# Indian Army Personnel Face Remote Access Trojan Attacks **[blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/](https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/)** January 28, 2022 [Cyble Research Labs has come across a Twitter post wherein security researchers have brought to focus an](https://twitter.com/malwrhunterteam/status/1484966581620949005?t=BYJqgYYpCCNe_9v6uwMuCg&s=19) Android malware that pretends to be the legitimate ARMAAN application. The Army Mobile Aadhaar App [Network (ARMAAN) is an umbrella application covering various facets of information & services concerning](https://armaan.gov.in/) all ranks of the Indian Army, and the app is used only by Indian Army personnel. Threat Actors (TAs) have customized the legitimate ARMAAN app and added malicious code into it. During our analysis, we observed that this malicious application uses the icon, name, and even source code of the legitimate ARMAAN app. To create this malicious application, attackers have added an extra package in the legitimate application’s source code to enable it to perform RAT activities. From our analysis, we concluded that upon successful execution, this malicious application could steal sensitive data such as contacts, call logs, SMSes, location, files from external storage, record audio, etc., from the victims’ devices. Recently Cyble Research Labs has come across another malicious android app disguised as HAMRAAZ. The HAMRAAZ is an android application developed for Indian Army Personnel. The TAs have added malicious packages into the HAMRAAZ app. ----- We analyzed the malicious sample of the HAMRAAZ Android app and identified that the malicious package used in ARMAAN and HAMRAAZ is the same. Therefore we can conclude that the Threat Actors (TAs) behind both malware are the same. In this section, we have provided details of malicious HAMRAAZ app: **c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c** We observed the malicious HAMRAAZ app uses Pastebin URL: hxxps://pastebin[.]com/rA219A98 to communicate with the C&C IP: 173[.]212.254.151 as shown in the below figure. Figure 1 – C&C Communication via Pastebin ## Technical Analysis ### APK Metadata Information App Name: ARMAAN Package Name: in.gov.armaan SHA256 Hash: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0 Figure 2 shows the metadata information of the application. Figure 2 – App Metadata Information The below figure shows the application icon and name displayed on the Android device. ----- Figure 3 – App Icon and Name The malware requests for Aadhar numbers, which is also a feature of the legitimate ARMAAN application, as shown in the figure below. ----- Figure 4 – App Requests KYC Documents When the user inputs the AADHAAR number, the malware communicates with the official ARMAAN server to verify the account, as shown below. Figure 5 – App Communicates to Legitimate Server On comparing the legitimate ARMAAN application and the modified malicious ARMAAN application, we identified that the TAs have added an extra package containing malicious code, as shown in the figure below. ----- Figure 6 – Added Source Code Package in Malicious App ## Manifest Description The malware requests the user for 22 different permissions. Out of these, it abuses ten permissions. These dangerous permissions are listed below. **Permissions** **Description** READ_SMS Access SMSes in the device database (DB). RECEIVE_SMS Intercept SMSes received on the victim’s device READ_CALL_LOG Access Call Logs READ_CONTACTS Access phone contacts. READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. RECORD_AUDIO Allows the app to record audio with the microphone, which the attackers can misuse. ACCESS_COARSE_LOCATION Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi. ACCESS_FINE_LOCATION Allows the app to get the device’s precise location using the Global Positioning System (GPS). ACCESS_BACKGROUND_LOCATION Allows an app to access location in the background. ACCESS_WIFI_STATE Allows the app to get information about Wi-Fi connectivity. We observed added services and receivers entries in the manifest file of the malicious app, as shown in Figure 7. ----- Figure 7 – Added Entries in Manifest It is also observed in the manifest that the TAs have added dangerous permissions entries such as READ_CONTACTS, READ_CALL_LOG, RECORD_AUDIO, ACCESS_COARSE_LOCATION, etc. in modified malicious ARMAAN applications. Figure 8 – Added Permissions Entry in Malicious APP ## Source Code Review Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, and Call logs, besides recording audio and taking pictures from the camera, etc., on commands from the C&C. The malware uses a fixed hardcoded array containing the IP’s ASCII values: 173[.]212.220.230 and port: _3617 Details. The malware then converts and uses them for its C&C communication, as shown in Figure 9._ ----- Figure 9 – Malware Communication The getAlluserInfo() method has been used to collect the user’s device information such as phone number, device manufacturer’s details, etc., from the device, as shown in Figure 10. Figure 10 – Collects User’s Information ----- Through the getAllSMS() method, we identified that the malware collects SMSs data from the