Sophos Virus Removal Tool Detects and Removes Computer Threats Including Malware, Viruses, Ransomware, Worms, Trojans and Rootkits. Works Alongside Your Existing Antivirus.
SophosLabs has discovered a small cluster of Trojanized versions of Android apps, mainly marketed to people who live in Pakistan. Someone has modified these otherwise legitimate apps (clean versions are available for download on the Google Play Store) to add malicious features that seem completely focused on covert surveillance and espionage.
- W32/FakeFire-F - Viruses and Spyware - Advanced Network Threat Protection ATP from Targeted Malware Attacks and Persistent Threats sophos.com - Threat Center. Business Products. ENDPOINT PROTECTION. Intercept X Endpoint.
- Security and privacy for the entire family in one user-friendly product. Protect your Windows PCs, Macs, iPhones, iPads, and Android phones.
The modified apps look identical to their legitimate counterparts, and even perform their normal functions, but are designed to, initially, profile the phone, and then download a payload in the form of an Android Dalvik executable (DEX) file. The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user’s contact list and the full contents of SMS messages. The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe.
The selection of apps is highly peculiar, as they are neither the most popular, nor particularly unique, apps. There’s no indication that the publishers of the original apps are aware that these Trojanized versions even exist. The highest-profile app Trojanized in this way is the Pakistan Citizen Portal app, published by the government of Pakistan, but the Trojanized version never appeared in any legitimate market, as far as we know. (SophosLabs made multiple attempts to disclose this information to the government of Pakistan, the publisher of the app, prior to publication.)
Virustotal records indicated that at least one of the malware samples had been hosted at the website pmdu.info, a domain registered for the first time in early August of this year. A TLS certificate was issued to the site on August 9th. The site appears to be a very good mimicry of a Google Play Store page blended with elements from the real Pakistan Citizen Portal page hosted by the Pakistani government. It isn’t perfect, though: its banner image at the top of the page is broken, cutting off the right edge of some text.
And the website has an interesting take on copyright.
The Pakistan Citizen Portal app was created in 2019 by a government agency called the PMDU, but its real website falls under the .gov.pk domain, hosted on its own territory. This site was hosted on the IP address 5.2.78.240, an IP address that geolocates to the Netherlands.
The .info page has two buttons, labeled Google Play and Download App, but the source code for the site reveals that no matter which link you click, you get the same APK file hosted on the .info domain – the malicious version.
While digging around for links to the .info version of the domain, we stumbled upon a reference to the domain hosting the malware in a surprising location: Atop the page for an official Pakistani governmental department, the Trading Corporation of Pakistan (or TCP).
This banner appeared atop the TCP website for several weeks.
The text of the domain name hosting the malicious Android app was prominently displayed in one of a series of rotating banners atop the web page for this division of the country’s Ministry of Commerce. The link was not clickable, as the entire thing is one large static image.
Targets of the malware may have received links via SMS messages or email instructing them to download the app from the fake Pakistan Citizen Portal webpage. Why someone would then deface a web page to add the bogus domain is harder to understand.
Complicating matters, on January 10, 2021, as we prepared to publish this story, the TCP webpage was replaced with just a single line of text: Hacked by 9bandz
A cursory search for this name revealed at least 93 websites that have been identically defaced, their contents replaced with a similar message since October, 2020. A user of a crimeware forum with a user with the same name also posted this advertisement for “selling government web shells with full access to directories and files” in December.
While there’s no evidence tying this action to the person who claimed the defacement, it’s hard to ignore the correlation.
More Trojanized apps
In addition to the official Pakistan Citizen Portal (com.govpk.citizensportal) app, we also found modified versions of a muslim prayer-clock app called Pakistan Salat Time (com.tos.salattime.pakistan); an app used to price-compare mobile phone plans called Mobile Packages Pakistan (com.blogspot.istcpublishers.mobilepackagespakistan); a utility that can check a phone’s SIM card for validity called Registered SIMs Checker (com.siminformation.checker), and a maliciously modified version of the app published by TPL Insurance (com.tpl.insuranceapp), a company that describes itself as “the first insurance company in Pakistan to sell general insurance products directly to the consumer.”
