October 4, 2023

A malicious Android installation package has been spotted targeting Indian defense personnel since at least July 2021.

The APK file poses as a decoy copy of a promotion letter to the ‘Subs Naik’ rank. Once the victim falls prey to this malicious APK and installs it, the app appears on the device with an Adobe Reader application icon.

The app asks for several permissions after installation, including camera, microphone, internet, and storage. Access to any one of these can be dangerous and catastrophic for national security.
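A triage check for the two traits described above (an Adobe Reader label on an unrelated package, plus camera, microphone, internet and storage permissions), as an added example that is not from the original report. The manifest is a constructed sample, `triage_manifest` and the package name `com.example.promotionletter` are hypothetical, and the label is assumed to be a literal string in a decoded AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Manifest identifiers for the permissions named in the article.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.INTERNET": "internet",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}
# Assumption: allowlist mapping a brand label to the genuine app's package name.
KNOWN_BRANDS = {"adobe reader": {"com.adobe.reader"}}

# Constructed sample of a decoded manifest (not taken from the real APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.promotionletter">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Reader"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return impersonation and capability findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    # Assumes a literal label; a "@string/..." reference must be resolved first.
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    capabilities = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    genuine = KNOWN_BRANDS.get(label.strip().lower())
    impersonation = genuine is not None and package not in genuine
    findings = []
    if impersonation:
        findings.append(f"label '{label}' is used by unexpected package {package}")
    if {"camera", "microphone", "internet"} <= set(capabilities):
        findings.append("app can record audio/video and send it off the device")
    return {"package": package, "impersonation": impersonation,
            "capabilities": capabilities, "findings": findings}


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FLAG:", finding)
```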

The threat actors behind the tool were using a variant of Spymax RAT, a tool whose source code is already available on underground forums. It offers numerous diversified package builds that have the web view feature, which allows a threat actor to inject any web link into the web view module.


After the successful installation of the generated APK, it takes the shape of an actual Android app.

Researchers observed that the threat actors used a Google Drive link pointing at a PDF file containing a list of Indian defense personnel who were awarded promotions to a higher rank. The link was reportedly shared through WhatsApp.

At the same time, based on the data analyzed, the research team said they could not attribute the current attack to a specific nation-state threat actor group.

This research was documented by researchers from Cyfirma.
