Hackers use a malicious APK package to lure Indian defence staff

November 23, 2022

A threat group has used a malicious APK package to target Indian defence personnel who use Android devices. The package carries a decoy copy of a promotion letter to lure the targeted employees into installing it.

Once a victim takes the bait and installs the malicious APK, the app presents itself on the infected device with an Adobe Reader icon. After installation it requests multiple permissions, including access to the camera, the internet, storage, and the microphone.
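The mismatch the article describes, a "PDF reader" asking for camera and microphone access, is something a defender can check mechanically. The following is an added triage example, not code from the article or from any security vendor: it parses a constructed, decoded AndroidManifest.xml modelled on the decoy, compares the requested permissions against a hypothetical baseline for a document viewer, and flags surveillance-capable permissions outside that baseline. It assumes the binary manifest has already been decoded (for example with apktool) into plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest modelled on the decoy described in the article:
# an app labelled like a PDF reader that also asks for camera, microphone,
# storage and network access. Not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoy.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Adobe Reader" android:icon="@mipmap/ic_launcher"/>
</manifest>"""

# Hypothetical baseline: permissions a document viewer plausibly needs.
READER_BASELINE = {"android.permission.INTERNET",
                   "android.permission.READ_EXTERNAL_STORAGE"}

# Surveillance-capable permissions whose presence in a "reader" is a red flag.
SURVEILLANCE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"}


def parse_manifest(xml_text):
    """Return (package, label, requested permissions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    return root.get("package", ""), label, perms


def assess(xml_text, baseline=READER_BASELINE):
    """Flag permissions outside the baseline. Any surveillance permission beyond
    the baseline yields 'suspicious'; other extras yield 'review'; none yields 'ok'."""
    package, label, perms = parse_manifest(xml_text)
    unexpected = perms - baseline
    if unexpected & SURVEILLANCE:
        verdict = "suspicious"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": package, "label": label,
            "unexpected": unexpected, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST)
    print(result["label"], result["verdict"], sorted(result["unexpected"]))
```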

Moreover, a researcher revealed that the operators of the APK package use a strain of the Spymax RAT. The source code of this remote access trojan is already available on hacker forums and in the underground market.

The Spymax malware comes in several Android package builds. One of these builds includes a web view feature that lets its operators load any web link of their choosing into the web view module.

Once installed, the hostile APK disguises itself as an authentic-looking Android application on the device.


The operators of the malicious APK package used WhatsApp as the delivery vector to reach their targets.


Based on reports, the operators used a Google Drive link pointing to a PDF that lists Indian defence employees who were awarded promotions. The link to this fake document was shared through the WhatsApp messaging platform.

Indian cybersecurity experts believe that the culprits behind these attacks are nation-backed hackers, since the campaign attempts to exfiltrate critical information from the defence sector. However, the researchers could not attribute the attack to a specific state-sponsored threat group because of a lack of findings.

Other experts believe that the geopolitical situation in South Asia has played a major role in these attacks, as India has consistently been targeted by numerous attacks originating from its neighbours.

In a related incident, another Indian entity was also breached this month: a data leak website revealed that someone had infiltrated the Swachata Platform and stolen approximately 16 million user records.
