SmeshApp: Pakistan spied on Indian military personnel using an app

The recent attack on the Pathankot air force base, which resulted in at least 6 deaths, was carried out with a marked degree of foresight and knowledge of the air base. It has just come to light that part of the intelligence gathered for that attack came from an app called SmeshApp.

Google on Tuesday removed the malicious SmeshApp from its Play Store after a CNN-IBN investigation revealed that Pakistan was using it to snoop on Indian military personnel. The app was used to access crucial information on troop movements and counter-terrorism operations.

Honeytraps on Facebook

Pakistani intelligence apparently set up fake accounts on Facebook (at least 10, reportedly) and established a honeytrap. The accounts would be used to entice soldiers into installing SmeshApp on their phones. Accounts related to the Air Force, Navy, Border Security Force (BSF) and Central Industrial Forces were targeted.

These honeytraps apparently bore an air of patriotism and legitimacy by ensuring that the friends list was filled with retired soldiers. Basically, the more soldiers the accounts ensnared, the more legitimate the accounts seemed.

Once a soldier was trapped and SmeshApp was installed, Pakistani intelligence acquired full access to all the personal data related to that soldier. This includes real-time updates of his location and even the ability to record the environment via the microphone.

How does SmeshApp work?

On the surface, SmeshApp is nothing more than a clone of WhatsApp or Telegram. As with most apps in the Google Play Store, the app asks for permission to access your contacts, photos and other such personal information.

The app then sends requests to all members in the infected phone’s contact list, building up a database of users and gathering information. This information can be in the form of photos, location data, messaging data, e-mail, browsing data, etc. Basically, everything you do on your phone is transmitted to an unknown server, which is now a slave to the app.

In the case of SmeshApp, the server was apparently hosted in Germany and was operated by someone from Karachi. Sadly, the information that was leaked contained vital information on troop movements and counter-terrorism operations.

If you really think about it, what SmeshApp did was nothing unusual. As mentioned earlier, most apps on the Play Store and App Store try to gather as much personal information as they can. Data is, after all, priceless. Services like Telegram and WhatsApp at least take the trouble to encrypt the data on their servers, or at least they claim they do. Can you know for sure?

SmeshApp had apparently been downloaded over 500 times and boasted a rating of 4.0 at the time it was pulled from the store. Google issued a statement saying, “We remove applications that violate our policies, such as apps that are illegal, deceptive or that promote hate speech once notified. As a policy, we don’t comment on individual applications.”

What can we do?

Apps like SmeshApp can and will flourish on app stores across platforms. Information is king and most app-makers depend on monetising your information to make money. If you really wanted to, even you could make an app like SmeshApp in record time and have it published.

As Pavan Duggal, an advocate specializing in the field of cyberlaw, pointed out to CNN-IBN, the only real defence is “individual due diligence.” In other words, you need to exercise caution on a personal level.

The army itself doesn’t seem to have any guidelines in place with regard to the online presence of its soldiers, and it’s high time that it did. Simple steps such as the use of recommended apps, guidelines limiting the sharing of sensitive information, etc., need to be implemented. Pavan Duggal also talks about a unified cyber command, which has been in the works for a great many years.

Over the years, mobile phones have transformed from a simple device for making calls to a portable camera, a computer, and now a full-fledged IoT device that has access to virtually every aspect of your life. Care must be taken when using it, especially in such sensitive cases as military operations.
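A "recommended apps" guideline like the one above can be checked mechanically before an app is allowed on a device. The following is an added example, not part of the original article and not SmeshApp's actual manifest: it audits a decoded AndroidManifest.xml against an allow-list and the data categories this article names. The package names, the allow-list and the review threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Data categories named in the article, mapped to the Android permissions that gate them.
SENSITIVE = {
    "contacts": {P + "READ_CONTACTS", P + "GET_ACCOUNTS"},
    "photos/storage": {P + "READ_EXTERNAL_STORAGE", P + "CAMERA"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "microphone": {P + "RECORD_AUDIO"},
    "messages": {P + "READ_SMS"},
}

def audit_manifest(manifest_xml, approved_packages, threshold=3):
    """Report which sensitive data categories an app can reach and whether it needs review.

    manifest_xml is a decoded (text) manifest from a trusted tool; for untrusted
    XML use a hardened parser such as defusedxml instead of ElementTree.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    exposed = sorted(cat for cat, perms in SENSITIVE.items() if perms & requested)
    has_network = (P + "INTERNET") in requested
    approved = package in approved_packages
    return {
        "package": package,
        "approved": approved,
        "exposed": exposed,
        # Sensitive data plus network access means the data can leave the device.
        "can_exfiltrate": has_network and bool(exposed),
        # Assumed policy: unapproved app, network access, many sensitive categories.
        "review": (not approved) and has_network and len(exposed) >= threshold,
    }

# Constructed sample manifest for a hypothetical chat app (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
APPROVED = {"org.example.approvedchat"}  # hypothetical organisation allow-list

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, APPROVED))
```
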

Jay Prakash Kumar