Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage.
Designed to masquerade as apps such as the Pakistan Citizen Portal, a Muslim prayer-clock app called Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file.
“The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages,” Sophos threat researchers Pankaj Kohli and Andrew Brandt said.
“The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.”
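The behaviour described above, a trojanized app that holds SMS and contact permissions and also loads a separately fetched DEX file at runtime, is the kind of combination a static triage check can flag. The following Python script is an added example, not code from Sophos or from the article; the manifest snippet and DEX string table it uses are constructed, and in practice they would come from decoding the APK under review.

```python
import re
from dataclasses import dataclass

# Permissions that cover the data the article says the payload exfiltrates.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
# Dalvik type descriptors for runtime class loaders used to load a dropped DEX.
DYNAMIC_LOADERS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
)

@dataclass
class TriageResult:
    sensitive_permissions: set
    dynamic_loaders: list
    dex_file_names: list

    @property
    def suspicious(self) -> bool:
        # Only the combination is flagged: a legitimate app may need SMS or
        # contact access, but rarely also loads code it fetched at runtime.
        return bool(self.sensitive_permissions) and bool(self.dynamic_loaders)

def parse_permissions(manifest_xml: str) -> set:
    """Extract <uses-permission> names from a decoded AndroidManifest.xml."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))

def triage(manifest_xml: str, dex_strings: list) -> TriageResult:
    """dex_strings is the string table pulled from classes.dex (constructed here)."""
    perms = parse_permissions(manifest_xml) & SENSITIVE_PERMISSIONS
    loaders = [s for s in dex_strings if s in DYNAMIC_LOADERS]
    dex_names = [s for s in dex_strings if s.lower().endswith(".dex")]
    return TriageResult(perms, loaders, dex_names)

# Constructed sample: a manifest and DEX strings shaped like the behaviour above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "update.dex", "Ljava/net/HttpURLConnection;"]

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS)
    print("suspicious:", result.suspicious, result.dex_file_names)
```

A hit from this check is a reason to inspect the app further, not a verdict on its own; the dropped `.dex` name and the loader call site are the places to start.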
Interestingly, the fake website of the Pakistan Citizen Portal was also prominently displayed in the form of a static image on the Trading Corporation of Pakistan (TCP) website, potentially in an attempt to lure unsuspecting users into…