Security researchers have identified a watering-hole attack on a regional news website, Hunza News, which delivers news about Gilgit-Baltistan, a disputed region administered by Pakistan.
According to a new advisory published by ESET malware researcher Lukas Stefanko earlier today, the attack targets Urdu-speaking users in the region and deploys previously unknown spyware dubbed Kamran.
The attack primarily affects mobile users who access the Urdu version of the Hunza News website, which offers a seemingly benign Android app for download. However, this app harbors malicious espionage capabilities, gathering sensitive data when granted certain permissions by users. This spyware has compromised at least 20 mobile devices.
Stefanko clarified that the malicious app is downloaded directly from the website rather than the Google Play store, requiring users to enable installations from unknown sources.
Notably, the Kamran spyware appeared on the website between January 7 and March 21 2023, during a period of protests in Gilgit-Baltistan regarding land rights, taxation issues, power outages and food provisions. This region, situated within the larger Kashmir dispute between India and Pakistan, holds strategic importance. This is due to its location along the Karakoram Highway, facilitating trade between Pakistan and China.
The Kamran spyware is characterized by its unique code composition. Upon the user granting permissions, it gathers various forms of sensitive data, including SMS messages, contacts, location information and more. It then uploads this information to a Firebase command-and-control (C2) server.
Users are urged to download apps only from trusted and official sources to protect themselves from such threats. A list of Indicators of Compromise (IoCs) related to the Kamran spyware attack is included in the ESET advisory.
Infosecurity reached out to Hunza News regarding the attack but had not received a response at the time of writing.