Hidden Kamran Spyware Targeting Urdu Speaking Users in Gilgit-Baltistan

Nov 10, 2023NewsroomPrivacy / Cyber ​​Espionage

Kamran Spyware

Urdu-speaking readers of a regional news website serving the Gilgit-Baltistan region may have emerged as the target of a watering hole attack designed to provide a previously undocumented Android spyware called. Kamran.

The campaign, ESET has discovereduses Hunza News (urdu.hunzanews(.)net), which, when opened on a mobile device, prompts visitors to the Urdu version to install its Android app hosted directly on the website.

The app, however, includes malicious spying capabilities, with the attack compromising at least 20 mobile devices so far. It has been on the website since between January 7, and March 21, 2023, when large protests held in the region due to land rights, taxes, and widespread power cuts.

The malware, which is activated upon installation of the package, asks for restrictive permissions, allowing it to extract sensitive information from devices.


This includes contacts, call logs, calendar events, location information, files, SMS messages, photos, list of installed apps, and device metadata. The collected data is then uploaded to a command-and-control (C2) server hosted by Firebase.

Kamran lacks remote control capabilities and is also simple by design, carrying out exfiltration activities only when the victim opens the app and lacking provisions to track data that has already been sent.

This means that it repeatedly sends the same information, along with any new data that meets its search criteria, to the C2 server. Kamran has not been implicated by any known actor or threat group.

“As this malicious app is not yet offered through the Google Play store and is downloaded from an unknown source called unknown by Google, in order to install this app, the user is asked to give the option to install apps from unknown sources,” security. researcher Lukáš Štefanko said.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment