Since at least July 2021, a malicious Android installation package (APK) has been observed targeting Indian defence personnel.
The finding was disclosed in a report from Cyfirma's external threat landscape management platform, which the company shared with Infosecurity over the weekend.
The technical write-up states that “The APK [android package kit] file, in this case, is a decoy replica of a promotion letter to the ‘Subs Naik’ position.” Once the victim downloads and installs the malicious APK, the app presents itself on the device with a lookalike Adobe Reader icon.
After installation, the app requests access to the device's camera, microphone, internet connection and storage. Access to even one of these, according to Cyfirma, “may be hazardous and devastating for national security.”
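The permission set described above (camera, microphone, internet, storage) combined with an app label that impersonates a well-known vendor is exactly what a triage script can flag before an APK ever reaches a device. The following is an added example, not Cyfirma's tooling or anything from the report; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (as a tool such as apktool produces), and the sample manifest, package name and flagging thresholds are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for a RAT-style permission set and
an app label that impersonates a vendor the package name does not belong to.

Added example. Assumes a decoded (plain-XML) manifest; a raw APK carries
binary XML that xml.etree cannot parse directly.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article says the decoy app requests, mapped to the
# capability each one hands a remote access trojan.
RAT_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.INTERNET": "internet",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Constructed sample manifest modelled on the article's description: the label
# claims to be Adobe Reader, but the package name is unrelated to Adobe.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.decoy.promotion">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Reader" android:icon="@drawable/acrobat">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission name declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def rat_capabilities(manifest_xml: str) -> set:
    """Map the declared permissions onto surveillance capabilities."""
    return {RAT_PERMISSIONS[p] for p in requested_permissions(manifest_xml)
            if p in RAT_PERMISSIONS}


def label_package_mismatch(manifest_xml: str, claimed_vendor: str) -> bool:
    """True when the user-visible label names a vendor the package id does not."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    package = root.get("package") or ""
    vendor = claimed_vendor.lower()
    return vendor in label.lower() and vendor not in package.lower()


def triage(manifest_xml: str) -> dict:
    """Summarise why an analyst should look closer at this manifest."""
    caps = rat_capabilities(manifest_xml)
    findings = []
    # Camera + microphone + network together is the classic spyware footprint.
    if {"camera", "microphone", "internet"} <= caps:
        findings.append("surveillance permission set: " + ", ".join(sorted(caps)))
    if label_package_mismatch(manifest_xml, "adobe"):
        findings.append("label claims Adobe but package id is not an Adobe package")
    return {"capabilities": sorted(caps), "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```

The vendor check is deliberately narrow (one vendor string, taken from the article) so that it stays explainable; in practice the same comparison would be run against a list of commonly impersonated brands, and the permission check would be paired with a look at the declared services and receivers, which is where a webview-based loader like the one described later in the report would show up.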
Further research by the company found that the threat actors behind the tool were using a variant of the Spymax RAT (remote access trojan), malware whose source code is already available on dark web forums.
The cybersecurity professionals said that Spymax “offers several Android package builds—and one of the variants contains a web view feature that allows the threat actors to inject any web link into the web view module.” The created APK “takes the shape of an actual Android app after the successful installation.”
In the attacks Cyfirma observed, the threat actors used a Google Drive link pointing to a PDF file containing a list of Indian defence personnel who had been granted promotions to a higher rank. The link is said to have been circulated among the targets.
As the security company noted, “it is assumed that nation-state threat actor organisations are behind the attempt to exfiltrate critical material because the target is specifically the defence employees and because the campaign has been running for quite some time.”
The research team also stated that, based on the data examined, they were unable to link the present attack to a specific nation-state threat actor organisation.
“India is continually dealing with aggressive cyber-attacks from its suspected neighbours due to the current prevalent geopolitical environment in South Asia and its adjacent region,” Cyfirma said.
“We are currently unable to attribute and correlate any nation-state threat actor who may be responsible for this attack due to a lack of compelling evidence.”