Cybersecurity researchers, SophosLabs by Sophos, have found five trojanized versions of legitimate Android apps that carry out covert surveillance and espionage targeting users in Pakistan.
According to the analyst at SophosLabs , it is created to disguise applications such as the Pakistan Citizen Portal, Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file.
“The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages,” Sophos threat researchers Pankaj Kohli and Andrew Brandt said. “The app then sends this information to one of a small number of command-and-control websites hosted on servers located in Eastern Europe.”
Besides the above-mentioned applications, Sophos researchers also discovered a separate app called Pakistan Chat that didn’t have a benign analog distributed via the Google Play Store. But the app was found to leverage the API of a legitimate chat service called ChatGum.
“The spying and covert surveillance capability of these modified Android apps highlight the dangers of spyware to smartphone users everywhere,” Pankaj Kohli said. “Cyber-adversaries target mobiles not just to get their hands on sensitive and personal information, but because they offer a real-time window into people’s lives, their physical location, movements, and even live conversations taking place within listening range of the infected phone.”
Some of these apps might also gain permission to make phone calls and send text messages which may cost you money.
If anything, the development is yet another reason why users need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.