Indifference, insufficient resources and inept governance are making Pakistanis sitting ducks for cybercriminals to prey on.

In a highly sophisticated and deceitful phishing attack in Pakistan recently, cybercriminals modified five legitimate Android apps to create fake versions that can spy on users.

The counterfeit apps include modified versions of the government app Pakistan Citizen Portal (PCP); the Pakistan Salat Time app (an Islamic prayer clock); the Mobile Packages Pakistan an app (used to price-compare mobile phone plans); an insurance company app, and a tool that can check a phone’s SIM card for validity.

Although PCP is the most popular app among these, the other apps may have been targeted as a kind of initial training and testing by hackers, according to Sophos. The apps incorporated phishing, spyware and social engineering.

According to A.K.M. Fazlur Rahman, Managing Director, SmartData Technologies: “We witnessed several similar incidents—from banking applications to other legitimate apps. Cybercriminals are using the app store as another strong channel to hack credentials and so on.” Rahman noticed that the hackers prompted users to visit pmdu.info, a phishing website identical to https://web.citizenportal.gov.pk/. They then lured users into downloading a fake app from pmdu.info instead of the legitimate app from the Google Play Store.

Fake vs real apps

Sophos researchers discovered that the hackers inserted malicious code into benign apps to create fake versions. These malicious apps covertly capture and exfiltrate personal details, messages, contacts, photos, location data, and highly sensitive passport and identity card information.

The fake versions look identical to their legitimate counterparts and even function normally. The exfiltrated data is subsequently sent to one of a small number of command-and-control servers. Some tampered apps carry a code for additional functionality that has not yet been activated, such as the ability to record phone calls or sounds in the vicinity of the phone.

Pankaj Jain, Chief Executive Officer, Panzer IT argued that this trend shows a lack of awareness and the lackluster security policies in government agencies: “It is a combined responsibility of governmental security agencies and users. Government must run detailed, nationwide programs on phishing training for every Internet user. This will help avert a lot of attacks and save a lot of money.”

According to Jain, the best way to control such phishing attacks is to run large-level awareness programs to train people to know which app, website or phone call is legitimate and which is not.

Sound advice for Pakistanis

Offering advice to the public, Sophos threat researcher Pankaj Kohli said: “Cyber adversaries target mobile phones not just to get their hands on sensitive and personal information, but because the data offers a real-time window into people’s lives, their physical location, movements, and even live conversations taking place within listening range of the infected devices. The best advice for protecting devices and data against spyware is to avoid clicking links to apps received via email or text messages.

“Download apps from legitimate markets like the Google Play Store, and when installing an unfamiliar app, beware of the installer asking for full access to the phone’s file system, SMS or email messages, or the ability to overlay other apps, and why the app needs those permissions.”

Users should also install reputable anti-malware on their PCs and mobiles and inform their family members be vigilant against malicious apps. Also, uninstall apps that are seldom used, and never share one-time passwords or click on unknown links.

SmartData Technologies’ Rahman noted that web developers can use various solutions to detect tampering and take the necessary actions. Another major step is to back up all data, format the device and reinstall the operating system from scratch.

The shaky road ahead

In Pakistan, publishers of the original apps can often be unaware of their apps being hijacked. It can be because the owners are not even maintaining the apps for any number of reasons. Or, a tech company could have developed the code and sold it to new owners who subsequently did not bother to check on the apps. Also, most app publishers in the country do not invest in the identification of copyright breaches.

For years, the country’s IT security industry has been pushing unsuccessfully for cybersecurity awareness with all IT users. While awareness alone will not resolve this issue, there should at least be a change in users’ mindset to practise cyber hygiene. IT security is no longer the sole responsibility of IT professionals, but something everyone should have a stake in.

Governments and the IT industry need to actively warn about fake apps, etc., but eventually, the process has to be built in with IT users.

According to Prabeer Sarkar, CEO, Dhaka Distributions, a cybersecurity provider in Bangladesh: “Most of the time, cybersecurity alerts are not treated seriously. No matter how insignificant it may seem, any cybercrime alert should be immediately considered for serious action and attendance. If not you, then someone else will be a victim.”

Ultimately, he noted, it should be the responsibility of app developers to introduce security authentications that are difficult to counterfeit or replicate.