Apps being used for purposes that are less than noble is a common occurrence. However, the use of technology for peace time espionage hit a new low as Google has forcibly removed SmeshApp, from the Play Store. The app was reportedly being used by Pakistani intelligence agencies to spy upon Indian Army personnel.
As per reports coming in from various sources, the spyware was removed by Google, after it was discovered that the app was being used to collect crucial information from the devices being used by army personnel. The app continues to highlight a crucial drawback to softwares being overly open-sourced — illegal content coming up without any curation.
If you aren’t aware, apps which you see on Google’s Android Play Store aren’t really curated in any form whatsoever (except for that initial rating, given by developers themselves). This makes its a cakewalk for anyone wishing to publish almost all sorts of app on the store. On the contrary, Apple forces apps through intense scrutiny and an approval process, making it much more difficult for developers to publish apps.
As far as this ‘Smesh App’ is concerned, data was apparantly siphoned off via this app may have been responsible for a data leak that occurred right after the Pathankot terror attack as well.
So how could this happen and why did it took so long for the application to be recognized for what it was? More importantly, how could veterans of the army be unwittingly lured into parting with secrets they would never willingly reveal?
Apparently, agencies operating out of Pakistan, managed to do this via social networking, by taking help of a trick known as the honeytrap. These agencies set up a bunch of fake accounts on Facebook and started adding up soldiers in their friend list. While some may have declined the request coming from unknown women, others, flattered perhaps, accepted it. What’s more, these accounts were carefully created to appear legitimate as well as patriotic and indeed, had ex-soldiers in their contacts list.
Ironically, the more soldiers were snared, the more legitimate the account seemed. Once this was done and an initial contact between Pakistani handlers posing as beautiful women and members of the Indian Army was established, the next phase of the operation began — which involved getting the armymen to install SmeshApp on their smartphones.
On the surface, SmeshApp appeared like your regular, run-of-the-mill IM app and is quite similar to WhatsApp and Telegram. However, once the app was installed — and granted all sorts of permission by the user at the time of installation — it began transmitting all type of data, including photos, location data, messaging data, e-mail, browsing data, etc, to a distant server. The server in this case was based in Germany and was being operated by a Pakistani.
What’s more, the app also attempted to increase its reach by sending requests to all the contacts saved in the device. Before discovery, the app had been downloaded and installed over 500 times and indeed, had a rating of over 4 stars.
The app was able to collect quite a bit of information, including that associated with troop movement in the aftermath of the cowardly attack on Pathankot, before a CNN-IBN led Investigation revealed it for a spyware. The app was available on the PlayStore until late last night.
As per a statement issued by Google, right after it removed the app,
We remove applications that violate our policies, such as apps that are illegal, deceptive or that promote hate speech once notified. As a policy, we don’t comment on individual applications.
The damage has already been done. However, the situation could have been a whole lot worse, if the nature of the app wasn’t discovered until later. Meanwhile, the fact that these attempts to siphon data from armymen, are succeeding despite guidelines issued by the army — in wake of the arrest of airman Ranjith KK on December 28 last year, after he was tricked into sharing sensitive details about air bases with a spy on Facebook — is very worrying.
Speaking on the topic, a senior army officer, who wished to remain anonymous told The Tech Portal,
The army has its guidelines in place. However, while most other jobs have a clear, well-defined line between your personal and professional lives, the very nature of the work as well as the sensitiveness of the information you may be dealing with on a routine basis, makes matters much more problematic.
Which is also why the guidelines, which include a prohibition on disclosing their actual identity or rank on IM services for armymen, are failing to keep things secure. An offhand remark to a casual acquaintance over chat may end up in the wrong hands.
Meanwhile, most experts are of the opinion that a central Defense system dealing with these attempts along with an increase in personal awareness and diligence on part of Defense personnel may be what’s needed to counter espionage acts — acts which have become much easier, thanks to the inclusion of technology into every aspect of our daily lives.