A cloned version of an official mobile application meant exclusively for Indian Army personnel targeted Android phones with hidden Remote Access Trojan (RAT) attacks.
First identified by the Malware Hunter Team, a platform that identifies malicious software, the cloned app was designed to mimic the official Army Mobile Aadhaar App Network (ARMAAN).
Developed by the Indian Army, the original ARMAAN app is used for information dissemination, messaging, Military Engineering Services-related complaints, army rest house-related services, and many others. It also has a feature that allows army members to send messages to the office of the Chief of Army Staff (COAS).
Serving members of the Indian Army make use of their Aadhaar numbers and Aadhaar-linked mobile phones to access the platform. The cloned app’s Android Package (APK) imitated the appearance and functionality of the official app and was capable of stealing data from devices.
Very interesting & not much detected sample, “armaan.apk” seen from India: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0
From a quick look, it is some app that should be developed by India’s gov, related to their army.
Has a malware with lots of features.
— MalwareHunterTeam (@malwrhunterteam) January 22, 2022
Cyble, a cyber-threat intelligence firm, conducted further analysis of the malware, revealing the threat actor’s camouflaged methods. The cyber threat intelligence firm published a blog that detailed the malware operators’ customisations.
According to Cyble’s investigation, a suspicious domain—hxxps:/armaanapp[.]in—
“The modified, malicious ARMAAN app poses a serious threat to the Indian Armed Forces. It can perform RAT activities with the potential to steal sensitive data from Indian Army personnel, such as contacts, call logs, SMSes, location, and files from external storage, in addition to the ability to record sensitive audio,” Cyble’s researchers noted.
Just like the original ARMAAN app, the fake version asked for the Aadhaar credentials of the users at the start. The malware even communicated with the official ARMAAN server to verify the account once the user provided their Aadhaar number.
Once installed, the app had the ability to use the device’s camera and microphone, had access to documents and pictures on the device, and could steal the user’s call and SMS data along with information about the network, phone number, and location.
The app could even silently function in the background. While the source code of the harmful app appeared similar to that of the genuine app, an extra package “containing malicious code” was inserted into the malware’s source code.
According to Cyble, while the fake app requested 22 different permissions, it abused 10 of them.
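The capability list above (contacts, call logs, SMS, location, external storage, audio) maps directly onto Android runtime permissions, so a first triage step for a suspected clone is to diff the permissions its manifest requests against the genuine app's and translate the surplus into the data it could exfiltrate. The script below is an added illustration, not Cyble's tooling or the ARMAAN project's code; the manifest and the baseline permission set are constructed for the example, and a real run would parse the manifest decoded from the APK with a tool such as apktool.

```python
"""Triage helper: map an APK's requested permissions to the RAT capabilities
described above and flag anything beyond a known-good baseline.
The manifest and baseline are CONSTRUCTED for illustration, not the real
ARMAAN app or the clone."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant each data-theft capability named in the article.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Constructed sample of a decoded AndroidManifest.xml (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.armaan.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Assumed baseline: what the genuine app is expected to request (placeholder).
BASELINE = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, baseline=BASELINE):
    """Report permissions beyond the baseline and the capabilities they enable."""
    perms = requested_permissions(manifest_xml)
    capabilities = [c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    return {"extra_permissions": sorted(perms - baseline),
            "capabilities": sorted(capabilities)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A permission diff only shows what the app *could* do; confirming abuse still requires looking at the added package in the decompiled code, as Cyble did.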
The authorised version of the genuine ARMAAN app is available for download on its official page. The app can be used only by serving Indian Army personnel.