One anomalous app we could find no specific benign analogue of called itself Pakistan Chat (com.PakistanChatMessenger). This app appears to leverage the API of an otherwise legitimate chat service called ChatGum, and connects to a ChatGum server, but also conducts covert surveillance and exfiltration of data from the user’s phone.

The apps all feature, as their primary set of functions, code that appears to be focused on espionage and covert data exfiltration: When run, the apps initially send the device’s unique IMEI identifier and a timestamp along with a username and password combination (a# and def, respectively), to a command-and-control (C2) server by means of an HTTP POST request to the server.
Immediately after submitting this information, the app retrieves a DEX payload, then begins in earnest to HTTP POST a series of data bursts. In most cases the payload was named class.dex, but the Trojanized TPL Insurance app, retrieves a payload named class_tpl.dex.
After the app loads the DEX file payload, it begins a series of uploads of data to its C2. The malware sends detailed profile information about the phone, location information, the user’s full contact list, the contents of text messages, call logs, and the full directory listing of any internal or SD card storage on the device.
We left the Pakistan Salat Time running on a test device for several days, but did not interact with the phone during that time; Four days after installing the app, when we unlocked the phone, the app began exfiltrating at a rapid pace, transmitting not only the contents of messages, but every one of a directory full of screenshots created in the course of this research.
The Pakistan Citizen Portal app prompts the user to enter their national ID credentials, such as their national identity card (CNIC) number, their passport details, and the username and password for Facebook and other accounts. In tests, this information was exfiltrated along with the rest.
In each sample we ran, when we first installed the spyware, it hints at its intentions by requesting some fairly privacy-invasive permissions, such as the ability to read SMS messages and contact lists, that allow it to read the relevant data on a victim’s device.
While a few of these permissions might be appropriate under limited circumstances, depending on the app, the sheer number of them in apps that seemingly have no reason to ask for them — for instance, in the Salat Time (muslim prayer clock) app shown below — may tip the threat actor’s hand and make it easier for an attentive user to notice the excessive permissions requests, and cancel the installation.
Under the hood
The AndroidManifest.xml file in an app declares things like the names of services and receivers. In these spyware apps, the manifest file listed several additional services and receivers that appear to reference a section of the malicious code that we couldn’t find. We suspect these might be reserved for features that have yet to be implemented. The service names “SoundRecordService” and “CallRecordService” seem to be in character with the espionage focus of the app.
In the course of uploading the data from a phone, the malware received a JSON-format configuration in plain text that references these features.
The spyware components take the form of one of two additional packages compiled into the final app. In the malicious apps, these are named com.android.volley or com.android.update. This may be an attempt to disguise the contents of the libraries; there’s a completely benign HTTP library package named com.android.volley made by Google and, well, the presence of an Android update package comes across as completely innocuous, unless you look under the hood.
Designed for stealth
The creators of this app are fixated on concealment and stealth; Not only do they mimic legitimate apps, and disguise their malicious code as legitimate libraries, but they also encrypt sensitive strings using AES and a hardcoded key. The strings include the command-and-control (C2) server addresses, and the URL paths used by the spyware to exfiltrate data and request instructions.
To remain stealthy, many of the samples contained minimal spying functionality initially. That comes later, when the malware APK quietly downloads and runs a compiled .dex Android binary hosted on the C2 server. This .dex file contains most of the spying and exfiltration code the malware uses, which means this code doesn’t get swept up in initial scans of the apps. This downloadable .dex method also enables the author(s) to seamlessly update the functionalities in the spyware.
In keeping with the stealthy theme, the spyware XORs most of the data it transmits back to the C2 server. Upon exfiltrating the collected data, the apps may display a dialog box or warning message that says something like “The system is under necessary maintenance, please try later.”
The operators of this malicious network also registered domain names that seem to correlate with the apps they mimic. The Pakistan Chat app (as well as a few others) connect to the domain pakchat.online, hosted on a server in Latvia, while the fake TPL Insurance app uploads its stolen data to, and retrieves the DEX file from, the domain tplinsurance.xyz, hosted on a server in Bulgaria. The Pakistan Salat Time app, unusually, used a hostname from a dynamic DNS service, kv33.zapto.org, as its C2. That domain resolved to an IP address based in the USA.
Watch where you get your apps
This spyware is under active development. In the course of pursuing this research, SophosLabs also found what appeared to be test versions of the spyware, presumably used by the malware author(s) to test before they merged the code with clean apps.
In the current Android ecosystem, apps are cryptographically signed as a way to certify the code originates with a legitimate source, tying the app to its developer. However, Android doesn’t do a good job exposing to the end user when a signed app’s certificate isn’t legitimate or doesn’t validate. As such, users have no easy way of knowing if an app was indeed published by its genuine developer.
This allows threat actors to develop and publish fake versions of popular apps. The existence of a large number of app stores, and the freedom of users to install an app from practically anywhere makes it even harder to combat such threats.
To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Developers of popular apps often have a web site, which directs the users to the genuine app. Users should verify if the app was developed by its genuine developer. We also advise users to consider installing an antivirus app on their mobile device such as Sophos Intercept X for Mobile that defends their device and data from such threats.
Sophos Intercept X for Mobile detects this spyware as Andr/Spy-BDD. SophosLabs has published indicators of compromise on its Github page.
Sophos Web Security and Control Test Site
This test site contains pages classified by SophosLabs for the purpose of testing our web security and control products. Note that some pages are classified as potentially offensive or dangerous however the page content itself should be considered safe for viewing in all circumstances.
Sophos Sandstorm Test Files
These files enable testing and demos of Sophos Sandstorm on Sophos products enabled with Sandstorm. They are harmless files with active content that will trigger Sophos Sandstorm analysis.
SandStorm Test File 1
SandStorm Test File 2 (email only)
Sophos HIPS Test Files
These files enable testing and demos of Sophos behavior protection (HIPS) feature for endpoint products. The executable is a harmless file that will trigger a behavior-based Sophos detection HPmal/Eicar-A.
Sophos HIPS Test (zip)
Sophos HIPS Test (exe)
Adult or Sexually Explicit
Includes sites for adult products including sex toys, CD-ROMs, and videos; child pornography and pedophilia (including the IWF list); adult services including video-conferencing, escort services, and strip clubs; erotic stories and textual descriptions of sexual acts; explicit cartoons and animation; online groups, including newsgroups and forums that are sexually explicit in nature; sexually-oriented or erotic sites with full or partial nudity; depictions or images of sexual acts, including with animals or inanimate objects used in a sexual manner; sexually exploitive or sexually violent text or graphics; bondage, fetishes, genital piercing; naturist sites that feature nudity; and erotic or fetish photography, which depicts nudity.
Note: We do not include sites regarding sexual health, breast cancer, or sexually transmitted diseases (except those with graphic examples).
Advertisements and Pop-ups
Includes sites of banner ad servers, sites with pop-up advertisements, and sites with known adware.
Note: Sophos's advanced categorization data uses the most current technical definition for Adware, and thus recognizes the difference between non-malicious adware, such as 'cookies' and more serious Spyware.
Alcohol or Tobacco
Includes sites that promote or distribute alcohol or tobacco products for free or for a charge.
Anonymizers
Includes sites that operate proxy services, or offer proxy software, with the specific intent of defeating security and control.
Arts
Includes sites for museums, galleries, artist sites (sculpture, photography, etc.), performing arts (theater, vaudeville, opera, symphonies, etc.), dance companies, studios, and training; book reviews and promotions; and variety magazines and poetry.
Blogs and Forums
Includes sites of weblogs (blogs), newsgroups, and opinion or discussion forums.
