{
	"id": "f7102394-36d6-4364-bcaf-a5c34d0fa5fa",
	"created_at": "2026-04-06T00:07:00.477787Z",
	"updated_at": "2026-04-10T03:21:42.33412Z",
	"deleted_at": null,
	"sha1_hash": "f63a71fdd8c4e81647a0bb482a80c697984adb48",
	"title": "Indian Army Personnel Face Remote Access Trojan Attacks:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1722974,
	"plain_text": "Indian Army Personnel Face Remote Access Trojan Attacks:\r\nPublished: 2022-01-28 · Archived: 2026-04-05 17:19:58 UTC\r\nCyble Research Labs has come across a Twitter post wherein security researchers have brought to focus an Android\r\nmalware that pretends to be the legitimate ARMAAN application. The Army Mobile Aadhaar App Network\r\n(ARMAAN) is an umbrella application covering various facets of information \u0026 services concerning all ranks of the\r\nIndian Army, and the app is used only by Indian Army personnel. Threat Actors (TAs) have customized the legitimate\r\nARMAAN app and added malicious code into it.\r\nDuring our analysis, we observed that this malicious application uses the icon, name, and even source code of the\r\nlegitimate ARMAAN app. To create this malicious application, attackers have added an extra package in the legitimate\r\napplication’s source code to enable it to perform RAT activities.\r\nFrom our analysis, we concluded that upon successful execution, this malicious application could steal sensitive data\r\nsuch as contacts, call logs, SMSes, location, files from external storage, record audio, etc., from the victims’ devices.\r\nWorld's Best AI-Native Threat Intelligence\r\nRecently Cyble Research Labs has come across another malicious android app disguised as HAMRAAZ. The\r\nHAMRAAZ is an android application developed for Indian Army Personnel.  The TAs have added malicious packages\r\ninto the HAMRAAZ app.\r\nWe analyzed the malicious sample of the HAMRAAZ Android app and identified that the malicious package used in\r\nARMAAN and HAMRAAZ is the same. Therefore we can conclude that the Threat Actors (TAs) behind both malware\r\nare the same.\r\nIn this section, we have provided details of malicious HAMRAAZ app:\r\nc0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 1 of 13\n\nWe observed the malicious HAMRAAZ app uses Pastebin URL: hxxps://pastebin[.]com/rA219A98 to communicate\r\nwith the C\u0026C IP: 173[.]212.254.151 as shown in the below figure.\r\nFigure 1 – C\u0026C Communication via Pastebin\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name:  ARMAAN\r\nPackage Name: in.gov.armaan\r\nSHA256 Hash: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0\r\nFigure 2 shows the metadata information of the application.\r\nFigure 2 – App Metadata Information\r\nThe below figure shows the application icon and name displayed on the Android device.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 2 of 13\n\nFigure 3 – App Icon and Name\r\nThe malware requests for Aadhar numbers, which is also a feature of the legitimate ARMAAN application, as shown in\r\nthe figure below.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 3 of 13\n\nFigure 4 – App Requests KYC Documents\r\nWhen the user inputs the AADHAAR number, the malware communicates with the official ARMAAN server to verify\r\nthe account, as shown below.\r\nFigure 5 – App Communicates to Legitimate Server\r\nOn comparing the legitimate ARMAAN application and the modified malicious ARMAAN application, we identified\r\nthat the TAs have added an extra package containing malicious code, as shown in the figure below.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 4 of 13\n\nFigure 6 – Added Source Code Package in Malicious App\r\nManifest Description\r\nThe malware requests the user for 22 different permissions. Out of these, it abuses ten permissions. These dangerous\r\npermissions are listed below.\r\nPermissions Description\r\nREAD_SMS Access SMSes in the device database (DB).\r\nRECEIVE_SMS Intercept SMSes received on the victim’s device\r\nREAD_CALL_LOG Access Call Logs\r\nREAD_CONTACTS Access phone contacts.\r\nREAD_PHONE_STATE\r\nAllows access to phone state, including the current\r\ncellular network information, the phone number and the\r\nserial number of the phone, the status of any ongoing\r\ncalls, and a list of any Phone Accounts registered on the\r\ndevice.\r\nRECORD_AUDIO\r\nAllows the app to record audio with the microphone,\r\nwhich the attackers can misuse.\r\nACCESS_COARSE_LOCATION\r\nAllows the app to get the approximate location of the\r\ndevice network sources such as cell towers and Wi-Fi.\r\nACCESS_FINE_LOCATION\r\nAllows the app to get the device’s precise location\r\nusing the Global Positioning System (GPS).\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 5 of 13\n\nACCESS_BACKGROUND_LOCATION Allows an app to access location in the background.\r\nACCESS_WIFI_STATE\r\nAllows the app to get information about Wi-Fi\r\nconnectivity.\r\nWe observed added services and receivers entries in the manifest file of the malicious app, as shown in Figure 7.\r\nFigure 7 – Added Entries in Manifest\r\nIt is also observed in the manifest that the TAs have added dangerous permissions entries such as READ_CONTACTS,\r\nREAD_CALL_LOG, RECORD_AUDIO, ACCESS_COARSE_LOCATION, etc. in modified malicious ARMAAN\r\napplications.\r\nFigure 8 – Added Permissions Entry in Malicious APP\r\nSource Code Review\r\nOur static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, and Call logs, besides\r\nrecording audio and taking pictures from the camera, etc., on commands from the C\u0026C.\r\nThe malware uses a fixed hardcoded array containing the IP’s ASCII values: 173[.]212.220.230 and port: 3617 Details.