Android spyware delivered through infected news site targets Urdu speakers in Kashmir

Hackers are targeting Urdu speakers with spyware delivered through an infected popular news site, according to a new report.

Researchers from cybersecurity firm ESET said they discovered a brand of Android spyware called Kamran that is allegedly being distributed through a so-called watering hole attack involving a compromised news website called Hunza News.

Watering hole attacks are when hackers target specific people by infecting websites that they typically visit. ESET said the targets of the spyware appear to be Urdu-speaking residents of Gilgit-Baltistan, which is part of the disputed Kashmir region administered by Pakistan.

“With a high degree of confidence, we can affirm that the malicious app specifically targeted Urdu-speaking users, who accessed the website via Android devices. However, since Kamran demonstrates a unique codebase, distinct from other Android spyware, this prevents its attribution to any known advanced persistent threat – APT – group,” ESET researcher Lukáš Štefanko said.

“This spyware shows once again that it is important to reiterate the importance of downloading apps exclusively from trusted and official sources,” he added.

Štefanko discovered the Kamran spyware and said it allows the hacker to access a victim’s contacts, calendar, call logs, location information, device files, SMS messages and images.

Hunza News is a regional news website that covers Gilgit-Baltistan — a heavily disrupted region that has seen longstanding territorial disputes between India, Pakistan and China.

ESET said that when someone opens the Urdu version of the news site on their mobile device, they are asked to download the “Hunza News Android app” directly from the website. But the app, according to ESET, is infected with Kamran, which was previously unknown.

ESET called it Kamran because the file name they found on the spyware is “com.kamran.hunzanews.” ESET researchers noted that the desktop apps for the news site in English and Urdu were also infected with the Android spyware.

The spyware displays stories from Hunza News website but when launched, it asks users to grant wide-ranging permissions to the victim’s device. The data stolen from the device is uploaded to a server that ESET reported to Google.

The researchers said they contacted Hunza News about the issue with their apps but never got a response. The news outlet has existed since 2013, deriving its name either from Hunza District or Hunza Valley. The news site began offering its Android app in 2015 through the Google Play Store.

The researchers noted that the malicious app is not offered through the Google Play Store and is downloaded from a source labeled “Unknown.”

“To install this app, the user is requested to enable the option to install apps from unknown sources. ESET was able to identify at least 22 compromised smartphones, with five of them being located in Pakistan,” the researchers said.

The malicious app began appearing on the website at some point between January 7 and March 21, with the developer certificate of the app being issued on January 10.

ESET noted that during this period, there were several protests in Gilgit-Baltistan over local issues like power outages and wheat costs.