The malicious app variants obfuscate their operations by stealthily downloading a payload in form of an Android Dalvik executable (DEX) file, with the DEX payload containing the malicious features, which include ability to covertly exfiltrate sensitive data such as user's contacts and the full SMS messages contents.
Among the trojanized apps masquerading as legitimate apps are the Pakistan Citizen Portal, and a Muslim prayer-clock app known as Pakistan Salat Time, Registered SIMs Checker, Mobile Packages Pakistan, and TPL Insurance.
How the Trojanized apps Spy on Android users
On installation, the app would request some intrusive permissions, like the ability to location, access contacts, file system, microphone, and read SMS contents, which then allow it to gather personal data from a victim's device.
These apps all have one purpose, that is, to carry out espionage and exfiltrate data from a target device. Furthermore, the DEX payload in addition to sending the unique IMEI identifier, relays detailed profile information about the device, location, contact lists, call logs and the contents of text messages, with the listing of internal or SD card storage on the device.
The malicious apps after gathering this information then sends it to one of a number of command-and-control (C2) servers hosted in eastern Europe.
How to Safeguard against spying and covert espionage on Android phone
While Android apps are cryptographically signed to certify that the code originates with a legitimate source, thus tying the app to its developer, but exposing to end user when signed app's certificate isn't legitimate or not valid is still wanting on Android.
Therefore, Android users need to stick to trusted sources to download apps, verify if an app is actually built by a genuine developer, and scrutinize every app permissions carefully before installation.