For your lunchtime* long read this afternoon, I'd like to point you to some work I'm quite proud of that was published today.

SophosLabs found what we now suspect may be an APT Android malware targeting people with a connection to Pakistan.
*in N America
news.sophos.com/en-us/2021/01/…
So I'm sure you're thinking like, hey, it's Pakistan, why should I care?

Let's get to the core of the problem with this question:

- nobody deserves to be hit with very intrusive surveillance
- Pakistan is a nuclear-armed nation in tense relationships with its neighbors

Here's the other problem with minimizing this because "this was just an attack on [not my country]"

The malware didn't actually care where you were located; all it wanted was every last piece of sensitive or personal data from the infected phone.

I ran it from the US.

Then there was the way the malware and its associated websites were thematically connected.

One of the malicious apps was called Pakistan Chat. The C2 for that malware was pakchat[.]online.

One was a fake version of "TPL Insurance." C2: tplinsurance[.]xyz

Not a coincidence.

The most OPSEC effort seems to have gone into the app for the Pakistan Citizen Portal. That's the Pakistani government's (legitimate, official) "file a complaint" app. The real version is on Google Play (shown here for comparison).

Because it's a semi-official government app, the Pakistani Citizen Portal requires you to provide things like National ID numbers and other identifying information. The malicious version steals all that, along with anything else it can scrape up.

Worse, we found a website hosting a download of the malicious Pakistan Citizen Portal app at pmdu[.]info. The page is decorated to look like the Google Play store page, but only produces the malicious version of the app when you click either the Google Play or Download button.

For a while we couldn't figure out how people were finding the malicious domain. We suspected someone might be spamming SMS messages to people in Pakistan. But then we also found that someone hacked and modified an official Pakistani government webpage to link to it.

Over the past weekend, the official government webpage that was linking to the malware was defaced and then went offline. The defacer apparently advertised in December that they are "selling government web shells with full access" to the files on the webserver.
So this has been a quite elaborate attack, in that the attackers:

- set up a fake website
- made an effort to make it look real
- hacked and very subtly modified a real Pakistani government website to link to the fake website
- registered domains thematically connected to apps

And now a lot of the trail leading back to the attackers is going cold, having been burned by our reporting and, possibly, by our repeated attempts to alert the Pakistani authorities to the problem.

There's a deeper problem that this highlights.

news.sophos.com/en-us/2021/01/…

Because the malware looks nothing like the more typical Android spyware apps we've researched in the past, I would welcome outside groups who investigate nation-state espionage attacks to take a look at the IoCs and reach out to me if you know anything.

github.com/sophoslabs/IoC…

The fact that the attackers went to great lengths to hide what they were doing behind a plausible facade, even using the names of legitimate Android code library classes to camouflage their malicious embedded code, speaks to the level of sophistication of the attackers. Sketchy.

One of the modified apps is a Muslim prayer clock, which can tell you the correct time to pray if you're observant. This app, like the others, wanted to know everyone you talked to, messaged with, and could turn on the mic and camera on demand - targeted at a specific religion.

We also found a handful of what appear to be prototype malicious apps (called "basicadvancesample") with similar features.

Be very careful only to download apps from legitimate app stores. If asked to sideload an app from somewhere else, I'd recommend against it.
