Facebook: Pakistani hackers operated a fake app store to target former Afghan officials

A group of Pakistani hackers has created and operated a fake Android app store in order to target and infect individuals connected to the former Afghanistan government prior to and during its fall to the new Taliban regime.

The hacking campaign took place between April and August this year and was carried out by a group known as SideCopy, Facebook's security team said in a report published today.

Facebook security researchers said SideCopy operators created fake profiles on its platform, typically posing as young women, and approached targets with the goal of getting them to click on malicious links.

These links redirected victims to phishing sites that collected login credentials or, in some cases, to fake app stores hosting malware-infected Android apps.


Facebook said SideCopy typically used malicious apps that posed as chat messaging apps. They either mimicked known brands such as Viber and Signal or posed as new chat apps altogether.

"Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat applications," said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption.

These Android apps included remote access trojans. Some apps contained a strain called PJobRAT, while others contained a previously unreported Android malware strain Facebook named Mayhem.

The two malware strains allowed SideCopy operators full control over the infected devices, the social network's security team explained.

Facebook also disrupts three hacking groups in Syria

In addition, Facebook said it also disrupted in October three additional hacking groups that were operating in Syria.

With links to the Syrian government, these groups primarily targeted individuals and activists opposing the Assad regime:

  • Syrian Electronic Army - targeted human rights activists, journalists and other groups opposing the ruling regime.
  • APT-C-37 - targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces
  • Unnamed group - targeted minority groups, activists, opposition, Kurdish journalists, activists, members of the People's Protection Units (YPG), and Syria Civil Defense or White Helmets, a volunteer-based humanitarian organization.

Facebook formally linked the activities of the first two groups to two separate units inside Syria's Air Force Intelligence Directorate, the country's most important intelligence service.

This marks the second time that Facebook has formally attributed and linked a hacking group operating on its platform to a real-world entity.

The first time was in December 2020 when Facebook linked APT32, a hacking group spying on behalf of the Vietnamese government, to a local company named CyberOne Group.

To disrupt the activities of the Pakistani and Syrian hacking groups, Facebook said it disabled their accounts, blocked their domains from being posted on its sites, notified users that they were targeted, and shared information about the attacks with law enforcement and other security researchers.

Previously, Facebook also disrupted the operations of other state-sponsored hacking groups operating out of IranPalestine, and China.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.