Business
Includes general business corporate web sites, international and multi-national large general business corporate sites, business associations, and basic business sites, such as FedEx, that enable organizations to manage their necessary daily business tasks.
Note: Business sites that fit more appropriately into another related category, such as Finance or Travel, will be categorized in those categories.
Call Home
Includes sites identified to be used for command & control servers (callhome, C2) by malware running on infected computers.
Chat
Includes sites of web-based chat and instant message servers.
Computing and Internet
Includes sites of reviews, information, buyer's guides of computers, computer parts and accessories, computer software and internet companies, industry news and magazines, and pay-to-surf sites.
Criminal Activity
Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.
Custom
Includes sites categorized for use with a custom policy. For example, you could set sites that you want to be always approved by adding them to your local classifications list, and setting their Risk class to Trusted and their Site category to Custom.
Downloads
Includes sites for downloadable (non-streaming) movie, video or sound clips; downloadable PDA software, including themes and graphics; freeware and shareware sites; personal storage or backup sites; and clip art, fonts and animated .gif pages.
Note: This category does not include update sites such as those for operating systems, anti-virus agents, or other business-critical programs.
Education
Includes sites for educational institutions, including pre-schools, elementary, secondary, and high schools and universities; educational sites at the pre-school, elementary, secondary, and high school and university levels; distance education and trade schools, including online courses; and online teacher resources (lesson plans, etc.).
Eicar
The Standard Anti-Virus Test File.
Entertainment
Includes sites about television, movies, music and video programming guides; online magazines and reviews of the entertainment industry; celebrity fan sites; broadcasting firms and technologies (satellite, cable, etc.); horoscopes; jokes, comics, comic books, comedians, or any site designed to be funny or satirical; online greeting cards; and amusement and theme park sites.
Fashion and Beauty
Includes sites of fashion or glamor magazines, online beauty products, and cosmetics.
Finance and Investment
Includes sites for stock quotes, stock tickers, and fund rates; online stock or equity trading; online banking and bill-pay services; investing advice or contacts for trading securities; money management or investment services or firms; general finances and companies that advise about finances; and accountancy, actuaries, banks, mortgages, and general insurance companies.
Food and Dining
Includes sites for recipes, cooking instruction and tips, food products, and wine advisors; restaurants, cafes, eateries, pubs, and bars; and food and drink magazines and reviews.
Gambling
Includes sites of online gambling or lottery web sites that invite the use of real or virtual money; information or advice for placing wagers, participating in lotteries, gambling, or running numbers; virtual casinos and offshore gambling ventures; sports picks and betting pools; and virtual sports and fantasy leagues that offer large rewards or request significant wagers.
Note: Casino, hotel, and resort sites that do not feature online gambling or provide gaming tips are categorized under Travel.
Games
Includes sites for game playing or downloading, game hosting or contest hosting, tips and advice on games or obtaining cheat codes ('cheatz'), and journals and magazines dedicated to online game playing.
Government
Includes sites for local, state, federal and international government sites, and government services, such as taxation, armed forces, customs bureaus, and emergency services.
Hacking and Computer Crime
Web pages that provide 'how-to' directions, or otherwise enable, fraud, crime, or malicious activity that is computer oriented. Web pages related to computer crime include malicious hacking information or tools that help individuals gain unauthorized access to computers and networks (root kits, kiddy scripts). Also included are other areas of electronic fraud such as dialer scams and illegal manipulation of electronic devices. Illegal software does not fall under this category; see 'Illegal Software'.
Health and Medicine
Includes sites for prescription medicines; medical information and reference about ailments, conditions, and drugs; general health, such as fitness and well-being; medical procedures, including elective and cosmetic surgery; dentistry, optometry, and other medical-related sites; general psychiatry and mental well-being sites; psychology, self-help books, and organizations; promoting self-healing of physical and mental abuses, ailments, and addictions; alternative and complementary therapies, including yoga, chiropractic, and cranio-sacral; and hospital and medical insurance sites.
