A watering hole attack has been discovered on the Hunza News website, a regional news website in Pakistan that focuses on news about the Gilgit-Baltistan region. This attack specifically targets Urdu-speaking users in the region and utilizes a newly identified spyware called Kamran .
The spyware        , Kamran          , is distributed through the Urdu version of the Hunza News app, which users are prompted to install when they access the website on their mobile devices. Kamran is a malicious app that tricks users into granting permissions to access various types of data, including contacts  , calendar events   , call logs     , location information  , device files , SMS messages   , and images . It not only displays the content of the Hunza News website but also collects sensitive user data and uploads it to a command and control server . The spyware was active on the website from January 7 to March 21, 2023 , coinciding with a period of protests in Gilgit-Baltistan  . ESET researchers have identified 22 compromised smartphones , with five of them located in Pakistan  . Kamran was not available on the Google Play Store and was downloaded from an unknown source  .
The targeted approach of Kamran highlights the need for prompt action to protect affected users’ security and privacy , as it has the potential to harvest sensitive information , leading to privacy breaches and the misuse of personal content . Victims may remain unaware of the spyware’s presence , increasing the risk of prolonged data exposure . The attack has not been attributed to any known threat actor or group   . To mitigate such threats, ESET researcher Lukáš Štefanko emphasizes the importance of downloading apps only from trusted and official sources .