November 10, 2023 at 12:45AM
A watering hole attack has targeted Urdu-speaking readers in the Gilgit-Baltistan region via the Hunza News website. The attack delivers a new spyware called Kamran, which is disguised as an Android app. The malware collects sensitive information from infected devices and uploads it to a command-and-control server. Kamran lacks remote control capabilities and repeatedly sends the same data to the server. The source of the attack is unknown.
Key Takeaways:
– Urdu-speaking readers of a regional news website catering to the Gilgit-Baltistan region have been targeted in a watering hole attack.
– The attack leverages the website Hunza News to prompt Urdu-speaking users to install an Android app that contains a previously undocumented spyware named Kamran.
– At least 20 mobile devices have been compromised by the attack so far.
– The malicious app requests intrusive permissions upon installation, allowing it to harvest sensitive information from the devices.
– The collected data, including contacts, call logs, calendar events, location information, files, SMS messages, photos, installed apps, and device metadata, is uploaded to a command-and-control server hosted on Firebase.
– Kamran lacks remote control capabilities and repeatedly sends the same information to the server.
– The app has not been attributed to any known threat actor or group.
– To install the app, users are required to enable the option to install apps from unknown sources.
– The app has never been offered through the Google Play store; it is downloaded from an unidentified source, which Google refers to as unknown.