Security researchers have uncovered a targeted watering-hole attack on Hunza News, a regional news site covering Gilgit-Baltistan, a contested region under Pakistan’s administration. ESET malware researcher Lukas Stefanko published an advisory revealing the espionage campaign, named Kamran, specifically targeting Urdu-speaking users in the region.
Furthermore, the attack primarily impacts mobile users who access the Urdu version of Hunza News, with the malicious Kamran spyware hidden in a seemingly harmless Android app available for download on the site, compromising at least 20 mobile devices by extracting sensitive data upon user permissions. Stefanko highlighted that the spyware-laden app is directly downloaded from the website, bypassing the Google Play store and requiring users to enable installations from unknown sources.
Additionally, the Kamran spyware made its appearance on the Hunza News website between January 7 and March 21, 2023, coinciding with protests in Gilgit-Baltistan over land rights, taxation issues, power outages, and food provisions.
The strategic significance of this region, situated within the broader Kashmir dispute between India and Pakistan, adds weight to the attack. Kamran’s unique code composition enables it to collect various sensitive data types, including SMS messages, contacts, and location information, which is then uploaded to a Firebase command-and-control server.
Users are strongly advised to download apps exclusively from trusted and official sources to minimize exposure to such threats. ESET has provided a list of Indicators of Compromise (IoCs) related to the Kamran spyware in its advisory.
Although Infosecurity reached out to Hunza News for a response to the attack, no reply had been received at the time of writing.
Reference:
