A malicious Android installation package has been spotted targeting Indian defense personnel since at least July 2021.
The news comes from a report from external threat landscape management platform Cyfirma, which the company shared with Infosecurity over the weekend.
“The APK [android package kit] file, in this case, is a decoy copy of a promotion letter to the ‘Subs Naik’ rank,” reads the technical write-up. “Once the victim falls prey to this malicious APK, and upon installation, this app appears as an Adobe Reader application icon (look-alike) on the device.”
Once installed, the app asks for several permissions, including camera, microphone, internet and storage. “Access to any one of these can be dangerous and catastrophic for national security,” Cyfirma wrote.
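A defender-side triage check for the pattern described above (an app labelled as a document reader that also requests camera, microphone, storage and internet), added here as an illustration and not taken from Cyfirma or the article. It assumes the APK has been decoded with apktool so that AndroidManifest.xml is plain XML; the two manifests and package names are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed triage heuristic (not Cyfirma's tooling): after decoding an APK with
# apktool, check whether AndroidManifest.xml labels the app as a document reader
# while it requests the camera/mic/internet/storage permissions the report lists.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CAPTURE_PERMS = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}
RAT_PERMS = CAPTURE_PERMS | {"android.permission.INTERNET",
                             "android.permission.READ_EXTERNAL_STORAGE",
                             "android.permission.WRITE_EXTERNAL_STORAGE"}
READER_HINTS = ("adobe", "reader", "pdf")  # a viewer has no need for camera or mic

def triage_manifest(manifest_xml: str) -> dict:
    """Return what the app claims to be, which listed permissions it asks for, and a verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") if app is not None else None) or ""
    requested = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    poses_as_reader = any(h in label.lower() for h in READER_HINTS)
    return {
        "package": root.get("package"),
        "label": label,
        "rat_permissions": sorted(RAT_PERMS & requested),
        "poses_as_reader": poses_as_reader,
        # a "reader" that wants the camera or microphone is a decoy candidate
        "suspicious": poses_as_reader and bool(CAPTURE_PERMS & requested),
    }

# Constructed sample manifests: one mimicking the decoy described above, one benign.
DECOY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoy.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Reader" android:icon="@drawable/ic_reader"/>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="PDF Viewer"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (DECOY_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(sample))
```

The label check is deliberately loose; in practice the verdict would be combined with signer, icon and network indicators rather than used alone.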
Further research from the company revealed that the threat actors behind the tool were using a variant of Spymax RAT (remote access trojan), a tool whose source code is already available on underground forums.
“Spymax offers different Android package builds – and one of the builds has a web view feature that allows the threat actors to inject any web link into the web view module,” the cybersecurity experts wrote. “After the successful installation of the generated APK, it takes the shape of an actual Android app.”
In the attacks observed by Cyfirma, the threat actors used a Google Drive link pointing at a PDF file containing a list of Indian defense personnel who were awarded promotions to a higher rank. The link was reportedly shared through WhatsApp.
“As the target is specifically the defense personnel and since the campaign has been running for quite some time, it is suspected that nation-state threat actor groups are behind the attack to exfiltrate sensitive information,” the security firm wrote.
At the same time, based on the data analyzed, the research team said they could not attribute the current attack to a specific nation-state threat actor group.
“Due to the present prevailing geopolitical situation in South Asia and its adjoining region, India is constantly dealing with aggressive cyber-attacks from its suspected neighbors,” Cyfirma concluded.
“At present, without strong evidence, we are unable to attribute and correlate any nation-state threat actor who could be behind this attack.”
The Cyfirma advisory comes roughly a month after the data breach notification website Leakbase claimed someone hacked the Swachhata Platform in India and stole 16 million user records.