Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

UPDATE (November 13th, 2023): The website has removed the “DOWNLOAD APP” button, although the malicious app is still hosted on its servers.

ESET researchers have identified what appears to be a watering-hole attack on a regional news website that delivers news about Gilgit-Baltistan, a disputed region administered by Pakistan. When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website, but the app has malicious espionage capabilities. We named this previously unknown spyware Kamran because of its package name com.kamran.hunzanews. Kamran is a common given name in Pakistan and other Urdu-speaking regions; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means fortunate or lucky.

The Hunza News website has English and Urdu versions; the English mobile version doesn’t provide any app for download. However, the Urdu version on mobile offers to download the Android spyware. It is worth mentioning that both English and Urdu desktop versions also offer the Android spyware; although, it is not compatible with desktop operating systems. We reached out to the website concerning the Android malware. However, prior to the publication of our blogpost, we did not receive any response.

Key points of the report:

  • Android spyware, which we named Kamran, has been distributed via a possible watering-hole attack on the Hunza News website.
  • The malware targets only Urdu-speaking users in Gilgit-Baltistan, a region administered by Pakistan.
  • The Kamran spyware displays the content of the Hunza News website and contains custom malicious code.
  • Our research shows that at least 20 mobile devices were compromised.

Upon launching, the malicious app prompts the user to grant it permissions to access various data. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, images, etc. As this malicious app has never been offered through the Google Play store and is downloaded from an unidentified source referred to as Unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources.

The malicious app appeared on the website sometime between January 7th, 2023, and March 21st, 2023; the developer certificate of the malicious app was issued on January 10, 2023. During that time, protests were being held in Gilgit-Baltistan for various reasons encompassing land rights, taxation concerns, prolonged power outages, and a decline in subsidized wheat provisions. The region, shown in the map in Figure 1, is under Pakistan’s administrative governance, consisting of the northern portion of the larger Kashmir region, which has been the subject of a dispute between India and Pakistan since 1947 and between India and China since 1959.

Figure 1 The Gilgit-Baltistan region
Figure 1. The Gilgit-Baltistan region

Overview

Hunza News, likely named after the Hunza District or the Hunza Valley, is an online newspaper delivering news related to the Gilgit-Baltistan region.

The region, with a population of around 1.5 million, is famous for the presence of some of the highest mountains globally, hosting five of the esteemed “eight-thousanders” (mountains that peak at more than 8,000 meters above sea level), most notably K2, and is therefore frequently visited by international tourists, trekkers, and mountaineers. Because of the protests in spring 2023, and additional ones happening in September 2023, the US and Canada have issued travel advisories for this region, and Germany suggested tourists should stay informed about the current situation.

Gilgit-Baltistan is also an important crossroad because of the Karakoram Highway, the only motorable road connecting Pakistan and China, as it allows China to facilitate trade and energy transit by accessing the Arabian Sea. The Pakistani portion of the highway is currently being reconstructed and upgraded; the efforts are financed by both Pakistan and China. The highway is frequently blocked by damage caused by weather or protests.

The Hunza News website provides content in two languages: English and Urdu. Alongside English, Urdu holds national language status in Pakistan, and in Gilgit-Baltistan, it serves as the common or bridge language for interethnic communications. The official domain of Hunza News is hunzanews.net, registered on May 22nd, 2017, and has been consistently publishing online articles since then, as evidenced by Internet Archive data for hunzanews.net.

Prior to 2022, this online newspaper also used another domain, hunzanews.com, as indicated in the page transparency information on the site’s Facebook page (see Figure 2) and the Internet Archive records of hunzanews.com, Internet Archive data also shows that hunzanews.com had been delivering news since 2013; therefore, for around five years, this online newspaper was publishing articles via two websites: hunzanews.net and hunzanews.com. This also means that this online newspaper has been active and gaining online readership for over 10 years.

Figure 2 Date of HunzaNews Facebook page creation
Figure 2. Date of HunzaNews Facebook page creation referencing previous domain

In 2015, hunzanews.com started to provide a legitimate Android application, as shown in Figure 3, which was available on the Google Play store. Based on available data we believe two versions of this app were released, with neither containing any malicious functionality. The purpose of these apps was to present the website content to readers in a user-friendly way.

Figure 3 Web archive hunzanews com
Figure 3. Web archive of hunzanews.com displaying the option to download its official Android app

In the second half of 2022, the new website hunzanews.net underwent visual updates, including the removal of the option to download the Android app from Google Play. Additionally, the official app was taken down from the Google Play store, likely due to its incompatibility with the latest Android operating systems.

For a few weeks, from at least December 2022 until January 7th, 2023, the website provided no option to download the official mobile app, as shown in Figure 4.

Figure 4 Hunza News redesign no option download app
Figure 4. Hunza News after redesign with no option to download an app

Based on Internet Archive records, it is evident that at least since March 21st, 2023, the website reintroduced the option for users to download an Android app, accessible via the DOWNLOAD APP button, as depicted in Figure 5. There is no data for the period between January 7th and March 21st, 2023, which could help us pinpoint the exact date of the app’s reappearance on the website.

Figure 5 Hunza News website option download app restored
Figure 5. The Hunza News website with the option to download an app restored

When analyzing several versions of the website, we came across something interesting: viewing the website in a desktop browser in either language version of Hunza News – English (hunzanews.net) or Urdu (urdu.hunzanews.net) – prominently displays the DOWNLOAD APP button at the top of the webpage. The downloaded app is a native Android application which cannot be installed on a desktop machine and compromise it.

However, on a mobile device, this button is exclusively visible on the Urdu language variant (urdu.hunzanews.net), as shown in Figure 6.

