purpose of these added features is to spy on users.
The company has also documented the differences between the original apps and the trojanized versions. Typically, the trojanized app requests unusual permissions in order to gain access to private data.
Android Apps Stealing Data Secretly from Pakistani Citizens
According to the investigation, these clone versions are designed to survey the phone and collect a payload in Dalvik Executable (.dex) format; this payload contains the user's contact list and complete SMS messages. The infected app sends this information to small command-and-control sites hosted on servers in Eastern Europe.
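The "odd permissions" difference the report describes can be checked mechanically: decode both APKs (for example with apktool) and diff the `uses-permission` entries in the two AndroidManifest.xml files. The script below is an added example written for this article, not SophosLabs' tooling; the two manifests are constructed stand-ins for a legitimate app and its trojanized clone, and the list of sensitive permissions is a defender's choice covering the contact and SMS access the report mentions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant access to the kind of data the report says was
# exfiltrated (contacts, SMS) plus a few that enable covert data collection.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "stored SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS messages",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further packages",
}

# Constructed sample manifests standing in for the decoded AndroidManifest.xml
# of a legitimate app and of a trojanized clone (not the real apps' manifests).
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="pk.example.portal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Example Portal"/>
</manifest>
"""

CLONE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="pk.example.portal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Example Portal"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> carries no namespace; only its android:name attribute does.
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def package_name(manifest_xml: str) -> str:
    return ET.fromstring(manifest_xml).get("package", "")


def permission_diff(original_xml: str, clone_xml: str) -> dict:
    """Permissions the clone added to, or dropped from, the original."""
    orig, clone = declared_permissions(original_xml), declared_permissions(clone_xml)
    return {"added": sorted(clone - orig), "removed": sorted(orig - clone)}


def assess(original_xml: str, clone_xml: str) -> dict:
    """Compare two manifests and flag sensitive permissions the clone gained."""
    diff = permission_diff(original_xml, clone_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in diff["added"] if p in SENSITIVE_PERMISSIONS}
    return {
        "same_package": package_name(original_xml) == package_name(clone_xml),
        "added": diff["added"],
        "removed": diff["removed"],
        "sensitive": sensitive,
        "suspicious": bool(sensitive),
    }


if __name__ == "__main__":
    report = assess(ORIGINAL_MANIFEST, CLONE_MANIFEST)
    print("same package name:", report["same_package"])
    for perm, what in report["sensitive"].items():
        print(f"clone gained {perm} -> access to {what}")
    print("verdict:", "suspicious" if report["suspicious"] else "no new sensitive permissions")
```

A clone that keeps the original package name while gaining contact and SMS permissions is exactly the profile the report describes; the same comparison also surfaces permissions the clone dropped, which can indicate stripped functionality.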
The stolen user data might include passport details, Computerized National Identity Card (CNIC) numbers, social media account details, and information about other affiliated accounts.
Pakistani Citizens Under Mass Surveillance
Most of these Android apps stealing data from users are not widely known. However, a clone of one high-profile app raised the alarm. According to SophosLabs, Pakistan Citizen Portal, a public complaint registration system published by the government, has also been trojanized.
According to malware database records, the website https://pmdu.info/ was hosting samples of the new Trojan. This webpage imitated the government's listing on the Google Play Store, where the clean version is published. Apart from a few imperfections, the page looked exactly like the original, but it provided links to download the trojanized version of the Pakistan Citizen Portal app.
There were, however, some minor mistakes in the web design that a keen-eyed observer could spot. Unfortunately, to an average Pakistani user the page might look authentic, which is why it is dangerous and must be dealt with immediately.
The government department PMDU (Prime Minister's Delivery Unit) created this app in 2019, and its real domain name falls under .gov.pk, the proper zone for Pakistani government websites. The malicious site, on the other hand, was hosted on the IP address 220.127.116.11, which geo-locates to somewhere in the Netherlands.
Where is The Data Going?
The intelligence company may also have stumbled upon the culprit responsible for stealing data from users. While digging further, they found that another government website, that of the Trading Corporation of Pakistan (TCP), also displayed the address of the fake Pakistan Citizen Portal website as text in its banner.
The link was not clickable, so it was not clear why the hackers added the bogus link to the TCP page. On 10 January, Sophos noted that the entire TCP page had been replaced with a single line of text: "Hacked by 9bandz". The research company shared an image of how the official webpage of the state-run TCP looked at that moment.
This led to further research, and the company found that at least 93 websites had been defaced under this username. On 10 December, a similar username was seen on a forum selling government web shells with full access to all files.
The researchers state in their report that, due to insufficient evidence, it cannot be said that the same hacker(s) were extracting critical information from Pakistani users. However, the possibility of a connection could not be ruled out.
Serious Attention Needed On This Development
So far, the company has identified five different Android apps stealing data from Pakistan. The researchers spotted a minor spelling mistake in the copyright statement of the Pakistan Citizen Portal clone, a hint that the site might be hosting malware to spy on whoever downloads from it. Apart from Pakistan Citizen Portal, the apps TPL Insurance, Pakistan Salat Time, Mobile Packages Pakistan and Registered SIMs Checker also have malicious copy-cats on the internet. The company did not confirm whether the developers of the original apps already knew about the contaminated versions of their apps, nor did it report any response from the Pakistani government on this information.
Always Download From Trusted Sources
The researchers at SophosLabs advised users to refrain from downloading apps from dodgy websites. The clean versions are available on the Google Play Store, which is a widely recommended platform for downloading Android apps. Malicious Android apps stealing data from users are mostly distributed through independent websites. On the Google Play Store, developers list a link to their official website, which can be checked to verify that the desired app comes from a trusted developer.
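Both the .gov.pk point made earlier (pmdu.info versus the real domain, and a bare IP address in the Netherlands) and the advice above about checking a developer's website link come down to one question: does the host in a link actually sit in the zone the legitimate publisher uses? The script below is an added example written for this article, not Sophos' code. It uses https://pmdu.info/ and 220.127.116.11 from the report as inputs; the label list `KNOWN_GOVERNMENT_LABELS` is a constructed assumption (the article does not give the portal's real domain), and example.gov.pk and attacker.example are placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Zone the article identifies as the proper one for Pakistani government sites.
GOVERNMENT_SUFFIX = ("gov", "pk")

# Constructed allow-list of second-level labels assumed to belong to government
# services under .gov.pk. "pmdu" is an assumption drawn from the fake site's
# name, not a domain taken from the report.
KNOWN_GOVERNMENT_LABELS = {"pmdu", "citizenportal"}


def _host_and_labels(url: str):
    """Extract the lower-cased hostname and its dot-separated labels."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, (host.split(".") if host else [])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _embedded_government_suffix(labels) -> bool:
    """True when 'gov.pk' appears somewhere other than as the real suffix,
    e.g. portal.gov.pk.attacker.example."""
    for i in range(len(labels) - 2):
        if (labels[i], labels[i + 1]) == GOVERNMENT_SUFFIX:
            return True
    return False


def classify_link(url: str) -> str:
    """Classify a download or developer-site link as
    'government', 'lookalike', 'ip-literal', 'other' or 'invalid'."""
    host, labels = _host_and_labels(url)
    if not host:
        return "invalid"
    if is_ip_literal(host):
        # A raw address, as in the report, is never a legitimate government site.
        return "ip-literal"
    if len(labels) >= 3 and tuple(labels[-2:]) == GOVERNMENT_SUFFIX:
        return "government"
    # A government label under a foreign suffix, or 'gov.pk' buried inside a
    # longer hostname, is the pattern the fake portal site used.
    if _embedded_government_suffix(labels) or any(l in KNOWN_GOVERNMENT_LABELS for l in labels):
        return "lookalike"
    return "other"


def triage(urls):
    """Map each link to its verdict; handy for a list of links scraped from a page."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links; the first two values come from the report.
    samples = [
        "https://pmdu.info/",
        "http://220.127.116.11/portal.apk",
        "https://example.gov.pk/app",
        "https://pmdu.gov.pk.attacker.example/download",
        "https://play.google.com/store",
    ]
    for link, verdict in triage(samples).items():
        print(f"{verdict:11} {link}")
```

The suffix check deliberately looks at the last two labels rather than using a substring match, so `pmdu.gov.pk.attacker.example` is flagged as a lookalike instead of passing as government; the label allow-list catches the simpler swap of `.gov.pk` for `.info` that the report describes.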