
Indian Army Personnel Face Remote Access Trojan Attacks

Cyble Research Labs came across a Twitter post in which security researchers highlighted an Android malware that impersonates the legitimate ARMAAN application. The Army Mobile Aadhaar App Network (ARMAAN) is an umbrella application covering various facets of information and services for all ranks of the Indian Army, and the app is used only by Indian Army personnel. Threat Actors (TAs) have repackaged the legitimate ARMAAN app and inserted malicious code into it.

During our analysis, we observed that this malicious application reuses the icon, name, and even the source code of the legitimate ARMAAN app. To build it, the attackers added an extra package to the legitimate application's source code that implements the RAT functionality.

From our analysis, we concluded that upon successful execution, this malicious application can steal sensitive data from the victim's device, including contacts, call logs, SMSes, location data and files from external storage, and can record audio.

Recently, Cyble Research Labs came across another malicious Android app, this one disguised as HAMRAAZ. HAMRAAZ is an Android application developed for Indian Army personnel. The TAs have added malicious packages to the HAMRAAZ app in the same way.

We analyzed the malicious sample of the HAMRAAZ Android app and identified that the malicious package added to it is the same package found in the trojanized ARMAAN app. This strongly indicates that the same Threat Actors (TAs) are behind both malware.

Details of the malicious HAMRAAZ app analyzed in this section (SHA256): c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c

We observed that the malicious HAMRAAZ app retrieves its C&C address from the Pastebin URL hxxps://pastebin[.]com/rA219A98, which resolves to the C&C IP 173[.]212.254.151, as shown in the figure below.

Figure 1 – C&C Communication via Pastebin

Technical Analysis

APK Metadata Information

  • App Name:  ARMAAN
  • Package Name: in.gov.armaan
  • SHA256 Hash: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0

Figure 2 shows the metadata information of the application.

Figure 2 – App Metadata Information

The below figure shows the application icon and name displayed on the Android device.

Figure 3 – App Icon and Name

The malware asks the user for an Aadhaar number, which is also a feature of the legitimate ARMAAN application, as shown in the figure below.

Figure 4 – App Requests KYC Documents

When the user enters the Aadhaar number, the malware communicates with the official ARMAAN server to verify the account, as shown below.

Figure 5 – App Communicates to Legitimate Server

On comparing the legitimate ARMAAN application with the modified malicious one, we identified that the TAs added an extra package containing the malicious code, as shown in the figure below.

Figure 6 – Added Source Code Package in Malicious App

Manifest Description

The malware requests the user for 22 different permissions. Out of these, it abuses ten permissions. These dangerous permissions are listed below.

PermissionsDescription
READ_SMSAccess SMSes in the device database (DB).
RECEIVE_SMSIntercept SMSes received on the victim’s device
READ_CALL_LOGAccess Call Logs
READ_CONTACTSAccess phone contacts.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse.
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONAllows the app to get the device’s precise location using the Global Positioning System (GPS).
ACCESS_BACKGROUND_LOCATIONAllows an app to access location in the background.
ACCESS_WIFI_STATEAllows the app to get information about Wi-Fi connectivity.

We observed that the TAs added service and receiver entries to the manifest file of the malicious app, as shown in Figure 7.

Figure 7 – Added Entries in Manifest

The manifest also shows that the TAs added dangerous permission entries such as READ_CONTACTS, READ_CALL_LOG, RECORD_AUDIO and ACCESS_COARSE_LOCATION to the modified malicious ARMAAN application.

Figure 8 – Added Permissions Entry in Malicious APP
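The manifest comparison described above can be automated. The following Python script is an added example, not Cyble's tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or jadx) for the legitimate app and for the suspect build, and reports added permissions, added service/receiver/activity/provider entries, and any added component whose class lives outside the declared package, which is the "extra package" pattern the analysis describes. Both manifests below are constructed fixtures; the component class names (com.example.rat.*) are illustrative and are not taken from the samples.

```python
"""Diff a repackaged app's decoded AndroidManifest.xml against the legitimate one.

Added example; not Cyble's code. The two manifests are constructed fixtures
modelled on the article's description (package in.gov.armaan, extra
service/receiver entries, added dangerous permissions). The class names
under com.example.rat are placeholders, not names from the real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the article lists as abused by the RAT component.
ABUSED_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.ACCESS_WIFI_STATE",
}

# Constructed manifest of the legitimate app (illustrative).
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="in.gov.armaan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="ARMAAN">
    <activity android:name="in.gov.armaan.MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest of the repackaged app: same package, extra entries.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="in.gov.armaan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="ARMAAN">
    <activity android:name="in.gov.armaan.MainActivity"/>
    <service android:name="com.example.rat.MainService"/>
    <receiver android:name="com.example.rat.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_components(xml_text):
    """Return (package, permissions, components) from decoded manifest text.

    components is a set of (tag, class name) for service/receiver/activity/provider.
    """
    root = ET.fromstring(xml_text)
    package = root.get("package")
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    comps = set()
    for tag in ("service", "receiver", "activity", "provider"):
        for e in root.iter(tag):
            comps.add((tag, e.get(NAME_ATTR)))
    return package, perms, comps


def diff_manifests(legit_xml, suspect_xml):
    """Report what the suspect manifest adds relative to the legitimate one."""
    lpkg, lperms, lcomps = manifest_components(legit_xml)
    spkg, sperms, scomps = manifest_components(suspect_xml)
    added_perms = sperms - lperms
    added_comps = scomps - lcomps
    # Components whose class lives outside the declared package are the
    # "extra package" pattern the article describes.
    foreign = {c for c in added_comps if not c[1].startswith(spkg + ".")}
    return {
        "same_package": lpkg == spkg,
        "added_permissions": sorted(added_perms),
        "added_abused_permissions": sorted(added_perms & ABUSED_PERMISSIONS),
        "added_components": sorted(added_comps),
        "foreign_package_components": sorted(foreign),
    }


if __name__ == "__main__":
    for key, value in diff_manifests(LEGIT_MANIFEST, TROJANIZED_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it on the manifests apktool decodes from the genuine and suspect APKs; a build that keeps the package name but gains receivers bound to BOOT_COMPLETED and a cluster of the permissions above is the signature of a repackaged app rather than a new version.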

Source Code Review

Our static analysis indicates that, on commands from the C&C, the malware steals sensitive data such as contacts, SMSes and call logs, records audio, and takes pictures with the camera.

The malware stores its C&C IP 173[.]212.220.230 and port 3617 as a hardcoded array of ASCII values. At runtime it converts the array back into a string and uses the result for its C&C communication, as shown in Figure 9.

Figure 9 – Malware Communication
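Endpoints stored as integer arrays do not show up in a plain strings dump, so it is worth decoding them during triage. The following Python helper is an added example (not code from the sample or from Cyble): it scans decompiled Java for integer-array literals, decodes those whose values are all printable ASCII, and flags any that form an IPv4 address or a valid port number. The Java snippet it runs on is a constructed fixture that encodes the documentation address 192.0.2.1 and the port 3617 reported above, not the real C&C host.

```python
"""Find C&C endpoints hidden as integer arrays of ASCII codes in decompiled Java.

Added example; not from the article or the sample. SAMPLE_JAVA is a
constructed fixture mimicking the pattern described (an int[] of ASCII codes
rebuilt into a host string at runtime). It encodes 192.0.2.1 (RFC 5737
documentation address) and port 3617, not the real C&C IP.
"""
import re

# Java/Kotlin-style integer array literals: new int[]{49, 55, ...} or {49, 55}
ARRAY_RE = re.compile(r"\{\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\}")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)

SAMPLE_JAVA = """
public class NetConfig {
    static final int[] H = new int[]{49, 57, 50, 46, 48, 46, 50, 46, 49};
    static final int[] P = new int[]{51, 54, 49, 55};
    static final int[] FLAGS = {0, 1, 2, 255};
    static String host() { StringBuilder sb = new StringBuilder();
        for (int c : H) sb.append((char) c); return sb.toString(); }
}
"""


def decode_int_array(values):
    """Turn a list of ints into text if every value is printable ASCII, else None."""
    if not values or any(v < 0x20 or v > 0x7E for v in values):
        return None
    return "".join(chr(v) for v in values)


def find_encoded_endpoints(source):
    """Return [(kind, value)] for decoded arrays that look like an IPv4 or a port.

    kind is 'ipv4' or 'port'; arrays that decode to other text are ignored.
    """
    hits = []
    for match in ARRAY_RE.finditer(source):
        values = [int(x) for x in match.group(1).split(",")]
        text = decode_int_array(values)
        if text is None:
            continue
        if IPV4_RE.match(text):
            hits.append(("ipv4", text))
        elif text.isdigit() and 1 <= int(text) <= 65535:
            hits.append(("port", text))
    return hits


if __name__ == "__main__":
    for kind, value in find_encoded_endpoints(SAMPLE_JAVA):
        print(kind, value)
```

Run it over the whole jadx output directory rather than one file; the same trick is commonly applied to hostnames and URL paths, so extending the classifier with a hostname or URL regex is a natural next step. Plain strings-based IOC matching misses endpoints stored this way, which is why this decode step belongs alongside the usual string and hash checks.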

The getAlluserInfo() method has been used to collect the user’s device information such as phone number, device manufacturer’s details, etc., from the device, as shown in Figure 10.

Figure 10 – Collects User’s Information

The getAllSMS() method collects SMS data from the device, as shown in the figure below.

Figure 11 – Code to Collect SMSs

The getAllContacts() method collects contacts data from the device, as shown below.

Figure 12 – Code to Collect Contacts Data

The getAllCallLogs() method collects call log data from the device. Refer to Figure 13.

Figure 13 – Code to Collect Call logs

The code snippet in the image below collects the device's location data.

Figure 14 – Collects Location Data from the Device

The image below shows the code that collects images from the WhatsApp directory on the device and sends them to the server on command from the TAs.

Figure 15 – Steals Images from WhatsApp Directory

The sentMicRecording() method shown below records from the microphone and sends the recording to the server on command from the TAs. After the data is sent, the malware deletes the recording file.

Figure 16 – Records Mic

The figure below shows the malware's ability to capture images from the front and back cameras and send the captured images to the server on command from the TAs.

Figure 17 – Capture Images from Front and Back Camera

The malware collects document files from the device through the remainingDocumentFiles() method shown in the figure below.

Figure 18 – Code to Collect Document Files

Below are the commands used by the TAs to control the infected device:

Command   Description
D%r6t*    Get SMS data
s%7n@2    Get contacts data
i*g4#3    Get call log data
O@y7J&    Start mic recording
5w$I!7    Get document files
1^R$4t    Get images from the WhatsApp folder
j*7e@4    Take photos with the device camera

A website with the domain name hxxps://armaanapp[.]in was registered around a year ago. The TAs appear to have used this website to deliver malicious versions of the ARMAAN application, as shown in the figure below.

Figure 19 – Fake Website

Conclusion

The modified, malicious ARMAAN and HAMRAAZ apps pose a serious threat to the Indian Armed Forces. They perform RAT activities with the potential to steal Indian Army personnel's sensitive data, including contacts, call logs, SMSes, location and files from external storage, in addition to recording sensitive audio.

TAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them. This makes it imperative for users to install applications only after verifying their authenticity. Apps should be installed only via the official Google Play Store and other trusted portals to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1476          Deliver Malicious App via Other Means
Initial Access       T1444          Masquerade as Legitimate Application
Execution            T1575          Native Code
Collection           T1433          Access Call Log
Collection           T1412          Capture SMS Messages
Collection           T1432          Access Contact List
Collection           T1429          Capture Audio
Collection           T1512          Capture Camera
Collection           T1533          Data from Local System
Collection           T1430          Location Tracking
Command and Control  T1436          Commonly Used Ports

Indicators of Compromise (IOCs)

Indicator                                                          Indicator Type   Description
80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0   SHA256           Malicious ARMAAN APK
173[.]212.220.230:3617                                             IP Address       Malware communication IP
hxxps://pastebin[.]com/VfRCefzG                                    Pastebin URL     Used to provide the C&C IP to the malicious ARMAAN app
c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c   SHA256           Malicious HAMRAAZ APK
173[.]212.254.151                                                  IP Address       Malware communication IP
hxxps://pastebin[.]com/rA219A98                                    Pastebin URL     Used to provide the C&C IP to the malicious HAMRAAZ app
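The command tokens and the IOCs above are enough for a first-pass offline triage of a suspect APK. The following Python script is an added example rather than Cyble's tooling: it hashes the APK against the SHA256 IOCs, then scans every archive entry (including classes.dex) for the C&C command strings, Pastebin URLs and IP:port literals. The APK it runs on is built in memory from a constructed fake classes.dex, so its hash will not match a real IOC and the verdict comes from the command-token count; the Pastebin path and 192.0.2.10 endpoint in the fixture are placeholders.

```python
"""Offline triage of an APK against the article's hash IOCs and C&C command tokens.

Added example; not Cyble's code. The hashes and command tokens come from the
article. build_demo_apk() constructs a fake APK in memory for the demo; its
contents (Pastebin path, 192.0.2.10:3617) are placeholders, not real IOCs.
"""
import hashlib
import io
import re
import zipfile

IOC_SHA256 = {
    "80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0": "Malicious ARMAAN APK",
    "c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c": "Malicious HAMRAAZ APK",
}

# C&C command tokens from the article, mapped to the action each triggers.
COMMANDS = {
    b"D%r6t*": "get SMS",
    b"s%7n@2": "get contacts",
    b"i*g4#3": "get call logs",
    b"O@y7J&": "start mic recording",
    b"5w$I!7": "get document files",
    b"1^R$4t": "get WhatsApp images",
    b"j*7e@4": "take camera photos",
}

PASTEBIN_RE = re.compile(rb"https?://pastebin\.com/[A-Za-z0-9]+")
IPPORT_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def build_demo_apk():
    """Construct a fake APK (zip) whose classes.dex carries a few of the tokens."""
    dex = (b"dex\n035\x00" + b"\x00" * 16
           + b"D%r6t*\x00s%7n@2\x00O@y7J&\x00"
           + b"https://pastebin.com/ExAmPle0\x00"
           + b"192.0.2.10:3617\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='in.gov.armaan'/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Hash the APK, scan its entries for tokens/URLs/endpoints, return a summary."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    found_cmds, pastes, endpoints = set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for token, action in COMMANDS.items():
                if token in data:
                    found_cmds.add(action)
            pastes.update(m.decode() for m in PASTEBIN_RE.findall(data))
            endpoints.update(m.decode() for m in IPPORT_RE.findall(data))
    # Require several command tokens, not one: a single 6-byte token can
    # occur by chance in compressed resources.
    if digest in IOC_SHA256:
        verdict = "known_ioc_hash"
    elif len(found_cmds) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "sha256": digest,
        "ioc_match": IOC_SHA256.get(digest),
        "commands": sorted(found_cmds),
        "pastebin_urls": sorted(pastes),
        "endpoints": sorted(endpoints),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_apk(build_demo_apk()).items():
        print(f"{key}: {value}")
```

Replace build_demo_apk() with open(path, "rb").read() for a real file. The IP regex also matches version strings such as 1.2.3.4, so treat the endpoint list as leads to check against the IOC table, not as a verdict on its own; a re-signed or re-padded sample changes the hash, which is why the token scan runs regardless of the hash result.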