With a high degree of confidence, we can affirm that the malicious app is specifically targeted at Urdu-speaking users who access the website via an Android device. The malicious app has been available on the website since the first quarter of 2023.

Figure 6 English (left) and Urdu (right) version Hunza News
Figure 6. English (left) and Urdu (right) version of Hunza News shown on a mobile device

Clicking on the DOWNLOAD APP button triggers a download from https://hunzanews[.]net/wp-content/uploads/apk/app-release.apk. As this malicious app has never been offered through the Google Play store and is downloaded from a third-party site to install this app, the user is requested to enable the non-default, Android option to install apps from unknown sources.

The malicious app, called Hunza News, is previously unknown spyware that we named Kamran and that is analyzed in the Kamran section below.

ESET Research reached out to Hunza News regarding Kamran. Before the publication of our blogpost we did not receive any form of feedback or response from the website’s side.

Victimology

Based on the findings from our research, we were able to identify at least 22 compromised smartphones, with five of them being located in Pakistan.

Kamran

Kamran is previously undocumented Android spyware characterized by its unique code composition, distinct from other, known spyware. ESET detects this spyware as Android/Spy.Kamran.

We identified only one version of a malicious app containing Kamran, which is the one available to download from the Hunza News website. As explained in the Overview section, we are unable to specify the exact date on which the app was placed on the Hunza News website. However, the associated developer certificate (SHA-1 fingerprint: DCC1A353A178ABF4F441A5587E15644A388C9D9C), used to sign the Android app, was issued on January 10th, 2023. This date provides a floor for the earliest time that the malicious app was built.

In contrast, legitimate applications from Hunza News that were formerly available on Google Play were signed with a different developer certificate (SHA-1 fingerprint: BC2B7C4DF3B895BE4C7378D056792664FCEEC591). These clean and legitimate apps exhibit no code similarities with the identified malicious app.

Upon launching, Kamran prompts the user to grant permissions for accessing various data stored on the victim’s device, such as contacts, calendar events, call logs, location information, device files, SMS messages, and images. It also presents a user interface window, offering options to visit Hunza News social media accounts, and to select either the English or Urdu language for loading the contents of hunzanews.net, as shown in Figure 7.

Figure 7 Malicious app initial interface
Figure 7. Malicious app’s initial interface

If the abovementioned permissions are granted, the Kamran spyware automatically gathers sensitive user data, including:

  • SMS messages
  • contacts list
  • call logs
  • calendar events
  • device location
  • list of installed apps
  • received SMS messages
  • device info
  • images

Interestingly, Kamran identifies accessible image files on the device (as depicted in Figure 8), obtains the file paths for these images, and stores this data in an images_db database, as demonstrated in Figure 9. This database is stored in the malware’s internal storage.

Figure 8 Code obtaining image file paths
Figure 8. Code responsible for obtaining image file paths
Figure 9 List images exfiltrate
Figure 9. List of images to exfiltrate

All types of data, including the image files, are uploaded to a hardcoded command and control (C&C) server. Interestingly, the operators opted to utilize Firebase, a web platform, as their C&C server: https://[REDACTED].firebaseio[.]com. The C&C server was reported to Google, as the platform is provided by this technology company.

It is important to note that the malware lacks remote control capabilities. As a result, user data is exfiltrated via HTTPS to the Firebase C&C server only when the user opens the app; data exfiltration cannot run in the background when the app is closed. Kamran has no mechanism tracking what data has been exfiltrated, so it repeatedly sends the same data, plus any new data meeting its search criteria, to its C&C.

Conclusion

Kamran is previously unknown Android spyware targeting Urdu-speaking people in the Gilgit-Baltistan region. Our research indicates that the malicious app containing Kamran has been distributed since at least 2023 via what probably is a watering-hole attack on a local, online newspaper named Hunza News.

Kamran demonstrates a unique codebase distinct from other Android spyware, preventing its attribution to any known advanced persistent threat (APT) group.

This research also shows that it is important to reiterate the significance of downloading apps exclusively from trusted and official sources.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1

Package name

Detection

Description

0F0259F288141EDBE4AB2B8032911C69E03817D2

com.kamran.hunzanews

Android/Spy.Kamran.A

Kamran spyware.

Network

IP

Domain

Hosting provider

First seen

Details

34.120.160[.]131

[REDACTED].firebaseio[.]com

Google LLC

2023-07-26

C&C server.

191.101.13[.]235

hunzanews[.]net

Domain.com, LLC

2017-05-22

Distribution website.

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Tactic

ID

Name

Description

Discovery

T1418

Software Discovery

Kamran spyware can obtain a list of installed applications.

T1420

File and Directory Discovery

Kamran spyware can list image files on external storage.

T1426

System Information Discovery

Kamran spyware can extract information about the device, including device model, OS version, and common system information.

Collection

T1533

Data from Local System

Kamran spyware can exfiltrate image files from a device.

T1430

Location Tracking

Kamran spyware tracks device location.

T1636.001

Protected User Data: Calendar Entries

Kamran spyware can extract calendar entries.

T1636.002

Protected User Data: Call Logs

Kamran spyware can extract call logs.

T1636.003

Protected User Data: Contact List

Kamran spyware can extract the device’s contact list.

T1636.004

Protected User Data: SMS Messages

Kamran spyware can extract SMS messages and intercept received SMS.

Command and Control

T1437.001

Application Layer Protocol: Web Protocols

Kamran spyware uses HTTPS to communicate with its C&C server.

T1481.003

Web Service: One-Way Communication

Kamran uses Google’s Firebase server as its C&C server.

Exfiltration

T1646

Exfiltration Over C2 Channel

Kamran spyware exfiltrates data using HTTPS.

Source: Original Post


“An interesting youtube video that may be related to the article above”