Key points
- Kamran spyware was distributed via a DOWNLOAD APP button on the Hunza News site, appearing only on the Urdu mobile version.
- The malicious APK is identified as package com.kamran.hunzanews and signed with developer certificate SHA-1 DCC1A353A178ABF4F441A5587E15644A388C9D9C.
- Installation requires enabling “install from unknown sources” because the APK was hosted off‑store at https://hunzanews[.]net/wp-content/uploads/apk/app-release.apk.
- Once permissions are granted, the app collects contacts, SMS (stored and newly received), call logs, calendar events, location, the list of installed apps, device info, and images.
- The malware enumerates image file paths, stores them in an images_db internal database, and uploads files and metadata to a hardcoded Firebase C2 over HTTPS.
- Kamran lacks remote background control; exfiltration happens only when the app is opened and it repeatedly resends data without tracking what was already sent.
- At least 22 Android devices were found compromised (five in Pakistan); ESET detects the threat as Android/Spy.Kamran.A.
MITRE Techniques
- [T1418] Software Discovery – Kamran obtains a list of installed applications. [‘Kamran spyware can obtain a list of installed applications.’]
- [T1420] File and Directory Discovery – Kamran lists image files on external storage. [‘Kamran spyware can list image files on external storage.’]
- [T1426] System Information Discovery – Kamran extracts device model, OS version, and system information. [‘Kamran spyware can extract information about the device, including device model, OS version, and common system information.’]
- [T1533] Data from Local System – Kamran exfiltrates image files from the device. [‘Kamran spyware can exfiltrate image files from a device.’]
- [T1430] Location Tracking – Kamran collects device location data. [‘Kamran spyware tracks device location.’]
- [T1636.001] Protected User Data: Calendar Entries – Kamran extracts calendar entries. [‘Kamran spyware can extract calendar entries.’]
- [T1636.002] Protected User Data: Call Logs – Kamran extracts call logs. [‘Kamran spyware can extract call logs.’]
- [T1636.003] Protected User Data: Contact List – Kamran extracts the device’s contact list. [‘Kamran spyware can extract the device’s contact list.’]
- [T1636.004] Protected User Data: SMS Messages – Kamran reads and intercepts SMS messages. [‘Kamran spyware can extract SMS messages and intercept received SMS.’]
- [T1437.001] Application Layer Protocol: Web Protocols – Kamran communicates with C2 via HTTPS. [‘Kamran spyware uses HTTPS to communicate with its C&C server.’]
- [T1481.003] Web Service: One-Way Communication – Kamran uses Google Firebase as its C2 platform. [‘Kamran uses Google’s Firebase server as its C&C server.’]
- [T1646] Exfiltration Over C2 Channel – Kamran exfiltrates collected data to its C2 over HTTPS. [‘Kamran spyware exfiltrates data using HTTPS.’]
Indicators of Compromise
- [File hash] malicious APK SHA‑1 – 0F0259F288141EDBE4AB2B8032911C69E03817D2 (Kamran spyware sample).
- [Package name] Android package – com.kamran.hunzanews (malicious app identifier).
- [Download URL] distribution URL – https://hunzanews[.]net/wp-content/uploads/apk/app-release.apk (APK hosted on Hunza News site).
- [Developer certificate] signing certificate – SHA‑1 DCC1A353A178ABF4F441A5587E15644A388C9D9C (used to sign malicious APK); legitimate Hunza News apps used SHA‑1 BC2B7C4DF3B895BE4C7378D056792664FCEEC591.
- [C2 domain/IP] command & control – [REDACTED].firebaseio[.]com, 34.120.160[.]131 (Firebase C2 hosted by Google LLC).
- [Distribution domain] compromised site – hunzanews[.]net (watering‑hole/distribution website).
Kamran technical procedure
The attackers embedded a malicious Android APK into the Hunza News site and exposed it via a DOWNLOAD APP button visible only on the Urdu mobile site. When a user taps the button, the APK (app-release.apk) is downloaded from hunzanews.net and, because it is not distributed through Google Play, the installation flow requires enabling “install from unknown sources” and then granting the runtime permissions the app requests.
On first run Kamran presents a simple interface that displays Hunza News content but requests broad permissions. Once these are granted it enumerates installed apps and system information, crawls external storage for image file paths (storing the results in an internal images_db database), and reads protected data: contacts, SMS (both stored and newly received), call logs, calendar entries, and location. The collected data and the image files themselves are then uploaded over HTTPS to a hardcoded Firebase endpoint (https://[REDACTED].firebaseio[.]com, IP 34.120.160[.]131).
Kamran implements neither remote command execution nor background persistence for exfiltration: data is sent only while the app is open. It also does not track what it has already exfiltrated, so on each run it retransmits the same data together with any new items that meet its search criteria. The analyzed sample is signed with developer certificate SHA-1 DCC1A353A178ABF4F441A5587E15644A388C9D9C and is detected by ESET as Android/Spy.Kamran.A; investigators identified at least 22 compromised devices.
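Defender-side detection logic, added here as an example and not part of the report: it refangs the published indicators, classifies an installed package by name and signing-certificate fingerprint (the attacker's key versus the key the legitimate Hunza News apps used), and scans proxy log lines for the download URL and Firebase traffic. The log line format and the sample lines in the test are constructed assumptions, and because the report redacts the Firebase subdomain, Firebase hosts are flagged for review rather than as a match.

```python
import re

# Indicators quoted from the report, kept in their defanged form.
MALICIOUS_PACKAGE = "com.kamran.hunzanews"
MALICIOUS_CERT_SHA1 = "DCC1A353A178ABF4F441A5587E15644A388C9D9C"
LEGIT_CERT_SHA1 = "BC2B7C4DF3B895BE4C7378D056792664FCEEC591"
DOWNLOAD_URL = "https://hunzanews[.]net/wp-content/uploads/apk/app-release.apk"
C2_IP = "34.120.160[.]131"
C2_DOMAIN_SUFFIX = "firebaseio[.]com"  # the C2 subdomain is redacted in the report


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify_package(package: str, cert_sha1: str) -> str:
    """Classify an installed app by package name and signing-certificate SHA-1."""
    cert = cert_sha1.replace(":", "").upper()
    if package == MALICIOUS_PACKAGE or cert == MALICIOUS_CERT_SHA1:
        return "malicious"    # Kamran package name or the attacker's signing key
    if cert == LEGIT_CERT_SHA1:
        return "legitimate"   # signed with the key the real Hunza News apps used
    return "unknown"


def scan_proxy_log(lines):
    """Flag proxy log lines ('<ts> <client> <method> <url>', a constructed format)
    that touch Kamran infrastructure. 'match' is an exact report indicator;
    'review' marks any firebaseio.com host, which is shared Google infrastructure
    and cannot be attributed to Kamran without the redacted subdomain."""
    url_ioc, ip_ioc, c2_suffix = (refang(i) for i in (DOWNLOAD_URL, C2_IP, C2_DOMAIN_SUFFIX))
    hits = []
    for line in lines:
        m = re.match(r"\S+ \S+ \S+ (\S+)", line)
        if not m:
            continue
        url = m.group(1)
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if url == url_ioc or host == ip_ioc:
            hits.append((line, "match"))   # the bare IP is weak on its own (Google-hosted)
        elif host.endswith("." + c2_suffix):
            hits.append((line, "review"))
    return hits
```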