SmeshApp: How Pakistan spied on Indian military personnel using an app from the Play Store

The recent attack on the Pathankhot air force base, resulting in at least 6 deaths, was carried out with a marked degree of foresight and knowledge of the air base and operations. It has just come to light that part of that intelligence gathered for that attack was due to an app called SmeshApp. Although Google removed SmeshApp from the Play Store, the damage has already been done. Honeytraps on Facebook Pakistan intelligence apparently set up fake accounts on Facebook (at least 10, reportedly) and established a honeytrap. The account would be used to entice soldiers into installing SmeshApp on their phones (more on that later). Accounts related to Air Force, Navy, Border Security Force (BSF) and Central Industrial Security Forces were targeted. These honeytraps apparently bore an air of patriotism and legitimacy by ensuring that the friends list was filled with retired soldiers. Basically, the more soldiers the account ensnared, the more legitimate the accounts seemed. Once trapped and SmeshApp installed, Pakistani intelligence acquired full access to all the personal data related to that soldier. This includes real-time updates of his location and even the ability to record the environment via the microphone. How does SmeshApp work? On the surface, SmeshApp is nothing more than a clone of WhatsApp or Telegram. As with most apps on the Google Play Store, the app asks for permission to access your contacts, photos and other such personal information. The app then sends requests to all members in the infected phone’s contact list, building up a database of users and gathering information. This information can be in the form of photos, location data, messaging data, e-mail, browsing data, etc. Basically, everything you do on your phone is transmitted to an unknown server, which is now a slave to the app. In the case of SmeshApp, the server was apparently hosted in Germany and was operated by someone from Karachi. Sadly, the information that was leaked contained vital information on troop movements and counter-terrorism operations. If you really think about it, what SmeshApp did was nothing unusual. As mentioned earlier, most apps on the Play Store and App Store try to gather as much personal information as they can. Data, is after all, priceless. Services like Telegram and Whatsapp at least take the trouble to encrypt the data on their servers, at least, they claim they do. Can you know for sure? SmeshApp had apparently been downloaded over 500 times and boasted of a rating of 4.0 at the time it was pulled from the store. Google issued a statement saying, “We remove applications that violate our policies, such as apps that are illegal, deceptive or that promote hate speech once notified. As a policy, we don’t comment on individual applications.” What can the we do? Apps like SmeshApp can and will flourish on app stores across platforms. Information is king and most app-makers depend on monetising your information to make money. If you really wanted to, even you could make an app like SmeshApp in record time and have it published. As Pavan Duggal, an advocate specializing in the field of cyberlaw, pointed out to CNN-IBN, the only real defence is “individual due diligence.” In other words, you need to exercise caution on a personal level. The army itself doesn’t seem to have any guidelines in place with regards to the online presence of their soldiers and it’s high time that they did. Simple steps such as the use of recommended apps, guidelines limiting the sharing of sensitive information, etc., need to be implemented. Pavan Duggal also talks about a unified cyber command, which has been in the works since a great many years. Over the years, mobile phones have transformed from a simple device for making calls to a portable camera, a computer, and now a full-fledged IOT device that has access to virtually every aspect of your life. Care must be taken when using it, especially in such sensitive cases as military operations.