Disclaimer: This article has been published for general user awareness in good faith and subsequent precautions. It does not contain any information which is outside the scope of open sources. There has been a considered effort to keep the contents factual, inclusive and the assessment to be objective.
The Government of Pakistan recently announced that its indigenous communications platform Beep Pakistan, purportedly an alternate to Meta's WhatsApp, has been tested and is ready for deployment.
Though the application's initial announcement was made by the federal government of Pakistan Tehreek-e-Insaf on 20 July 2021, it was only on 7 August 2023 during the interim rule of 'Pakistan Democratic Movement (PDM)' that the application was formally launched. While further technical details on Beep Pakistan are yet to be disclosed, we do know that its official website was registered on 28 December 2023 with nameservers linked to RapidCompute (a division of Cybernet/ Lakson Group) and the National Telecom Corporation (NTC).
Prior to its formal launch (7 August 2023), Beep Pakistan was a relatively low-priority issue of discussion in the mainstream media and did not garner mentionable attention. Following the recent launch, two deceptive entities (mis)using the name and brand identity of "Beep Pakistan" emerged in parallel.
Deceptive Application
On 9 August 2023, within two days of Beep Pakistan's launch by then PDM government, an Android application of the same name emerged on Google Play Store, uploaded by a developer 'Hi-Tech Umair'; the profile belongs to a young online content creator named Umair Mehmood Arshad with listed email address "[email protected]" and domain name "hitechumair.com". Umair operates multiple social media accounts for content propagation, focusing almost entirely on tech reviews and IT issues. Another identifiable email address is "[email protected]". His website has an active Google Adsense account (ca-pub-2062276266318233) and Google Tag (G-ZF4W8908S6).
The application by Umair does not ask for special access permissions to the installer's device and instead opens a static landing page with no interactive interface except a box that directs the user to his YouTube channel. This particular act and entity falls in the category of 'Imposter Content' which deceptively lures unsuspecting users to install impersonated applications.
Umair's deceptive "Beep Pakistan" application is not 'hostile' per se, but was timed to coincide with the launch of the same project by the then interim government. By 19 August 2023, it was installed in 1,000+ devices and the number crossed the 5,000 mark by end of September 2023. Its installation is increasing/ on an upward curve since January 2024. Google Play Store statistics indicate that this number is continuously rising and has already crossed the 10,000 mark.
Deceptive Website
On 11 August 2023, a domain name "beepapk.com" (Beep APK) was registered through Hostinger International, a web hosting company headquartered in Lithuania. From an interface perspective, the site is extremely basic with the use of default Wordpress formatting, suggesting that little to no effort was put in to customise its appearance.
Before proceeding to a set of custom-generated text explaining what the application is, the website owner placed a link that apparently helps download the direct Android Package Kit (APK) file for 'Beep'. However, an examination of the file through Android emulation software reveals that the APK file is the same as that already hosted on Google Play Store with the name of Beep™. The original application/ product is owned by AF Payments Inc. in the Philippines.
The APK file may leave the user wondering what relevance it has to the original "Beep Pakistan". In this case, the activity and entity comes in the category of 'False Context' whereby an actor shares genuine content with false contextual information. There is one difference from Umair though: the actor in this case has infringed upon and (mis)used the intellectual property and branding content owned by a registered Filipino entity and constitutes a criminal offence without question; AF Payments Inc. is ultimately owned by a company in the UK, so the legal liabilities involve two separate jurisdictions.
The site embeds a Google Adsense code (ca-pub-2062276266318233) which is common to/ also embedded in five other sites:-
1. newchristmaswishes.com
2. thecastleapp.com
3. onepkr.com
4. ghdsportsapks.com
5. hamarastore.online
In all likelihood, the back-end actor responsible for operating these domain names is one and the same person. We notice, for example, that the site "onepkr.com" mentions author name of all posts as "[email protected]". A reverse lookup of this email address revealed association with dozens of additional domain names with most of them embedded with unique Google Adsense IDs. One such domain "physicalhub.store" accessed through cache reveals the username "zaheer", suggesting a Pakistan-based link or to someone of Pakistani-origin based overseas.
On a separate note, the site's domain tree contains (failed) attempts to connect to IP address 94.156.79.8; this Bulgarian IP address corresponds to "hostpdf.co", a website that is in the radar of credible cyber threat intelligence researchers for its links to Angel Drainer, a JavaScript-based malware used by cyber criminals to drain unsuspecting users' crypto wallets. From this perspective, basic access to the domain "beepapk.com" itself poses a security risk.
Assessment
The deceptive application published by Umair Mehmood Arshad falls in the category of Imposter Content.
The website "beepapk.com" falls in the category of False Context and furthermore poses the threat of malware installation. Its ownership is very likely to be Pakistani but the actors have yet to be identified.
The deceptive application as well as the website apparently serve as vehicles to lure increased web traffic by (mis)using the name of "Beep Pakistan" (Government of Pakistan) and also Beep™ (AF Payments Inc, Philippines).
On the outset, there is no verifiable information that could connect/ link Umair's application with the deceptive website; they appear to be distinct entities maintained by unrelated actors.
Recommendations
The Government of Pakistan may choose to contact Google to get Umair's deceptive application removed from Google Play Store and also from other APK-hosting forums.
The Government of Pakistan may choose to contact Hostinger International to provide data on "beepapk.com" or have it taken down; ideally, data from the web host could help pinpoint the actor responsible for setting up this misleading site. To facilitate further help and to strengthen their case, officials in Pakistan can coordinate with the management of Beep™ via the Filipino Mission in Pakistan for mutual benefit.
Google authorities may be requested to cease monetisation of all identified Adsense IDs associated with above-mentioned entities.
The Government of Pakistan should preferably run a mainstream as well as social media announcement that "Beep Pakistan" application has not yet been released for public access and to beware of imposters.
Lastly, the Government of Pakistan may consider setting trademark and intellectual property copyright restrictions on the "Beep Pakistan" brand name and associated logo.