Trojanized versions of a number of Android applications marketed primarily to users in Pakistan, including a malicious copy of the well-known Pakistan Citizen Portal app, have been discovered, according to Sophos, an AI-powered cybersecurity firm.
According to Sophos, while legitimate versions of these applications are available on Play Store, the Trojanized versions have been modified by adding malicious features to perform covert surveillance and espionage.
The Trojanized applications look and behave much like their legitimate counterparts. However, after installation, they download a payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious functionality, including the ability to exfiltrate sensitive user data such as contact lists and SMS contents. The stolen data is then sent to one of a small number of command-and-control websites hosted on servers located in Eastern Europe.
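The behaviour described above (an app that stays quiet until it loads a second-stage DEX at runtime, then reads contacts and SMS) leaves static traces that a defender can triage before dynamic analysis. The script below is an added example, not code from the article or from Sophos. It assumes a standard zip-based APK layout, uses marker strings chosen for this example (the Dalvik class-loader descriptors and the contacts/SMS permission names), and runs on a constructed sample APK rather than any real malware sample. A hit is a reason to look closer, not proof of malice: plenty of legitimate apps load code dynamically.

```python
import io
import re
import zipfile

# Descriptor strings that appear in classes.dex when the app references a
# runtime class loader (the capability needed to run a downloaded DEX).
DYNAMIC_LOAD_MARKERS = [
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
]

# Permissions that match the data the article says is exfiltrated.
SENSITIVE_PERMISSIONS = [
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
]


def _encodings(s):
    # The binary AndroidManifest.xml keeps its string pool in UTF-16LE on
    # most builds and UTF-8 on some, so search for both encodings.
    return [s.encode("utf-16-le"), s.encode("utf-8")]


def triage_apk(apk_bytes):
    """Scan an APK (given as bytes) and return a dict of static findings."""
    findings = {"dynamic_loading": [], "sensitive_permissions": [], "extra_dex": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for n in names:
            # Normal code lives in classes.dex, classes2.dex, ...; a .dex or
            # .jar under assets/ or res/raw/ is a common place to stage a payload.
            if re.search(r"\.(dex|jar)$", n) and not re.fullmatch(r"classes\d*\.dex", n):
                findings["extra_dex"].append(n)
            if re.fullmatch(r"classes\d*\.dex", n):
                data = z.read(n)
                for marker in DYNAMIC_LOAD_MARKERS:
                    if marker.encode() in data and marker not in findings["dynamic_loading"]:
                        findings["dynamic_loading"].append(marker)
        if "AndroidManifest.xml" in names:
            manifest = z.read("AndroidManifest.xml")
            for perm in SENSITIVE_PERMISSIONS:
                if any(enc in manifest for enc in _encodings(perm)):
                    findings["sensitive_permissions"].append(perm)
    return findings


def risk_label(findings):
    """Combine findings: loader capability plus a staged DEX or sensitive
    permissions is the pattern worth a manual look."""
    loader = bool(findings["dynamic_loading"])
    if loader and (findings["extra_dex"] or findings["sensitive_permissions"]):
        return "review"
    if loader or findings["extra_dex"]:
        return "low"
    return "none"


def build_sample_apk():
    """Constructed sample APK for this example; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = b"".join(
            p.encode("utf-16-le")
            for p in ("android.permission.READ_SMS", "android.permission.READ_CONTACTS")
        )
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"Ldalvik/system/DexClassLoader;\x00")
        z.writestr("assets/update.dex", b"dex\n035\x00")  # staged second stage
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    print(result)
    print("risk:", risk_label(result))
```

To run this against a real file, pass the bytes of the APK to `triage_apk`; the constructed sample is only there so the script runs offline.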
Here are the names of the Trojanized applications (hacked copies) identified by Sophos. Note that the legitimate counterparts of these applications are available on the Play Store.
- Pakistan Citizen Portal
- Pakistan Salat Time
- Mobile Packages Pakistan
- Registered SIMs Checker
- Pakistan Chat
- TPL Insurance
Sophos has argued that the selection of applications is extremely strange. Apart from Pakistan Citizen Portal, the applications are neither the most popular nor particularly unique.
It added that there is no indication that the publishers of the original applications are aware that these Trojanized versions even exist.
Pakistan Citizen Portal
Soon after assuming office in 2018, PM Imran Khan launched the Pakistan Citizen Portal, aiming to connect Pakistani citizens directly with over 8600 government departments.
The website of the legitimate Pakistan Citizen Portal falls under the .gov.pk domain, which is hosted in Pakistan, while the legitimate Android and iOS applications of the project, developed by NITB, are available on the Play Store and App Store respectively.
However, the Trojanized version of the Pakistan Citizen Portal is hosted at the website pmdu.info, a domain registered for the first time in August 2019. This site is hosted on the IP address 22.214.171.124, an IP address that geolocates to the Netherlands.
Despite possessing a TLS certificate, the PMDU website is shambolic. Its banner image at the top of the page remains broken and has glaring spelling errors.
While following links obtained from the info page of the PMDU website, Sophos noticed that the link to the malware had also been hosted on the website of the Trading Corporation of Pakistan (TCP), an official Pakistani government body that comes under the Ministry of Commerce.
The address of the PMDU website hosting the malicious Pakistan Citizen Portal Android application was prominently displayed in one of a series of rotating banners at the top of the TCP website. The link was not clickable, as the entire banner was one large static image.
Surprisingly, on 10 January, the TCP webpage was replaced with just a single line of text: Hacked by 9bandz.
Note that a user of a crimeware forum with the same username had also posted an advertisement in December 2020 offering government web shells with full access to directories and files.
Via: Sophos Labs