Cyble-Balochi-Spyware-Targets-Android-Users

Fake Balochi Shayri App Masquerading As Legitimate Application Appears To Be Affecting Ethnic Balochi Users

Threat Actors use various ingenious methods and models to target users in a specific region. These methods and models include uploading a malicious application in a popular app store that masquerades as a legitimate application. This blog puts a spotlight on one such malicious application found during our surface web hunt.

Cyble Research Labs came across a Twitter post wherein researchers mentioned an Android Spyware found in Pakistan. The sample on VirusTotal was uploaded from Pakistan. This Android Malware calls itself “مقبوضہ بلوچستان نیوز” or “Balochi Shayri,” which tricks users into thinking that this application is similar to its legitimate counterpart that is available on the Google Play Store. It also has an icon like the legitimate one.

This application has no user interface (UI). It operates in the background to perform malicious activities for stealing sensitive data like Contacts data, SMS data, and files from the device’s external storage. In addition, it can also capture pictures from the camera, record calls, and take screenshots.

Technical Analysis

APK Metadata Information

  • App Name: Balochi Shayri or مقبوضہ بلوچستان نیوز
  • Package Name: com.livetv.stream.channal
  • SHA256 Hash: afc9fbb1ff8cfdd79a781bf493dc426bb059916debbb98c1b7c20a9d0f24a5f7

Figure 1 shows the metadata information of the application.

Figure 1 Metadata Information

Figure 2 shows the Malware having a similar icon and name as the legitimate Balochi Shayri application hosted on the Google Play Store.

Figure 2 App Icon and Name

Manifest Description

The malware requests twenty-three different permissions, of which the attackers could abuse thirteen permissions. In this case, the Malware can:

  • Read SMS, Call Logs, and Contacts data.
  • Receive SMSs.
  • Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
  • Read or write the files on the device’s external storage.
  • Record audio.
  • Get connected network information.
  • Get the device’s location.

We have listed the dangerous permissions below.

| Permission | Description |
|---|---|
| READ_SMS | Access phone’s messages |
| READ_CONTACTS | Access phone’s contacts |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_CALL_LOG | Access phone call logs |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone |
| ACCESS_NETWORK_STATE | Allows the app to get information about network connections |
| ACCESS_WIFI_STATE | Allows the app to get information about Wi-Fi connectivity |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device from network sources such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |

Table 1 Permissions’ Description

Figure 3 shows the launcher activity of the Malware.

Figure 3 Launcher Activity

The figure below shows that the Malware has defined services that can be used to read the GPS location of the device.

Figure 4 Service to Get Location

The figure below shows that the Malware has defined services that can be used to record calls.

Figure 5 Call Record Service

The figure below shows that the Malware has defined services that can be used to read notification data on the device.

Figure 6 Service to Read Notifications
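
The manifest traits described above can be checked during triage of a decoded AndroidManifest.xml. The following is an added example, not code from the sample or from Cyble: the function name, the grouping of the Table 1 permissions, the review threshold, and the sample manifest are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
NOTIF_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# The thirteen Table 1 permissions, grouped by capability (grouping is ours).
GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS"},
    "contacts_calls": {"READ_CONTACTS", "READ_CALL_LOG", "GET_ACCOUNTS"},
    "phone_state": {"READ_PHONE_STATE"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "audio": {"RECORD_AUDIO"},
    "network": {"ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"},
    "location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
}

def triage_manifest(xml_text):
    """Return the Table 1 permissions and notification listeners a manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID + "name", "").rsplit(".", 1)[-1]
                 for el in root.iter("uses-permission")}
    hits = {g: sorted(p & requested) for g, p in GROUPS.items() if p & requested}
    # A service guarded by this bind permission is a notification listener.
    listeners = [s.get(ANDROID + "name") for s in root.iter("service")
                 if s.get(ANDROID + "permission") == NOTIF_BIND]
    return {
        "risky_permissions": sorted(p for ps in hits.values() for p in ps),
        "capability_groups": sorted(hits),
        "notification_listeners": listeners,
        # Assumed threshold: broad collection combined with notification access.
        "review": len(hits) >= 5 and bool(listeners),
    }

# Constructed sample manifest (not the analysed sample's real manifest).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ExampleNotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A manifest that trips this check is a candidate for manual review, not a verdict; many legitimate apps request several of these permissions.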

Source Code Description

The code snippets shown in Figures 7, 8, 9, and 10 show that the Malware steals the device’s Contacts data and uploads it to the C2 server.

  • The below figure shows that the Spyware reads the contacts data such as Mobile numbers, Names, and Email IDs.
Figure 7 Reads Contact Data
  • The below figure shows that the Spyware passes the contacts data to the method sendData.
Figure 8 Passes the Data to the sendData Method
  • The figure below shows the sendData method where the contacts data is sent to the server using a socket.
Figure 9 Uses socket to Upload Data to the Server
  • The below figure shows that the data has been uploaded to the C2 server URL stored in a variable called SERVERIP and port number in SERVERPORT.
Figure 10 URL Stored in Variable SERVERIP

The code shown in Figure 11 shows the malware stealing the device’s SMS data, such as the address from which communication is happening and the message content, and uploading it to the C2 server.

Figure 11 Steals SMS Data

The code shown in Figure 12 demonstrates that the Malware steals the device’s location data.

Figure 12 Reads Location

The code shown in Figure 13 demonstrates that the Malware steals the device’s CallLogs.

Figure 13 Reads CallLog

Figure 14 demonstrates that the Malware records the ongoing call on the device.

Figure 14 Records Ongoing Call

The code depicted in Figure 15 demonstrates that the malware extracts and uploads sensitive information from notifications to the C2 server.

Figure 15 Steals Notification Data

The below code shows that the Malware reads the device’s external storage and can upload the data to the C2 server. Refer to Figure 16.

Figure 16 Reads External Storage

Figure 17 shows that the Malware can search for a particular file type in the device’s external storage and upload it to the C2 server.

Figure 17 Searches for Particular File Type

As shown in Figure 18, the Malware gets the device’s information such as IMEI number, mobile number, cellular network-related information, country code, operator name, serial number, etc.

Figure 18 Reads Device Info

The code shown in Figure 19 shows that the Malware can send SMS without the user’s knowledge.

Figure 19 Sends SMS

The code below shows that the Malware takes screenshots of the device.

Figure 20 Takes Screenshots

Figure 21 shows that the Malware captures images from the device’s camera.

Figure 21 Capture Images

The Malware performs its activities on the commands given by the Threat Actors. The below table shows some of the commands used by the TAs.

| Command | Description |
|---|---|
| smsmons | Unregister SMS Service |
| calsre | Set Call Record |
| clping | Ping to C2 Server |
| lntwok | Send location from network |
| notifi | Send Notification |
| recpth | Send Record Path |
| stoast | Show toast |
| capscrns | Capture screen |

Table 2 Commands Used by the TAs
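
The command strings in Table 2, together with the sample's SHA256, can be used to sweep a collection of APKs. The following is an added example, not code from the sample or from Cyble: it assumes the commands are stored as plain strings in classes*.dex, and the function names, the `min_hits` threshold, and the in-memory test APK are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Values taken from the article: the sample's SHA256 and the Table 2 commands.
KNOWN_SHA256 = "afc9fbb1ff8cfdd79a781bf493dc426bb059916debbb98c1b7c20a9d0f24a5f7"
COMMANDS = ["smsmons", "calsre", "clping", "lntwok",
            "notifi", "recpth", "stoast", "capscrns"]

def dex_item(s):
    """Encode s as a DEX string_data_item: ULEB128 length, bytes, NUL.
    Matching the whole item keeps 'notifi' from firing on 'notification'."""
    return bytes([len(s)]) + s.encode("ascii") + b"\x00"

def scan_apk(apk_bytes, min_hits=4):
    """Report a hash match and which command strings appear in classes*.dex."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                data = apk.read(name)
                found.update(c for c in COMMANDS if dex_item(c) in data)
    return {
        "sha256_match": hashlib.sha256(apk_bytes).hexdigest() == KNOWN_SHA256,
        "commands": sorted(found),
        # min_hits is an assumed threshold; a single token is weak evidence.
        "suspicious": len(found) >= min_hits,
    }

def build_constructed_apk(strings):
    """Build an in-memory zip with a fake classes.dex (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        body = b"".join(dex_item(s) for s in strings)
        z.writestr("classes.dex", b"dex\n035\x00" + body)
    return buf.getvalue()

if __name__ == "__main__":
    apk = build_constructed_apk(["clping", "calsre", "stoast", "capscrns"])
    print(scan_apk(apk))
```

The hash only identifies this exact file, while the string check can surface rebuilt variants that keep the same command set; a variant that encrypts or renames its command strings will pass both checks.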

Observations

In September 2019, another malware-infected Android app was reported/discovered: RB (Radio Balouch) Music. The malicious APK was using AhMyth RAT (https://github.com/AhMyth/AhMyth-Android-RAT) and was performing the following activities:

The data was uploaded to a C2 server, hxxp://radiobalouch[.]com. The app was a legitimate music player and Spyware at the same time.

These apps are primarily used by Baloch people, who are native to the border regions of Afghanistan, Iran, and Pakistan. They constitute 52% of the population of the Balochistan province of Pakistan (Census 2011).

The province has been under low-intensity insurgency by the Baloch nationalists, and the Government of Pakistan has been trying to suppress the uprising. With the announcement of the China Pakistan Economic Corridor (CPEC), a behemoth infrastructure project, a surge in uprisings has been reported from the province.

Based on the pattern of these malicious apps and the data they were collecting, we can categorize them as Spyware.

Repeated and deliberate attempts to steal user information and activity from an insurgency-affected region and the sophisticated nature of these apps suggest possible state actors involved in reconnaissance and surveillance of users from the region.

Conclusion

مقبوضہ بلوچستان نیوز is a Spyware that targets users, and we speculate that the infected users are Balochis. It steals various sensitive information from the device, such as Contacts data, SMS, call logs, and files, and it records calls, captures pictures, and takes screenshots of the device without the user’s knowledge.

Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.

Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid exposure to such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Download and install software only from official app stores like Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Users should be careful while enabling any permissions on their devices.
  • If you find any suspicious applications on your device, uninstall or delete them immediately.
  • Use the shared IOCs to monitor and block the malware infection. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Keep your Android device, OS, and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Execution | T1575 | Native Code |
| Persistence | T1402 | Broadcast Receivers |
| Defense Evasion | T1508 | Suppress Application Icon |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1433 | Access Call Log |
| Collection | T1517 | Access Notifications |
| Collection | T1429 | Capture Audio |
| Collection | T1512 | Capture Camera |
| Collection | T1533 | Data from Local System |
| Collection | T1513 | Screen Capture |
| Impact | T1447 | Delete Device Data |

Indicators of Compromise (IOCs)  

| Indicators | Indicator type | Description |
|---|---|---|
| afc9fbb1ff8cfdd79a781bf493dc426bb059916debbb98c1b7c20a9d0f24a5f7 | SHA256 | Malicious APK |
| 173.249.50.34-shareboxs[.]net | URL | URL used to upload device data (advise to monitor) |

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com
