Date: 2023-11-10

Urdu-speaking readers of a regional news website dedicated to the Gilgit-Baltistan region were targeted in a "watering hole" attack designed to spread a new and previously unknown Android spyware called Kamran.

ESET's findings on the Kamran malware

The campaign, discovered by ESET, uses the Hunza News site (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors to the Urdu version to install the Android app hosted directly on the website (although not explicitly stated by ESET, it is possible they exploited a flaw in Android System WebView).

However, the application incorporates malicious spying features, and the attack has compromised at least 20 mobile devices to date. The app was available on the website between 7 January and 21 March 2023, a period of large-scale protests in the region over land rights, taxation and severe power outages.

The malware, activated during package installation, requests intrusive permissions that allow it to collect sensitive information from devices: contacts, call logs, calendar events, location information, files, SMS messages, photos, the list of installed applications and device metadata. Put simply, the collected data is then uploaded to a command and control (C2) server hosted on Firebase.

Kamran has no remote control features and is simple in design: it carries out its exfiltration activities only when the victim opens the app, and it cannot keep track of data that has already been transmitted.

This means that it sends the same information repeatedly, along with any new data that meets its search criteria, to the C2 server. Kamran has not yet been attributed to any known perpetrator or group in the cyber threat world.

"As this malicious app was never offered via the Google Play Store and is downloaded from an unidentified source defined as unknown by Google, to install this app, the user is asked to enable the option to install apps from unknown sources [a fairly common practice, incidentally, for many kinds of software, including safe software]," said security researcher Lukáš Štefanko.
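For defenders triaging a handset after a campaign like this one, the following added example (not code from ESET or from the original article) checks a decoded AndroidManifest.xml against the data categories listed above and flags apps that were not installed by a trusted store. The permission mapping, the threshold of four categories and the `com.example.regionalnews` package name are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy
P = "android.permission."
# Assumed mapping: data categories named in the article -> permissions gating them.
# This is not ESET's published permission list for Kamran.
CATEGORY_PERMISSIONS = {
    "contacts": {P + "READ_CONTACTS"},
    "call logs": {P + "READ_CALL_LOG"},
    "calendar events": {P + "READ_CALENDAR"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "files and photos": {P + "READ_EXTERNAL_STORAGE", P + "READ_MEDIA_IMAGES",
                         P + "MANAGE_EXTERNAL_STORAGE"},
    "SMS messages": {P + "READ_SMS"},
    "installed apps": {P + "QUERY_ALL_PACKAGES"},  # only needed on Android 11+
}

def requested_permissions(manifest_xml):
    """Return permission names declared in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def triage(manifest_xml, installer, threshold=4):
    """Flag an app not installed by a trusted store that covers many categories."""
    perms = requested_permissions(manifest_xml)
    hit = sorted(c for c, needed in CATEGORY_PERMISSIONS.items() if perms & needed)
    sideloaded = installer not in TRUSTED_INSTALLERS
    return {"categories": hit, "sideloaded": sideloaded,
            "flag": sideloaded and len(hit) >= threshold}

def sample_manifest(names):
    """Build a constructed manifest for the demo (not taken from any real app)."""
    body = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.regionalnews">%s</manifest>' % body)

if __name__ == "__main__":
    spy_like = sample_manifest(["INTERNET", "READ_CONTACTS", "READ_CALL_LOG",
                                "READ_CALENDAR", "ACCESS_FINE_LOCATION", "READ_SMS"])
    print(triage(spy_like, installer=None))                   # sideloaded, flagged
    print(triage(spy_like, installer="com.android.vending"))  # store install, not flagged
```

The installer value would come from the device's package manager records; a broad permission set alone does not prove an app is spyware, so a flag is a prompt for manual review.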

Origin of the name Kamran

Just for information, Kamran is a male given name that means "luck", "success" or even "happiness", which is terribly ironic given the purpose of this cyber threat.

Conclusion

This attack on Urdu-speaking readers of the regional website Hunza News is a serious warning about the growing threat of cybercriminals targeting unwitting users for malicious purposes. The use of this new spyware highlights the importance of being cautious when browsing the Internet and of checking carefully before downloading applications from unverified sources.

Cyber security is a priority, and users should always install apps only from trusted sources like the Google Play Store and make sure they have the latest security patches; at the same time, organizations and authorities must work to identify and counter these emerging digital threats to protect the privacy and security of citizens.

Maintaining a high focus on cybersecurity and collaboration between industry experts is essential to address the challenges posed by such attacks; staying informed and vigilant is the first step towards safe navigation in an increasingly digitally connected world.