When an app posed security threat to Indian Army and was taken offline by Google

Whenever we download an app, we generally grant all the permission the app asks for. This leads to a lot of security issues we often tend to ignore. Sometimes, even leading to lapses in national security. Recently, CNN-IBN reported the use of spyware to track our soldiers. The spyware in question was SmeshApp, a messenger app that was being used by ISI to access the data on the smartphones of our service personnel. The app, which was available on Google Playstore, has since been removed.

The app accessed the data on the smartphones, including phone call logs, stole text messages and gallery and also had access to GPS functionality. It stored the information on a server, pbxmobiflex.com, located in Germany and was hosted by Sajid Rana, a Pakistani based out of Karachi. The CNN investigation also claimed that the app was being used by ISI prior to the attack on Pathankot Air Force Base.

The modus operandi was simple. Soldiers are lured through fake Facebook profiles to download the app for chatting. Once the app is downloaded it can then be used for tracking their movements. More than 10 Facebook profiles were used to lure soldiers into downloading the app, and over a dozen military personnel were unwittingly in touch with Pakistani handlers, according to IBN.

This breach throws light on the danger the country exposes itself to when it does not equip its soldiers with even the basic technological know-how. While installing the app from the app store one can view the screen where the app asks for permission to use various functionalities of the device. This should have been a significant warning, had the soldiers been technologically aware.

Apart from the armed forces, even paramilitary forces like Border Security Force (BSF) and Central Industrial Security Force (CISF) were also said to have been targeted. CNN-IBN's investigation revealed a storehouse of information.

“Their entire contact list was seen, SMS records and photo gallery could be accessed and calls could be recorded. Also the app could be used to start a recording of audio and video, almost taking over the phones of the service personnel by remote,” the report on the news channel's website claimed.

Following the reports, Google de-listed the app from its Play Store. It had already been downloaded over 500 times before it was removed, pointing to a huge breach in the country's security. The Indian forces have already blacklisted several apps and banned their usage. In 2014, there were reports of Redmi phone sending data to few servers in China. As a result, the Indian Air Force banned the use of Xiaomi phones with their airmen and officers.