External threat landscape management platform Cyfirma has reported that a malicious Android installation package is targeting Indian defense personnel. The campaign has been active since at least July 2021. The information was shared by the cybersecurity firm over the weekend. According to Cyfirma, the Android package kit (APK) file is disguised as a copy of a promotion letter to lure victims into installing the malicious software. The app appears to run as an Adobe Reader application and uses the legitimate reader application icon or a look-alike to trick victims into falling for the scheme.
Once the malicious app is installed, it requests several permissions, such as camera, microphone, internet, and storage access. According to Cyfirma, granting any one of these permissions could have disastrous effects on national security. Additionally, the threat group is linked to a variant of Spymax RAT, a remote access Trojan. The threat actors are allegedly distributing a Google Drive link that points to a PDF file containing a list of Indian defense personnel who were awarded higher positions. The link was shared via WhatsApp, Cyfirma says. The cybersecurity firm has not been able to link the campaign to any one threat actor group or organization.