Application Security , Cybercrime , Fraud Management & Cybercrime

Threat Actors Target Indian Army Personnel Via Fake Apps

Fake Military Apps Armaan, Hamraaz Used to Steal Sensitive Data From Army Staff
Threat Actors Target Indian Army Personnel Via Fake Apps
The Indian Army's Armaan app was duplicated by the attackers. (Source: Armaan website)

Threat actors have targeted the Indian Army by creating fake, malicious versions of legitimate apps used by military personnel, according to security researchers.

See Also: The State of Organizations' Security Posture as of Q1 2018

Such a version of Armaan, an app used by Army personnel to access internal information and services, was discovered by MalwareHunter Team, which is run by a group of independent cybersecurity researchers.

The threat actors replicated the legitimate app and added malicious code into the fake app's source code, researchers at Indian cyber threat intelligence firm Cyble tell Information Security Media Group.

The malicious app, according to Cyble's report, replicated the icon, name and source code of the legitimate Armaan app and added a Trojan in the source code to offer threat actors remote access capabilities.

The malicious app could allow threat actors to steal sensitive data, including contacts, call logs, SMS, location, external storage files and audio recordings from target devices, Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, tells ISMG.

The fake app reads attacker command and control information through the Pastebin page for further communication, Dhanalakshmi says. Cyble researchers add that Pastebin URL hxxps:// was used to communicate with a C&C with the IP

At the time of analysis, there were more than 13 million unique visits to the attacker’s C&C, Dhanalakshmi says.

But as the threat actors distributed the fake application through a direct "typo-squatted domain" instead of Android Play Store, it is difficult to determine how many people have downloaded the app, she adds.

Hamraaz App Compromise

The threat actors have also embedded malicious packages into Hamraaz, an app used by Indian soldiers, according to Cyble researchers. The app offers access to service communication, salary-related information, grievance management services and the Armed Forces Personnel Provident Fund, according to the app's website.

Cyble's researchers have determined that the same was malicious package used in both the Armaan and Hamraaz apps, indicating a single perpetrator.

The Indian Army did not immediately respond to ISMG's queries on mitigation steps.

Cyble's researchers say the fake apps are no longer listed on the Play Store.

Malware Analysis

Similar to the legitimate app, the fake Armaan app seeks the user's Aadhaar number, which is an Indian government-issued unique identifier number, used like a Social Security number. The malware in the fake app then communicates this data to the official Armaan server to verify the user's account, according to Cyble.

Code snippet showing app permissions enabled by the malware (Source: Cyble Research Labs)

Of the 22 different permissions requested by the malware, 10 are abused, the researchers say. Some of the permissions requested include:

  • READ_SMS and RECEIVE_SMS: These commands access all SMS messages in the victim's device and intercept SMS messages received on the device.
  • READ_CALL_LOG and READ_CONTACTS: These commands allow access to the phone logs and contacts on the device.
  • READ_PHONE_STATE: This permission allows the malware to access current cellular network information, the phone number and the serial number of the phone, in addition to the status of any ongoing calls.
  • RECORD_AUDIO: This grants access to recorded audio files on the victim's device.
  • ACCESS_FINE_LOCATION: This allows the app to collect the device’s precise GPS location.
  • ACCESS_WIFI_STATE: With this permission, the malware allows the app to get information on Wi-Fi connectivity.

The source code of the legitimate Armaan app and the Trojanized app is the same, barring a malicious file titled "example.mediaservice" in the latter, the researchers say.

Dhanalakshmi adds that no new obfuscation and evasion capabilities have been observed in the fake Armaan app.

She says the malware application uses a unique technique to get attacker C&C IP details from Pastebin page rather than hardcoding encrypted strings and domain generation algorithm.

Cyble's researchers have not recorded proof of the malware's distribution by state-sponsored cybercrime groups, but Dhanalakshmi says there is a high possibility of attributing the attack to these groups.

"Based on our previous research, threat actor groups such as Transparent Tribe have in the past targeted Indian defense personnel," she says.

Cyble's researchers say that regularly checking mobile and Wi-Fi data use of applications installed on mobile device, and tracking alerts provided by the device's antivirus and Android OS can help identify any device infection.

If infected, the researchers recommend disabling Wi-Fi and mobile data and removing the SIM card because, in some cases, the malware can re-enable mobile data. They recommend backing up media files and performing a factory reset after taking those steps.

Past Army Cyberattacks

In April 2021, Cyble said that the Transparent Tribe APT group - also known as ProjectM and Mythic Leopard - had been engaged in conducting various cyberespionage campaigns on Indian defense personnel.

In December 2021, Malwarebytes researchers found that the SideCopy APT group had launched targeted cyberattacks aimed at Indian military personnel. SideCopy is believed to be a product of the Pakistan-linked Transparent Tribe APT group.

At the time, Malwarebytes' researchers told ISMG that SideCopy was building up its attack capabilities for future exploits. SideCopy's "new and improved" attack strategy included more capable payloads and lures, the use of a dashboard that monitored the APT group's targets and malware payloads in real time and an auto-stealer that could be side-loaded.

The Malwarebytes researchers found that the threat actors had used a combination of lnk files, Microsoft Publisher files and a Trojanized application as their initial infection vector.

About the Author

Soumik Ghosh

Soumik Ghosh

Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.