Android Phishing Scam Using Malware-as-a-Service on the Rise in India



Authored by ZePeng Chen and Wenfeng Yu 

McAfee Mobile Research Team has observed an active scam malware campaign targeting Android users in India. The campaign has gone through three phases. The first is the development stage, from March 2023 to July 2023, during which a few applications were created each month. The second is the expansion stage, from August 2023 to October 2023, during which dozens of applications were created each month. The third is the active stage, from September 2023 to the present, during which hundreds of applications have been created each month. According to McAfee's detection telemetry data, the campaign has accumulated over 800 applications and has infected more than 3,700 Android devices. The campaign is still ongoing, and the number of infected devices will continue to rise.

The malware developers create phishing pages for scenarios that are easy to deceive victims with, such as electricity bill payments, hospital appointments, and courier package bookings. They use different applications to load different phishing pages, and the applications are eventually sold to scammers. In our analysis we found more than 100 unique phishing URLs and more than 100 unique C2 URLs embedded in these malicious applications, which means that each scammer who buys an application can carry out scam activities independently.

Scammers use the malware to attack victims. They typically contact victims via phone, text message, email, or social applications to inform them that they need to reschedule a service. This kind of fraud is a common and effective method. Victims are then asked to download a specific app and submit personal information. There was a report of an Indian woman who downloaded malware from a link in WhatsApp and had about ₹98,000 stolen from her. We were not able to confirm whether it was the same malware, but it is one example of how these malicious applications can be distributed directly via WhatsApp.

Because the attack scenario appears credible, many victims do not doubt the scammers' intentions. Following the instructions provided, they download and install the app. In the app, victims are induced to submit sensitive information such as personal phone numbers, addresses, bank card numbers, and passwords. Once this information falls into the hands of scammers, they can easily steal funds from the victim's bank account.

The malware not only steals victims' bank account information via phishing web pages but also steals SMS messages from victims' devices. With the stolen information, even if the bank account is protected by OTP authentication, the scammer can transfer all of the funds. The malware hosts its phishing pages on legitimate platforms so that they appear more trustworthy and evade detection.

McAfee Mobile Security detects this threat as Android/SmsSpy. For more information, and to get fully protected, visit McAfee Mobile Security.

Malware-as-a-Service (MaaS) 

We discovered that these phishing pages and malware were being sold as a service by a cyber group named ELVIA INFOTECH. A distinct difference between this malware and others is that the apps sold have an expiration date. When the expiration date is reached, some application links redirect to a payment notification page. The notification is clearly a request for the buyer to pay a fee to restore use of the malware.

Figure 1. Payment notification. 

We also discovered that the cybercriminal group was promoting the malware in a Telegram group. Based on these observations, we believe that ELVIA INFOTECH is a professional cybercriminal group engaged in the development, maintenance, and sale of malware and phishing websites.

Figure 2. Telegram group conversation.

Malware Analysis 

This malware is actively maintained and was recently updated, and hundreds of malicious applications have been created. The developers favor file names such as "CustomerSupport.apk", "Mahavitaran Bill Update.apk", "Appointment Booking.apk", "Hospital Support.apk" and "Emergency Courier.apk", and application names such as "Customer Support", "Blue Dart", "Hospital Support" and "Emergency Courier", to trick victims. Below are some of the applications' names and icons.

Figure 3. Some applications' names and icons

They not only pose as generic "Customer Support" but also impersonate popular Indian courier companies such as "Blue Dart", and they target utility customers as well by impersonating "Mahavitaran" (the Maharashtra state electricity distribution utility).

Once a victim taps the fake icon, the application launches and begins its attack.

1. Loading Phishing Pages

The phishing page loads as soon as the application is launched. It disguises itself as a page belonging to one of various legitimate services, making victims believe they are visiting a legitimate service website. Here, victims are tricked into providing sensitive information such as name, address, phone number, bank card number, and password. Once submitted, this information falls into the hands of the scammers, allowing them to access and control the victim's bank account.

We found that the majority of the applications in this campaign impersonated package delivery companies.

Figure 4. Phishing Pages Load Once App Launches 

The malware developers also designed different phishing pages for different applications, to deceive victims in other scenarios such as electricity bill payments and hospital appointments.

Figure 5. Hospital appointment and electricity bill phishing pages

2. Stealing One-Time Passwords via SMS messages

As a core design of this malware, the application requests permission to send and read SMS messages as soon as it launches.

Figure 6. Request SMS permissions. 

If the victim taps the "Allow" button, the malware starts a background service that secretly monitors the user's text messages and forwards them to a phone number retrieved from the C2 server. Note that the stolen messages leave the device as outgoing SMS to that number rather than over HTTP, so network-based detection should key on the fetch of the forwarding number from the C2 URLs listed under Indicators of Compromise below.

Figure 7. Forwarding phone number fetched from the C2 server

This step is crucial to the scam, as many banks send a one-time password (OTP) to the customer's phone for transaction verification. Using this method, the scammers obtain the OTPs and successfully complete bank transactions.
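The following Python triage script is an added example, not McAfee's code and not code recovered from the malware. It flags the SMS-interception pattern described in this section in a decoded AndroidManifest.xml (SMS permissions, a receiver for incoming SMS, a background service) and matches strings dumped from an APK against the defanged hosts listed under Indicators of Compromise. The manifest and string list below are constructed for the example; the permission names and the SMS_RECEIVED broadcast action are real Android identifiers. It assumes the manifest has already been decoded to plain XML, for instance with apktool.

```python
"""Static triage for the Android/SmsSpy pattern: SMS permissions plus an
SMS_RECEIVED receiver and a background service, and IOC matching on
extracted strings. Example code; not from the original post or the malware."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest mimicking the behaviour described above
# (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.customersupport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Customer Support">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ForwardService"/>
  </application>
</manifest>
"""

# Constructed string dump: one C2 host from the IOC list, one phishing host.
SAMPLE_STRINGS = [
    "https://adn-reg.com/data.json",
    "https://bijlipayupdate.wixsite.com/my-site",
    "android.provider.Telephony.SMS_RECEIVED",
    "Customer Support",
]

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Defanged hosts copied from the page's IOC lists; refanged only for matching.
IOC_HOSTS = [
    "adn-reg[.]com",
    "icustomrcore[.]com",
    "sms[.]hrms[.]org[.]in",
    "krishna[.]salaar[.]co[.]in",
    "courier[.]elviainfotech[.]cloud",
    "bijlipayupdate[.]wixsite[.]com",
    "appointmentservice0[.]wixsite[.]com",
    "couriers9343[.]wixsite[.]com",
    "doctorappointment34[.]wixsite[.]com",
    "hospitalservice402[.]wixsite[.]com",
]


def assess_manifest(xml_text: str) -> dict:
    """Return the SMS capabilities a decoded manifest declares and whether they
    match the intercept-and-forward pattern. This is a triage heuristic: a
    legitimate SMS app will also match, so treat hits as leads, not verdicts."""
    root = ET.fromstring(xml_text.strip())
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED sees an incoming OTP as soon as it arrives,
    # before the user opens the messaging app.
    sms_receiver = any(
        action.get(ANDROID_NS + "name") == SMS_RECEIVED
        for recv in root.iter("receiver")
        for action in recv.iter("action")
    )
    has_service = root.find(".//service") is not None
    has_internet = "android.permission.INTERNET" in perms
    can_intercept = sms_receiver or "android.permission.READ_SMS" in perms
    # The page describes forwarding by SMS; INTERNET covers HTTP exfil too.
    can_exfil = "android.permission.SEND_SMS" in perms or has_internet
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver": sms_receiver,
        "background_service": has_service,
        "internet": has_internet,
        "suspected_sms_stealer": can_intercept and can_exfil and has_service,
    }


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def match_iocs(strings, iocs=IOC_HOSTS) -> list:
    """Return (string, defanged_ioc) pairs for every string containing an IOC host."""
    return [(s, ioc) for s in strings for ioc in iocs if refang(ioc) in s]


def triage(xml_text: str, strings) -> dict:
    result = assess_manifest(xml_text)
    result["ioc_hits"] = match_iocs(strings)
    result["flag"] = result["suspected_sms_stealer"] or bool(result["ioc_hits"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The manifest check alone is noisy, which is why the script combines it with IOC matching; in practice you would also pull the forwarding number out of the C2 response and add it to your block list, but the response format is not described on the page, so that step is left out.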

Conclusion: 

This malware and the developers behind it have emerged rapidly in India from last year to now, purposefully developing and maintaining malware and focusing on deploying well-designed phishing websites on legitimate platforms. The group quietly promotes and sells its malware through social media platforms, making the spread of the malware more subtle and harder to detect. This tactic has resulted in an even more severe malware outbreak, posing an ongoing and serious threat to the financial security of Indian users.

These campaigns are very persistent, and using many different applications on different websites can trick many victims into installing these applications and providing their private and personal information, which can then be used to commit fraud. In this environment, ordinary users in India face significant cybersecurity challenges. Users therefore need to remain vigilant and cautious when dealing with any digital communication or application download request that appears legitimate but may deliver malware. We strongly recommend that users install security software on their devices and always keep it up to date. By using McAfee Mobile Security products, users can further protect their devices and reduce the risks associated with this type of malware.

Indicators of Compromise (IOCs) 

SHA256 hash List: 

  • 092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba  
  • 7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350  
  • c59214828ed563ecc1fff04efdfd2bff0d15d411639873450d8a63754ce3464c  
  • b0df37a91b93609b7927edf4c24bfdb19eecae72362066d555278b148c59fe85  
  • 07ad0811a6dac7435f025e377b02b655c324b7725ab44e36a58bc68b27ce0758  
  • c8eb4008fa4e0c10397e0fb9debf44ca8cbadc05663f9effbeac2534d9289377  
  • 1df43794618ef8d8991386f66556292429926cd7f9cf9b1837a08835693feb40  
  • 5b3d8f85f5637b217e6c97e6b422e6b642ce24d50de4a6f3a6b08c671f1b8207 

Phishing URLs: 

  • hxxps://bijlipayupdate[.]wixsite[.]com/my-site  
  • hxxps://appointmentservice0[.]wixsite[.]com/onlineappointment  
  • hxxps://couriers9343[.]wixsite[.]com/courier/  
  • hxxps://doctorappointment34[.]wixsite[.]com/appointmentbooking  
  • hxxps://hospitalservice402[.]wixsite[.]com/hospital-in  
  • hxxps://adn-reg[.]com/website

C2 Server URLs: 

  • hxxps://forexroyality[.]online/complainf13/My_File[.]txt
  • hxxps://adn-reg[.]com/data[.]json
  • hxxps://icustomrcore[.]com/chand3/data[.]json
  • hxxps://sms[.]hrms[.]org[.]in/chugxgddhmurgiwalabhaiqwertadmin/no[.]html
  • hxxps://krishna[.]salaar[.]co[.]in/admindata[.]txt
  • hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json