Hobbies & Recreation
Includes sites for recreational pastimes, such as collecting, gardening, and kit airplanes; outdoor recreational activities, such as hiking, camping, and rock climbing; tips or trends focused on a specific art, craft, or technique; online publications on a specific pastime or recreational activity; online clubs, associations, or forums dedicated to a hobby; traditional games, such as board games and card games, and their enthusiasts; and animal and pet related sites, including breed-specific sites, training, shows, and humane societies sites.
Hosting Sites
Includes web sites that host business and individuals' web pages, for example GeoCities, earthlink.net, and AOL.
Illegal Drugs
Includes sites for recipes, instructions or kits for manufacturing or growing illicit substances for purposes other than industrial usage; glamorizing, encouraging, or instructing on the use of or masking the use of alcohol, tobacco, illegal drugs, or other substances that are illegal to minors; information on 'legal highs', including glue sniffing, misuse of prescription drugs, or abuse of other legal substances; distributing illegal drugs free or for a charge; and displaying, selling, or detailing the use of drug paraphernalia.
Infrastructure
Includes sites for content delivery networks, XML reference schemas, web analytics and statistics services, transaction servers, and corporate image servers.
Intimate Apparel and Swimwear
Includes sites for lingerie, negligee, and other intimate apparel modeling; swimwear modeling; models' fan pages; modeling information and agencies; and fitness models and sports celebrities sites.
Intolerance and Hate
Includes sites that advocate or incite degradation or attack of specified populations or institutions based on associations such as religion, race, nationality, gender, age, disability, or sexual orientation; sites that promote a political or social agenda that is supremacist in nature and exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation; holocaust revisionist or denial sites and other revisionist sites that encourage hate; coercion or recruitment for membership in a gang or cult; militancy and extremist sites; and flagrantly insensitive or offensive material, including those with a lack of recognition or respect for opposing opinions and beliefs.
Note: We do not include news, historical, or press incidents that may include the above criteria (except in graphic examples).
For the purposes of this category, a gang is defined as: a group whose primary activities are the commission of felonious criminal acts, which has a common name or identifying sign or symbol, and whose members individually or collectively engage in criminal activity in the name of the group. A cult is defined as: a group whose followers have been deceptively and manipulatively recruited and retained through undue influence such that followers' personalities and behavior are altered; a group in which leadership is all-powerful, ideology is totalistic, and the will of the individual is subordinate to the group; and a group that sets itself outside of society.
Job Search and Career Development
Includes sites of employment agencies, contractors, job listings, career information, career searches, and career-networking groups.
Kid's Sites
Includes child-oriented sites and sites published by children.
Malware

Includes sites identified to be hosting malicious content, representing a significant security concern.
Motor Vehicles
Includes sites for car reviews, vehicle purchasing or sales tips, and parts catalogs; auto trading, photos, and discussion of vehicles including motorcycles, boats, cars, trucks, and RVs; journals and magazines on vehicle modification, repair, and customization; and online automotive enthusiast club sites.
News
Includes online newspapers, headline news sites, newswire services, personalized news services, and weather sites.
Peer-to-Peer
Includes peer-to-peer file sharing clients and peer-to-peer file sharing servers.
Personals and Dating
Includes singles listings, matchmaking and dating services, advice for dating or relationships, and romance tips and suggestions sites.
Philanthropic and Professional Organizations
Includes sites of philanthropic and charity organizations, environmental organizations, professional associations, labor unions, and social organizations.
Phishing or Fraud
Includes sites involved in phishing and telephone scams, service theft advice sites, and plagiarism and cheating sites, including the sale of research papers.
Photo Searches
Includes sites that provide resources for photography, image searches, online photo albums, digital photo exchanges, and image hosting.
Politics
Includes sites for political parties; political debate, canvassing, election information, and results; and conspiracy theory and alternative government view sites that are not hate-based.
Proxies and Translators
Includes sites for remote proxies or anonymous surfing, search engine caches that circumvent filtering, and web-based translation sites that circumvent filtering.