device, as shown in the below figure. Figure 11 – Code to Collect SMSs The method getAllContacts() has been used to collect Contacts data from the device, as shown below. Figure 12 – Code to Collect Contacts Data Method getAllCallLogs() depicts the malware’s ability to collect Call logs data from the device. Refer to Figure 13. Figure 13 – Code to Collect Call logs The code snippet shown in the below image depicts the malware’s ability to collect the device’s location data from the device. Figure 14 Collects Location Data from the Device ----- The image shown below showcases the malware s code that collects and sends images from the WhatsApp directory in the device to the server on commands from the TAs. Figure 15 – Steals Images from WhatsApp Directory The method sentMicRecording() shown in the below image depicts the malware’s ability to record mic and send the recorded data to the server on the TAs command. After the data is sent, the malware deletes the file. Figure 16 – Records Mic The below figure represents the malware’s ability to capture images from the front and back camera and send the recorded data to the server on the TAs command. Figure 17 – Capture Images from Front and Back Camera The malware collects the document files from the device through the remainingDocumentFiles() method shown in the figure below. Figure 18 – Code to Collect Document Files ----- Below are the commands used by the TA to control the infected device: **Command** **Description** D%r6t* Get SMS data s%7n@2 Get Contacts data i*g4#3 Get Call logs data O@y7J& Start mic recording 5w$I!7 Get document files 1^R$4t Get images from the WhatsApp folder j*7e@4 Click photos from the device camera A website with the domain name hxxps://armaanapp[.]in was registered around a year ago. It seems that TAs used this website to deliver malicious versions of the ARMAAN application, as shown in the below figure below. Figure 19 – Fake Website ## Conclusion The modified, malicious ARMAAN and HAMRAAZ apps pose a serious threat to the Indian Armed Forces. It can perform RAT activities with the potential to steal Indian Army personnel’s sensitive data, including contacts, call logs, SMSs, Location, and files from external storage, in addition to the ability to record sensitive audio. TAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them. This situation makes it imperative for users to install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: ## How to prevent malware infection? Download and install software only from official app stores like Google Play Store or the iOS App Store. Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. Use strong passwords and enforce multi-factor authentication wherever possible. ----- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. Be wary of opening any links received via SMS or emails delivered to your phone. Ensure that Google Play Protect is enabled on Android devices. Be careful while enabling any permissions. Keep your devices, operating systems, and applications updated. ## How to identify whether you are infected? Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices. Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. ## What to do when you are infected? Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. Perform a factory reset. Remove the application in case a factory reset is not possible. Take a backup of personal media Files (excluding mobile applications) and perform a device reset. ## What to do in case of any fraudulent transaction? In case of a fraudulent transaction, immediately report it to the concerned bank. ## What should banks do to protect their customers? Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) Deliver Malicious App via Other Mean. **Initial Access** [T1444](https://attack.mitre.org/versions/v7/techniques/T1444) Masquerade as Legitimate Application **Execution** [T1575](https://attack.mitre.org/versions/v7/techniques/T1575/) Native Code **Collection** [T1433](https://attack.mitre.org/techniques/T1433) Access Call Log **Collection** [T1412](https://attack.mitre.org/techniques/T1412) Capture SMS Messages **Collection** [T1432](https://attack.mitre.org/techniques/T1432) Access Contact List **Collection** [T1429](https://attack.mitre.org/techniques/T1429) Capture Audio **Collection** [T1512](https://attack.mitre.org/techniques/T1512) Capture Camera **Collection** [T1533](https://attack.mitre.org/techniques/T1533) Data from Local System **Collection** [T1430](https://attack.mitre.org/techniques/T1430) Location Tracking ----- **Command and Control** [T1436](https://attack.mitre.org/techniques/T1436) Commonly Used Ports ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **Type** **Description** **80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0** SHA256 Malicious ARMAAN APK **173[.]212.220.230:3617** IP Address **hxxps://pastebin[.]com/VfRCefzG** Pastebin URL Malware Communication IP Used to provide C&C IP to Malicious ARMAAN App **c0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c** SHA256 Malicious HAMRAAJ APK **173[.]212.254.151** IP Address **hxxps://pastebin[.]com/rA219A98** Pastebin URL Malware Communication IP Used to provide C&C IP to Malicious HAMRAAZ App -----