Global cybersecurity experts and digital privacy company Kaspersky have announced that overall cyber threats in Pakistan increased by 17% in 2024 compared to the previous year. Cybersecurity researchers have also uncovered a new spyware operation targeting users in Pakistan that uses trojanized versions of authorized Android apps to carry out undercover surveillance and espionage.
Once installed, these apps request intrusive permissions, including access to contacts, file system, location, microphone, and read SMS messages, allowing them to collect a wide range of data on a victim’s device. In this research article, our Tashheer research team will compile a list of some trojanized apps that secretly spy on users in Pakistan. If you are facing any security issues and want to file a complaint against cybercrime in Pakistan, learn how to file a complaint against cybercrime for effective recourse and support.
Trojanized Android Apps and Their Features
Spyware masquerades as apps like Pakistan Citizen Portal, Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance. These malicious versions secretly download a payload as an Android Dalvik executable (DEX) file, concealing their operations. The stolen data can have serious consequences, which means it can be used for Identity Theft, Targeted Scams, and Information Leaks. Sophos threat researchers Andrew Brandt and Pankaj Kohli said, “The DEX payload contains most of the malicious features, which can covertly exfiltrate sensitive data like the user’s contact list and the full content of SMS messages.” This app then sends this secret information to one of a few command-and-control websites hosted on servers that people in Eastern Europe control.
Surprisingly, a fake website pretending to be the Pakistan Citizen Portal was displayed as a static image on the Trading Corporation of Pakistan (TCP) website. Learn how to register your complaint on the Pakistan Citizen Portal (PCP) for efficient grievance resolution and government assistance.
They put it there like a picture, an apparent attempt to deceive people into downloading a harmful app without knowing. If you visit the TCP website (tcp.gov.pk) right now, you will see a message “Down for Maintenance.” In addition to the apps mentioned above, Sophos researchers also uncovered a separate app called Pakistan Chat that didn’t have a benign analog distributed via the Google Play Store. However, this app used the API of a legitimate chat service called ChatGum.
Implications of the Spyware
One of the main aims of all these apps is to conduct covert surveillance and exfiltrate data from a target device. In addition to sending the unique IMEI identifier, the DEX payload transmits detailed profile info, location data, contact lists, text messages, call logs, and directory listings from the device’s storage. Troublingly, these malicious Pakistan Citizen Portal apps also transmit sensitive information such as user’s computerized national identity card (CNIC) numbers, passport details, and Facebook and other account usernames and passwords. Explore the expertise of the Top 7 Cybersecurity Consulting Companies in Pakistan for robust security solutions and consultation services.
Pankaj Kohli said, “The spying and covert surveillance capability of all these modified Android apps highlight the risks of spyware to smartphone users worldwide.”
Cybersecurity Concerns
Cyber adversaries target mobile devices not only to steal sensitive and personal information but also because they give access to real-time windows into people’s lives, movements, physical locations, and even live conversations that can be heard within the listening range. If anything, the development is another reason why users must stick to trusted sources to download third-party apps, verify if a genuine developer builds an app and carefully scrutinize app permissions before installation.
The researchers concluded, “In the current Android ecosystem, apps are signed with codes to prove they come from a real source, linking the app to its developer. Unfortunately, Android doesn’t effectively notify users when a signed app’s certificate isn’t valid. Consequently, users lack a straightforward method to verify if an app truly comes from its legitimate developer.” They continued, “The existence of many app stores and the freedom of users to download an app from practically anywhere makes it even harder to combat such threats.” Discover the 8 Best WiFi Cracking Apps for Android to enhance your network security testing capabilities.
Recommendations for Users
The threat actors likely used targeted honey-trap romance scams to attract their victims, initially contacting them on another platform and then convincing them to switch to a trojanized chat app.
ESET researcher Lukáš Štefanko advises, “Cybercriminals are adept at using social engineering as a powerful weapon to trick users. We strongly recommend against clicking any link to download an app shared in a chat conversation. It can be hard to stay immune to spurious romantic advances, but always being vigilant pays off.”
Here is a list of some additional recommendations on how to stay safe:
| Guideline | Description |
|---|---|
| Download from Official Stores | Only download apps from the Google Play Store or authorized app stores. |
| Check Reviews and Permissions | Read reviews and scrutinize app permissions before downloading. |
| Use Antivirus Software | Install a reputable antivirus app to detect and block potential threats. |
| Keep Software Updated | Regularly update the operating system and apps of your phone to patch security vulnerabilities. |
| Be Aware of Unfamiliar Apps | If an app seems too good to be true, it probably is. Do your research before installing. |
Final Words
About the Author: Alishba
