Threat Actors use various ingenious methods and models to target users in a specific region. These methods and models include uploading a malicious application in a popular app store that masquerades as a legitimate application. This blog puts a spotlight on one such malicious application found during our surface web hunt.
Cyble Research Labs came across a Twitter post wherein researchers mentioned an Android Spyware found in Pakistan. The sample on Virus Total was uploaded from Pakistan. This Android Malware calls itself “مقبوضہ بلوچستان نیوز” or “Balochi Shayri,” which tricks users into thinking that this application is similar to its legitimate counterpart that is available Google Play Store. It also has an icon like the legitimate one.
This application has no user interface (UI). It operates in the background to perform malicious activities for stealing sensitive data like Contacts data, SMS data, and files from the device’s external storage. In addition, it can also capture pictures from the camera, record calls, and take screenshots.
Technical Analysis
APK Metadata Information
- App Name: Balochi Shayri or مقبوضہ بلوچستان نیوز
- Package Name: com.livetv.stream.channal
- SHA256 Hash: afc9fbb1ff8cfdd79a781bf493dc426bb059916debbb98c1b7c20a9d0f24a5f7
Figure 1 shows the metadata information of the application.
Figure 2 shows the Malware having a similar icon and name as the legitimate Balochi Shayri application hosted on the Google Play Store.
Manifest Description
The malware requests twenty-three different permissions, of which the attackers could abuse thirteen permissions. In this case, the Malware can:
- Read SMS, Call Logs, and Contacts data.
- Receive SMSs.
- Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
- Read or write the files on the device’s external storage.
- Record audio.
- Gets connected network information.
- Get the device’s location.
We have listed the dangerous permissions below.
| Permissions | Description |
| READ_SMS | Access phone’s messages |
| READ_CONTACTS | Access phone’s contacts |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_CALL_LOG | Access phone call logs |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone |
| ACCESS_NETWORK_STATE | Allows the app to get information about network connections |
| ACCESS_WIFI_STATE | Allows the app to get information about Wi-Fi connectivity |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
Figure 3 shows the launcher activity of the Malware.
The figure below shows that the Malware has defined services that can be used to read the GPS location of the device.
The below figure shows that Malware has defined services that can be used to record calls.
The figure below shows that the Malware has defined services that can be used to read notification data on the device.
Source Code Description
The code snippets shown in Figures 7, 8, 9, and 10 show that the Malware steals device’s Contacts data and upload to the C2 server.
- The below figure shows that the Spyware reads the contacts data such as Mobile numbers, Names, and Email IDs.
- The below figure shows that the Spyware passes the contacts data to the method sendData.
- The figure below shows the sendData method where the contacts data is sent to the server using socket.
- The below figure shows that the data has been uploaded to the C2 server URL stored in a variable called SERVERIP and port number in SERVERPORT.
The code shown in Figure 11 shows the malware stealing device’s SMS data, such as the address from which communication is happening and message content and upload to the C2 server.
The code shown in Figure 12 demonstrates that the Malware steals the device’s location data.
The code shown in Figure 13 demonstrates that the Malware steals the device’s CallLogs.
Figure 14 demonstrates that the Malware records the ongoing call on the device.
The code depicted in Figure 15 demonstrates that the malware extracts and uploads sensitive information from notification to the C2 server.
The below code shows that the Malware reads the device’s external storage and can upload the data to the C2 server. Refer to Figure 16.
Figure 17 shows that the Malware can search the particular file type in the device’s external storage and upload it to the C2 server.
As shown in Figure 18, the Malware gets the device’s information such as IMEI number, mobile number, cellular, related network information, country code, operator name, serial number, etc.
The code shown in Figure 19 shows that Malware can send SMS without the user’s knowledge.
The code below showcases the Malware takes screenshots of the device.
Figure 21 shows that the Malware captures images from the device’s camera.
The Malware performs its activities on the commands given by the Threat Actors. The below table shows some of the commands used by the TAs.
| Command | Description |
| smsmons | Unregister SMS Service |
| calsre | Set Call Record |
| clping | Ping to C2 Server |
| lntwok | Send location from network |
| notifi | Send Notification |
| recpth | Send Record Path |
| stoast | Show toast |
| capscrns | Capture screen |
Table 2 Commands Used by the TAs
Observations
In September 2019, another malware-infected Android App was reported/discovered- RB (Radio Balouch) Music. The malicious apk was using AhMyth RAT (https://github.com/AhMyth/AhMyth-Android-RAT) and was performing the following activities:
The data was uploaded to a C2 server- hxxp://radiobalouch[.]com. The app was a legitimate music player and Spyware at the same time.
These apps are primarily used by Baloch people, who are ethnic to the borders of Afghanistan, Iran, and Pakistan. They constitute 52% of the population of the Balochistan province of Pakistan (Census 2011).
The province has been under low-intensity insurgency by the Baloch nationalists, and the Government of Pakistan has been trying to suppress the uprising. With the announcement of the China Pakistan Economic Corridor (CPEC), a behemoth infrastructure project, a surge in uprisings has been reported from the province.
The pattern of these malicious apps and by looking at the data they were collecting, we can categorize these malicious apps as Spyware.
Repeated and deliberate attempts to steal user information and activity from an insurgency-affected region and the sophisticated nature of these apps suggest possible state actors involved in reconnaissance and surveillance of users from the region.
Conclusion
مقبوضہ بلوچستان نیوز is a Spyware that targets users, and we speculate that the infected users are Balochis. It steals various sensitive information from the device such as Contacts data, SMS, call logs, files, records calls, capture pictures, and takes screenshots of the device without the user’s knowledge.
Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.
Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid exposure to such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Users should be careful while enabling any permissions on their devices.
- If you find any suspicious applications on your device, uninstall, or delete them immediately.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Android device, OS, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1444 T1476 | -Masquerade as Legitimate Application -Deliver Malicious App via Other Means |
| Execution | T1575 | -Native Code |
| Persistence | T1402 | -Broadcast Receivers |
| Defense Evasion | T1508 | -Supress Application Icon |
| Collection | T1412 T1432 T1433 T1517 T1429 T1512 T1533 T1513 | -Capture SMS Messages -Access Contacts List -Access Call Log -Access Notifications -Capture Audio -Capture Camera -Data from Local System -Screen Capture |
| Impact | T1447 | -Delete Device Data |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| afc9fbb1ff8cfdd79a781bf493dc426bb059916debbb98c1b7c20a9d0f24a5f7 | SHA256 | Malicious APK |
| 173.249.50.34-shareboxs[.]net | URL | URL used to upload device data (advise to monitor) |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.