\r\nThe malware then converts and uses them for its C\u0026C communication, as shown in Figure 9.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 6 of 13\n\nFigure 9 – Malware Communication\r\nThe getAlluserInfo() method has been used to collect the user’s device information such as phone number, device\r\nmanufacturer’s details, etc., from the device, as shown in Figure 10.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 7 of 13\n\nFigure 10 – Collects User’s Information\r\nThrough the getAllSMS() method, we identified that the malware collects SMSs data from the device, as shown in the\r\nbelow figure.\r\nFigure 11 – Code to Collect SMSs\r\nThe method getAllContacts() has been used to collect Contacts data from the device, as shown below.\r\nFigure 12 – Code to Collect Contacts Data\r\nMethod getAllCallLogs() depicts the malware’s ability to collect Call logs data from the device. Refer to Figure 13.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 8 of 13\n\nFigure 13 – Code to Collect Call logs\r\nThe code snippet shown in the below image depicts the malware’s ability to collect the device’s location data from the\r\ndevice.\r\nFigure 14 – Collects Location Data from the Device\r\nThe image shown below showcases the malware’s code that collects and sends images from the WhatsApp directory in\r\nthe device to the server on commands from the TAs.\r\nFigure 15 – Steals Images from WhatsApp Directory\r\nThe method sentMicRecording() shown in the below image depicts the malware’s ability to record mic and send the\r\nrecorded data to the server on the TAs command. After the data is sent, the malware deletes the file.\r\nFigure 16 – Records Mic\r\nThe below figure represents the malware’s ability to capture images from the front and back camera and send the\r\nrecorded data to the server on the TAs command.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 9 of 13\n\nFigure 17 – Capture Images from Front and Back Camera\r\nThe malware collects the document files from the device through the remainingDocumentFiles() method shown in the\r\nfigure below.\r\nFigure 18 – Code to Collect Document Files\r\nBelow are the commands used by the TA to control the infected device:\r\nCommand Description\r\nD%r6t* Get SMS data\r\ns%7n@2 Get Contacts data\r\ni*g4#3 Get Call logs data\r\nO@y7J\u0026 Start mic recording\r\n5w$I!7 Get document files\r\n1^R$4t Get images from the WhatsApp folder\r\nj*7e@4 Click photos from the device camera\r\nA website with the domain name hxxps://armaanapp[.]in was registered around a year ago. It seems that TAs used this\r\nwebsite to deliver malicious versions of the ARMAAN application, as shown in the below figure below.\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 10 of 13\n\nFigure 19 – Fake Website\r\nConclusion\r\nThe modified, malicious ARMAAN and HAMRAAZ apps pose a serious threat to the Indian Armed Forces. It can\r\nperform RAT activities with the potential to steal Indian Army personnel’s sensitive data, including contacts, call logs,\r\nSMSs, Location, and files from external storage, in addition to the ability to record sensitive audio.\r\nTAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly\r\nsophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into\r\ninstalling them. This situation makes it imperative for users to install applications only after verifying their authenticity.\r\nApps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such\r\nattacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:  \r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops,\r\nand mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device\r\nwhere possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.\r\nKeep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile\r\nData.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media Files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 11 of 13\n\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks\r\nvia telephone, SMSs, or emails. \r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Mean.\r\nInitial Access T1444 Masquerade as Legitimate Application\r\nExecution T1575 Native Code\r\nCollection T1433 Access Call Log\r\nCollection T1412 Capture SMS Messages\r\nCollection T1432 Access Contact List\r\nCollection T1429 Capture Audio\r\nCollection T1512 Capture Camera\r\nCollection T1533 Data from Local System\r\nCollection T1430 Location Tracking\r\nCommand and Control T1436 Commonly Used Ports\r\nIndicators of Compromise (IOCs)\r\nIndicators\r\nIndicator\r\nType\r\nDescription\r\n80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0 SHA256\r\nMalicious\r\nARMAAN\r\nAPK\r\n173[.]212.220.230:3617\r\nIP\r\nAddress\r\nMalware\r\nCommunication\r\nIP\r\nhxxps://pastebin[.]com/VfRCefzG\r\nPastebin\r\nURL\r\nUsed to provide\r\nC\u0026C IP to\r\nMalicious\r\nARMAAN App\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 12 of 13\n\nc0a3a2401b966c1fb73453c5675ff7da2ef777ab040ff9af5ffdbb79dbeb425c SHA256\r\nMalicious\r\nHAMRAAJ\r\nAPK\r\n173[.]212.254.151\r\nIP\r\nAddress\r\nMalware\r\nCommunication\r\nIP\r\nhxxps://pastebin[.]com/rA219A98\r\nPastebin\r\nURL\r\nUsed to provide\r\nC\u0026C IP to\r\nMalicious\r\nHAMRAAZ\r\nApp\r\nSource: https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nhttps://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/"
	],
	"report_names": [
		"indian-army-personnel-face-remote-access-trojan-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f63a71fdd8c4e81647a0bb482a80c697984adb48.pdf",
		"text": "https://archive.orkl.eu/f63a71fdd8c4e81647a0bb482a80c697984adb48.txt",
		"img": "https://archive.orkl.eu/f63a71fdd8c4e81647a0bb482a80c697984adb48.jpg"
	}
}