Cyble-Indian-Army-Personnel-Under-Cyber-Attack

Indian Army Personnel Face Remote Access Trojan Attacks

Cyble Research Labs has come across a Twitter post wherein security researchers have brought to focus an Android malware that pretends to be the legitimate ARMAAN application. The Army Mobile Aadhaar App Network (ARMAAN) is an umbrella application covering various facets of information & services concerning all ranks of the Indian Army, and the app is used only by Indian Army personnel. Threat Actors (TAs) have customized the legitimate ARMAAN app and added malicious code into it.

During our analysis, we observed that this malicious application uses the icon, name, and even source code of the legitimate ARMAAN app. To create this malicious application, attackers have added an extra package in the legitimate application’s source code to enable it to perform RAT activities.

From our analysis, we concluded that upon successful execution, this malicious application could steal sensitive data such as contacts, call logs, SMSes, location, files from external storage, record audio, etc., from the victims’ devices.

Recently Cyble Research Labs has come across another malicious android app disguised as HAMRAAZ. The HAMRAAZ is an android application developed for Indian Army Personnel.  The TAs have added malicious packages into the HAMRAAZ app.

We analyzed the malicious sample of the HAMRAAZ Android app and identified that the malicious package used in ARMAAN and HAMRAAZ is the same. Therefore we can conclude that the Threat Actors (TAs) behind both malware are the same.

In this section, we have provided details of malicious HAMRAAZ app: c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c

We observed the malicious HAMRAAZ app uses Pastebin URL: hxxps://pastebin[.]com/rA219A98 to communicate with the C&C IP: 173[.]212.254.151 as shown in the below figure.

Figure 1 – C&C Communication via Pastebin

Technical Analysis

APK Metadata Information

  • App Name:  ARMAAN
  • Package Name: in.gov.armaan
  • SHA256 Hash: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0

Figure 2 shows the metadata information of the application.

Figure 2 – App Metadata Information

The below figure shows the application icon and name displayed on the Android device.

Figure 3 – App Icon and Name

The malware requests for Aadhar numbers, which is also a feature of the legitimate ARMAAN application, as shown in the figure below.

Figure 4 – App Requests KYC Documents

When the user inputs the AADHAAR number, the malware communicates with the official ARMAAN server to verify the account, as shown below.

Figure 5 – App Communicates to Legitimate Server

On comparing the legitimate ARMAAN application and the modified malicious ARMAAN application, we identified that the TAs have added an extra package containing malicious code, as shown in the figure below.

Figure 6 – Added Source Code Package in Malicious App

Manifest Description

The malware requests the user for 22 different permissions. Out of these, it abuses ten permissions. These dangerous permissions are listed below.

PermissionsDescription
READ_SMSAccess SMSes in the device database (DB).
RECEIVE_SMSIntercept SMSes received on the victim’s device
READ_CALL_LOGAccess Call Logs
READ_CONTACTSAccess phone contacts.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse.
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONAllows the app to get the device’s precise location using the Global Positioning System (GPS).
ACCESS_BACKGROUND_LOCATIONAllows an app to access location in the background.
ACCESS_WIFI_STATEAllows the app to get information about Wi-Fi connectivity.

We observed added services and receivers entries in the manifest file of the malicious app, as shown in Figure 7.

Figure 7 – Added Entries in Manifest

It is also observed in the manifest that the TAs have added dangerous permissions entries such as READ_CONTACTS, READ_CALL_LOG, RECORD_AUDIO, ACCESS_COARSE_LOCATION, etc. in modified malicious ARMAAN applications.

Figure 8 – Added Permissions Entry in Malicious APP

Source Code Review

Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, and Call logs, besides recording audio and taking pictures from the camera, etc., on commands from the C&C.

The malware uses a fixed hardcoded array containing the IP’s ASCII values: 173[.]212.220.230 and port: 3617 Details. The malware then converts and uses them for its C&C communication, as shown in Figure 9.

Figure 9 – Malware Communication

The getAlluserInfo() method has been used to collect the user’s device information such as phone number, device manufacturer’s details, etc., from the device, as shown in Figure 10.

Figure 10 – Collects User’s Information

Through the getAllSMS() method, we identified that the malware collects SMSs data from the device, as shown in the below figure.

Figure 11 – Code to Collect SMSs

The method getAllContacts() has been used to collect Contacts data from the device, as shown below.

Figure 12 – Code to Collect Contacts Data

Method getAllCallLogs() depicts the malware’s ability to collect Call logs data from the device. Refer to Figure 13.

Figure 13 – Code to Collect Call logs

The code snippet shown in the below image depicts the malware’s ability to collect the device’s location data from the device.

Figure 14 – Collects Location Data from the Device

The image shown below showcases the malware’s code that collects and sends images from the WhatsApp directory in the device to the server on commands from the TAs.

Figure 15 – Steals Images from WhatsApp Directory

The method sentMicRecording() shown in the below image depicts the malware’s ability to record mic and send the recorded data to the server on the TAs command. After the data is sent, the malware deletes the file.

Figure 16 – Records Mic

The below figure represents the malware’s ability to capture images from the front and back camera and send the recorded data to the server on the TAs command.

Figure 17 – Capture Images from Front and Back Camera

The malware collects the document files from the device through the remainingDocumentFiles() method shown in the figure below.

Figure 18 – Code to Collect Document Files

Below are the commands used by the TA to control the infected device:

CommandDescription
D%r6t*Get SMS data
s%7n@2Get Contacts data
i*g4#3Get Call logs data
O@y7J&Start mic recording
5w$I!7Get document files
1^R$4tGet images from the WhatsApp folder
j*7e@4Click photos from the device camera

A website with the domain name hxxps://armaanapp[.]in was registered around a year ago. It seems that TAs used this website to deliver malicious versions of the ARMAAN application, as shown in the below figure below.

Figure 19 – Fake Website

Conclusion

The modified, malicious ARMAAN and HAMRAAZ apps pose a serious threat to the Indian Armed Forces. It can perform RAT activities with the potential to steal Indian Army personnel’s sensitive data, including contacts, call logs, SMSs, Location, and files from external storage, in addition to the ability to record sensitive audio.

TAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them. This situation makes it imperative for users to install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1433Access Call Log
CollectionT1412Capture SMS Messages
CollectionT1432Access Contact List
CollectionT1429Capture Audio
CollectionT1512Capture Camera
CollectionT1533Data from Local System
CollectionT1430Location Tracking
Command and ControlT1436Commonly Used Ports

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0SHA256Malicious ARMAAN APK
173[.]212.220.230:3617IP AddressMalware Communication IP
hxxps://pastebin[.]com/VfRCefzGPastebin URLUsed to provide C&C IP to Malicious ARMAAN App
c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425cSHA256Malicious HAMRAAJ APK
173[.]212.254.151IP AddressMalware Communication IP
hxxps://pastebin[.]com/rA219A98Pastebin URLUsed to provide C&C IP to Malicious HAMRAAZ App
Scroll to Top