Kamran spyware targets mobile devices in Gilgit-Baltistan

November 16, 2023

A targeted watering hole attack using the stealthy Kamran spyware targets Urdu-speaking users who access a popular regional news website catering to the Gilgit-Baltistan region.

According to reports, the campaign employs this previously undocumented Android spyware to compromise the security of mobile devices, and it focuses on the Urdu version of the Hunza News website (urdu.hunzanews[.]net).

Users who visit this site on their mobile devices are instructed to install an Android application directly from the website. The seemingly harmless app is malicious, since it contains the Kamran spyware.

At least 20 mobile devices are confirmed to have fallen victim to the attack between January 7 and March 21, 2023. Some researchers explained that this campaign coincides with widespread protests in the region over land rights, taxation, and persistent power cuts.

 

The Kamran spyware enables its capabilities by acquiring critical permissions.

 

Once installed, the Kamran spyware can activate its espionage capabilities by requesting intrusive permissions.

These privileges could allow it to extract sensitive information from compromised devices, including contacts, call logs, calendar events, location data, files, SMS messages, photos, a list of installed apps, and device metadata. The spyware then exfiltrates the collected data to an attacker-controlled command-and-control (C2) server hosted on Firebase.

However, the Kamran spyware lacks remote control capabilities and has a straightforward design. The spyware sends the same information repeatedly to the command-and-control server whenever the victim opens the app, without any mechanism to track previously transmitted data.

Surprisingly, Kamran’s origin remains a mystery since no known threat actor or group claims responsibility for its development.

Security researchers emphasised that Kamran is not available on the Google Play store; instead, it requires its users to enable the installation of apps from unknown sources. This stealthy distribution method further underscores the discreet nature of the spyware.
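As an added example (not from the researchers or the original report), the two traits described above, installation from outside Google Play and requests for permissions covering many sensitive data categories, can be combined into a simple device-inventory triage. The permission mapping, package names, threshold and inventory are assumptions constructed for illustration; the article does not list the exact permissions Kamran requests.

```python
# Assumed mapping from the article's data categories to standard Android
# permissions; the article does not list the permissions Kamran requests.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files/photos": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.READ_MEDIA_IMAGES"},
    "sms": {"android.permission.READ_SMS"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play store client


def categories_requested(permissions):
    """Return the sorted data categories covered by a permission list."""
    perms = set(permissions)
    return sorted(c for c, p in CATEGORY_PERMISSIONS.items() if perms & p)


def triage(inventory, min_categories=4):
    """Flag non-store apps requesting >= min_categories sensitive categories."""
    findings = []
    for app in inventory:
        if app.get("installer") in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        cats = categories_requested(app.get("permissions", []))
        if len(cats) >= min_categories:
            findings.append((app["package"], cats))
    return findings


P = "android.permission."
# Constructed inventory (hypothetical packages); installer None = no store recorded.
SAMPLE_INVENTORY = [
    {"package": "example.store.messenger", "installer": "com.android.vending",
     "permissions": [P + "READ_CONTACTS", P + "READ_SMS", P + "READ_CALL_LOG",
                     P + "ACCESS_FINE_LOCATION"]},
    {"package": "example.sideloaded.news", "installer": None,
     "permissions": [P + "READ_CONTACTS", P + "READ_CALL_LOG", P + "READ_SMS",
                     P + "READ_CALENDAR", P + "ACCESS_FINE_LOCATION",
                     P + "READ_EXTERNAL_STORAGE"]},
    {"package": "example.sideloaded.game", "installer": None,
     "permissions": [P + "ACCESS_COARSE_LOCATION"]},
]
if __name__ == "__main__":
    for package, cats in triage(SAMPLE_INVENTORY):
        print(f"{package}: sideloaded, requests {', '.join(cats)}")
```

A hit is a prompt for manual review, not a verdict: legitimate sideloaded apps can request the same permissions.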

The new Kamran spyware shows that threat actors continue to upgrade their tactics to compromise the privacy and security of unsuspecting users in specific regions. Urdu-speaking individuals in Gilgit-Baltistan should remain vigilant and cautious when accessing online content to safeguard against the new Kamran spyware.
