
Rewterz Threat Alert – New Android spyware targets users in Pakistan

Severity

High

Analysis Summary

Researchers have discovered a small cluster of Trojanized versions of Android apps, marketed mainly to people who live in Pakistan. Someone has modified these otherwise legitimate apps (clean versions are available for download on the Google Play Store) to add malicious features that appear to be focused entirely on covert surveillance and espionage. The modified apps look identical to their legitimate counterparts and even perform their normal functions, but they are designed first to profile the phone and then to download a second-stage payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious functionality, including the ability to covertly exfiltrate sensitive data such as the user's contact list and the full contents of SMS messages. The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.

The Pakistan Citizen Portal Google Play Store listing

The splash page of the Trojanized app contains many spelling and wording errors, and its copyright notice differs from the one in the legitimate app.

Figures: fake-pmdu-info-domain-page.png (fake pmdu[.]info domain page); copyright-notice-pmdu-info-detail-highlight.png (copyright notice detail, highlighted)

Impact

  • Information theft and espionage
  • Exposure of sensitive data
  • Credential theft

Indicators of Compromise

Filename

  • pak_citizen_portal_219[.]apk

MD5

  • 176df6ce5cd78189a3f554961ef226fa

SHA-256

  • 0785e57d59fe9651ac7452ec9c4b04dec2185dfcefad10ce9b0fa077c4aaac02
  • 139d59594d40def4d4036427f6529fe1d67de9862f7caca2d7ccf33b7fb72bfb
  • 21e1af612302288812ab92f1786739e1877c278c520ed26e247f9b6536d0fe4b
  • 25444f614123d80c6dbfde4947a7af2c0ae3ce57ffbbafa7af7ff1aa8e65b77c
  • 2bb5041907b8d74f2c123de67175a6da8747a3c1a817d006a797e863ef2f82d2
  • 333603e999459ab1ba6f3b2b95a44d06f16abf9bbd3afbd80790ea9f88b24c83
  • 385ef5bc6e02d7438e3c7f4b77030560435f2bf186de1d949a0855824cd88df0
  • 6af0070f460effd0610939dda17429740d07d3d5ac496de88870b6160bb93224
  • 6bc9cf05d24024bf47bf6f3afddf62768bf99a065114a069674f5a0f8218b0c4
  • 77b6efb8d3e2be11da3d87dc18aa65e69d02f6615762dd62a15c40cae69dc421
  • 89630dcc54e2d0f76bee8ece998b3daebee16a429309950576548ee343723cda
  • 9ad611b1b01be253d460c33c673fd9270daba6af323c3a216ca7f2cf1f298443
  • bbe147df50234100c7d47b8a26cb3675484c2661bf2554ec327a58f37493a86b
  • be8250766f6669f84a4a73471fea6605a7a54ac255f601aefbc0ce810e11e858
  • dd2efee37ca82813bc1948aaeccbda4b6c025b5ba9c1c5f0ddbf590c6c5d0ac8
  • df8c823f648fd33236955d47a9c4b15e320fbd9d031516b6985441b527e888a8
  • e93b499f7b286bac53b1d39b25caa5d6ab0cabe30393e23b0946ebba49d34d53
  • ec776cdf07bfc3d153dbb94c975e0e5bf5bd7ebd1558994ea7ce765ec9561d9f
  • fd91516432e63b0a100059ed2de0ed559965ee24c9aee37ec4b9146e0d0a4ed1

SHA-1

  • 27da49adc6c40601a8cad3d0bd4a6a98f51d6f99

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the IOCs in your environment, including the hashes of APKs installed on managed Android devices.
  • Install applications only from the official Google Play Store; do not sideload APKs offered on third-party websites, even when they look identical to the Play Store listing.
  • Treat the contact lists and SMS contents of any device found running a matching APK as compromised.
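One way to carry out the "search for IOCs" step against APKs pulled from Android devices, as an added example that is not part of the Rewterz alert. The hash sets are copied from the Indicators of Compromise above; the file locations are an assumption (for instance APKs copied off a handset with `adb pull`), and the sample file created by `make_sample_dir()` is constructed here purely so the script runs offline.

```python
"""Hash-match APK files on disk against the IOCs published in this alert.

Added example, not code from the Rewterz alert. IOC sets are copied from the
alert; file paths are an assumption, and make_sample_dir() builds a constructed,
harmless fixture so the script can run without any real sample.
"""
import hashlib
import tempfile
from pathlib import Path

IOC_MD5 = {"176df6ce5cd78189a3f554961ef226fa"}
IOC_SHA1 = {"27da49adc6c40601a8cad3d0bd4a6a98f51d6f99"}
IOC_SHA256 = {
    "0785e57d59fe9651ac7452ec9c4b04dec2185dfcefad10ce9b0fa077c4aaac02",
    "139d59594d40def4d4036427f6529fe1d67de9862f7caca2d7ccf33b7fb72bfb",
    "21e1af612302288812ab92f1786739e1877c278c520ed26e247f9b6536d0fe4b",
    "25444f614123d80c6dbfde4947a7af2c0ae3ce57ffbbafa7af7ff1aa8e65b77c",
    "2bb5041907b8d74f2c123de67175a6da8747a3c1a817d006a797e863ef2f82d2",
    "333603e999459ab1ba6f3b2b95a44d06f16abf9bbd3afbd80790ea9f88b24c83",
    "385ef5bc6e02d7438e3c7f4b77030560435f2bf186de1d949a0855824cd88df0",
    "6af0070f460effd0610939dda17429740d07d3d5ac496de88870b6160bb93224",
    "6bc9cf05d24024bf47bf6f3afddf62768bf99a065114a069674f5a0f8218b0c4",
    "77b6efb8d3e2be11da3d87dc18aa65e69d02f6615762dd62a15c40cae69dc421",
    "89630dcc54e2d0f76bee8ece998b3daebee16a429309950576548ee343723cda",
    "9ad611b1b01be253d460c33c673fd9270daba6af323c3a216ca7f2cf1f298443",
    "bbe147df50234100c7d47b8a26cb3675484c2661bf2554ec327a58f37493a86b",
    "be8250766f6669f84a4a73471fea6605a7a54ac255f601aefbc0ce810e11e858",
    "dd2efee37ca82813bc1948aaeccbda4b6c025b5ba9c1c5f0ddbf590c6c5d0ac8",
    "df8c823f648fd33236955d47a9c4b15e320fbd9d031516b6985441b527e888a8",
    "e93b499f7b286bac53b1d39b25caa5d6ab0cabe30393e23b0946ebba49d34d53",
    "ec776cdf07bfc3d153dbb94c975e0e5bf5bd7ebd1558994ea7ce765ec9561d9f",
    "fd91516432e63b0a100059ed2de0ed559965ee24c9aee37ec4b9146e0d0a4ed1",
}


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of one file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Return the names of the hash algorithms whose IOC set contains this file."""
    hits = []
    for name, ioc_set in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        if digests[name].lower() in ioc_set:
            hits.append(name)
    return hits


def scan_directory(root, pattern="*.apk", md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Recursively hash files under `root` matching `pattern`.

    Returns a list of (path, sha256, matched_algorithms) for files that hit an IOC.
    """
    matches = []
    for path in sorted(Path(root).rglob(pattern)):
        if not path.is_file():
            continue
        digests = hash_file(path)
        hits = match_iocs(digests, md5, sha1, sha256)
        if hits:
            matches.append((str(path), digests["sha256"], hits))
    return matches


def make_sample_dir():
    """Constructed fixture: a temp dir holding one harmless 'APK' (the bytes b'hello')."""
    root = Path(tempfile.mkdtemp(prefix="apk_scan_"))
    (root / "sample.apk").write_bytes(b"hello")
    return str(root)


if __name__ == "__main__":
    root = make_sample_dir()
    print("against alert IOCs:", scan_directory(root))  # [] - the fixture is benign
    # Pretend the fixture's own hash is an IOC to show what a hit looks like.
    fixture_sha256 = hash_file(Path(root) / "sample.apk")["sha256"]
    print("simulated hit:", scan_directory(root, sha256={fixture_sha256}))
```

On a handset with USB debugging enabled, `adb shell pm list packages -f` lists each installed package with its APK path and `adb pull <path>` copies the file out for scanning. Hash IOCs only catch the exact samples listed: a rebuilt or re-signed APK will have different digests, so also compare package names and signing certificates of anything claiming to be the Pakistan Citizen Portal app against the genuine Play Store release.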