Real Estate
Includes sites for home, apartment, and land listings; rental or relocation services; tips on buying or selling a home; real estate agents; and home improvement sites.
Reference
Includes sites for personal, professional, or educational reference; online dictionaries, maps, and language translation sites; census, almanacs, and library catalogs; and topic-specific search engines.
Religion
Includes sites of churches, synagogues, and other houses of worship; any faith or religious belief sites, including non-traditional religions such as Wicca and witchcraft.
Reputation
Includes files identified by Sophos as having a low or medium reputation.
Ringtones and Mobile Phone Downloads
Includes sites of providers of mobile phone downloads, including ringtones, logos, backgrounds, screensavers, and games.
Search Engines
Includes general search engines, such as Yahoo, AltaVista, and Google.
Sex Education
Includes sites with pictures or text advocating the proper use of contraceptives; sites relating to discussion about the use of the pill, IUDs, and other types of contraceptives; and discussion sites on how to talk to your partner about diseases, pregnancy, and respecting boundaries.
Note: Not included in the category are commercial sites that sell sexual paraphernalia. These sites are typically found in the Adult category.
Shopping
Includes sites for department stores, retail stores, company catalogs, and other sites that allow online consumer shopping, sites for online auctions, online downloadable product warehouses, specialty items for sale, and freebies or merchandise giveaways.
Society and Culture
Includes sites on home life and family-related topics, including weddings, births and funerals; parenting tips and family planning; non-pornographic gay, lesbian, and bisexual issues; foreign cultures and socio-cultural information; and non-explicit tattoo and piercing parlors.
Spam URLs
Includes URLs found in spam, particularly on these topics: computing, finance and stocks, entertainment, games, health and medicine, humor and novelties, personal and dating, products and services, shopping, and travel.
Sports
Includes sites for team or conference web sites; national, international, college, professional scores and schedules; sports-related online magazines or newsletters; and fantasy sports and virtual sports leagues that are free or low-cost.
Spyware
Includes sites that provide or promote information gathering or tracking that is unknown to, or done without the explicit consent of, the end user or the organization, including sites that carry malicious executables or viruses, third party monitoring, and other unsolicited commercial software, spyware, and malware 'phone home' destinations.
Note: The technical definition of Spyware used for this category may not exactly match the definition used elsewhere by Sophos. This category focuses on filtering malicious and tracking content, not simply adware and cookies. For non-malicious adware filtering, please block the Advertisements and Pop-ups category.

Streaming Media
Includes sites for streaming media files or events (any live or archived audio or video file), Internet TV and radio, non-explicit personal webcam sites, telephony sites that allow users to make calls via the internet, and VoIP services.
Tasteless or Offensive
Includes sites that feature offensive or violent language, including through jokes, comics, or satire, and excessive use of profanity or obscene gesticulation.
Travel
Includes sites of airlines and flight booking agencies, accommodation information, travel package listings, city guides and tourist information, and car rentals.
Violence
Includes sites portraying, describing or advocating physical assault against humans, animals, or institutions; depicting torture, mutilation, gore, or horrific death; advocating, encouraging, or depicting self-endangerment, or suicide, including through eating disorders or addictions; instructions, recipes, or kits for making bombs or other harmful or destructive devices; sites promoting terrorism; and excessively violent sports or games, including videos and online games.
Note: We do not block news, historical, or press incidents that may include the above criteria, except those that include graphic examples.
Weapons
Includes sites with online purchasing or ordering information, including lists of prices and dealer locations; any page or site predominantly containing, or providing links to, content related to the sale of guns, weapons, ammunition or poisonous substances; displaying or detailing the use of guns, weapons, ammunition or poisonous substances; and clubs which offer training on machine guns, automatics, other assault weapons, and sniper training.
Note: Weapons are defined as something (as a club, knife, or gun) used to injure, defeat, or destroy.
Web-Based Email
Sophos Utm Anti Spyware
Includes sites for web-based e-mail accounts and messaging sites.
Sophos Malware Removal
Learn more about our web security and control products at our main sophos.com website.
