McAfee Mobile Research Team has observed an active scam malware campaign targeting Android users in India. This malware has gone through three stages. The first is the development stage, from March 2023 to July 2023, during which a couple of applications were created each month. The second is the expansion stage, from August 2023 to October 2023, during which dozens of applications were created each month. The third is the active stage, from September 2023 to the present, during which hundreds of applications were created each month. According to McAfee's detection telemetry data, this malware has accumulated over 800 applications and has infected more than 3,700 Android devices. The campaign is still ongoing, and the number of infected devices will continue to rise.
Malware developers create phishing pages for scenarios that are easy to deceive with, such as electricity bill payments, hospital appointments, and courier package bookings. The developers use different applications to load different phishing pages, and the applications are eventually sold to scammers. In our research, more than 100 unique phishing URLs and more than 100 unique C2 URLs were found in these malicious applications, which means that each scammer can carry out scam activities independently.
Scammers use the malware to attack victims. They typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule a service. This is a typical and effective fraud method: victims are asked to download a specific app and submit personal information. There was a report of an Indian woman who downloaded malware from a link in WhatsApp and had about ₹98,000 stolen from her. We were not able to confirm whether it is the same malware, but it is one example of how these malicious applications can be distributed directly via WhatsApp.
Because the attack scenario appears credible, many victims do not doubt the scammers' intentions. Following the instructions provided, they download and install the app. In the app, victims are induced to submit sensitive information such as personal phone numbers, addresses, bank card numbers, and passwords. Once this information falls into the hands of scammers, they can easily steal funds from the victim's bank account.
The malware not only steals victims' bank account information via phishing web pages but also steals SMS messages from victims' devices. With the stolen SMS messages, the scammer can transfer all the funds even if the bank account is protected by OTP authentication. The malware hosts its phishing pages on legitimate platforms to appear more trustworthy and to evade detection.
McAfee Mobile Security detects this threat as Android/SmsSpy. For more information, and to get fully protected, visit McAfee Mobile Security.
We discovered that these phishing pages and malware were being sold as a service by a cyber group named ELVIA INFOTECH. A distinct difference between this malware and others is that the apps sold have a valid expiration date. When the expiration date is reached, some application links redirect to a payment notification page. The notification clearly requests that the purchaser pay a fee to restore the use of the malware.
Figure 1. Payment notification.
We also discovered that the cybercriminal group was selling malware in a Telegram group. Based on these observations, we believe that ELVIA INFOTECH is a professional cybercriminal organization engaged in the development, maintenance, and sale of malware and phishing websites.
Figure 2. Telegram group conversation.
Malware Analysis
This malware has been maintained and recently updated, and hundreds of malicious applications have been created. The developers like to use file names such as "CustomerSupport.apk", "Mahavitaran Bill Update.apk", "Appointment Booking.apk", "Hospital Support.apk" and "Emergency Courier.apk", and application names such as "Customer Support", "Blue Dart", "Hospital Support" and "Emergency Courier", to trick victims. Below are some applications' names and icons.
Figure 3. Some applications' names and icons.
Not only do they pretend to be "Customer Support", they also impersonate popular courier companies in India like "Blue Dart" and target utility companies like "Mahavitaran" (Power Corporation of India).
Once victims tap the fake icon, the application launches and starts to attack them.
1. Loading Phishing Pages
The phishing page loads once the application is launched. It disguises itself as a page of one of various legitimate services, making victims believe they are visiting a legitimate service website. Here, victims are tricked into providing sensitive information such as name, address, phone number, bank card number, and password. Once submitted, this information falls into the hands of scammers, allowing them to easily access and control the victim's bank account.
We found that most of this attack campaign impersonated courier package delivery companies.
Figure 4. Phishing pages load once the app launches.
The malware developers also designed different phishing pages for different applications to deceive victims in different scenarios, exploiting electricity bill payments and hospital appointments.
Figure 5. Hospital appointment and electricity bill phishing pages.
2. Stealing One-Time Passwords via SMS Messages
As a core design of this malware, the application requests permission to send and view SMS messages as soon as it launches.
Figure 6. Request for SMS permissions.
If victims tap the "Allow" button, the malware starts a background service that secretly monitors users' text messages and forwards them to a phone number retrieved from the C2 server.
Figure 7. Forwarding phone number served by the C2 server.
This step is crucial for the scam process, as many banks send a one-time password (OTP) to the customer's phone for transaction verification. Using this method, the scammers can obtain these OTPs and successfully complete bank transactions.
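The permission pattern described in this section (SMS read/receive/send requested on launch, a receiver for incoming messages, a background service that forwards them over the network) is something a defender can triage statically from an app's manifest. The following is an added example written for this write-up, not McAfee's detection logic or any code from the samples. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool or androguard); both manifests below are constructed samples, and the scoring thresholds are assumptions.

```python
"""Triage heuristic for the SMS-stealer permission pattern described above.

Added example for this write-up; it is not McAfee's detection logic. It reads a
decoded AndroidManifest.xml (real APKs carry binary XML, so decoding with
apktool or androguard is assumed to have happened first) and flags the
combination the post describes: SMS receive/read/send permissions, network
access, a receiver for incoming SMS, and a background service.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's form of android:name

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
INTERNET_PERMISSION = "android.permission.INTERNET"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest mimicking the behaviour described in the post
# (fake "Customer Support" app, SMS permissions, SMS receiver, background service).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.customersupport">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Customer Support">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".ForwardService"/>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary web-view style app with no SMS access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.billviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bill Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return a score, a verdict and the findings behind them."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    sms_perms = permissions & SMS_PERMISSIONS
    sms_receivers = [
        r.get(NAME_ATTR)
        for r in root.iter("receiver")
        if any(a.get(NAME_ATTR) == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NAME_ATTR) for s in root.iter("service")]

    findings, score = [], 0
    for perm in sorted(sms_perms):  # one point per SMS permission
        findings.append("requests " + perm)
        score += 1
    if sms_perms and INTERNET_PERMISSION in permissions:  # SMS plus network: exfil path
        findings.append("SMS access combined with INTERNET")
        score += 1
    for name in sms_receivers:  # SMS_RECEIVED receiver sees incoming OTPs
        findings.append("receiver %s listens for SMS_RECEIVED" % name)
        score += 2
    if sms_perms and services:  # background service can forward messages silently
        findings.append("background service declared alongside SMS access")
        score += 1

    verdict = "suspicious" if score >= 4 else "low"  # threshold is an assumption
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest(manifest)
        print(label, result["verdict"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

A legitimate messaging app will score just as high, so this is a triage signal rather than a verdict on its own: it is most useful combined with context such as whether the app was side-loaded, whether it is present on an official store, and whether its stated purpose (bill payment, courier booking) has any plausible need to read SMS.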
Conclusion:
This malicious app and the developers behind it have emerged rapidly in India from last year to now, purposefully developing and maintaining malware and focusing on deploying well-designed phishing websites through legitimate platforms. The group secretly promotes and sells its malware through social media platforms, making the spread of the malware more subtle and difficult to detect. This tactic has resulted in an even more severe malware outbreak, posing an ongoing and serious threat to the financial security of Indian users.
Malware campaigns are very persistent, and using many different applications hosted on different websites can trick many victims into installing these applications and providing their private and personal information, which can then be used to commit fraud. In this environment, ordinary users in India face huge cybersecurity challenges. Therefore, users need to remain vigilant and cautious when dealing with any electronic communications or application download requests that appear legitimate but may contain malware. We strongly recommend that users install security software on their devices and always keep it up to date. By using McAfee Mobile Security products, users can further protect their devices and reduce the risks associated with this type of malware, providing a more secure experience.
Indicators of Compromise (IOCs)
SHA256 hash list:
- 092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba
- 7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350
- c59214828ed563ecc1fff04efdfd2bff0d15d411639873450d8a63754ce3464c
- b0df37a91b93609b7927edf4c24bfdb19eecae72362066d555278b148c59fe85
- 07ad0811a6dac7435f025e377b02b655c324b7725ab44e36a58bc68b27ce0758
- c8eb4008fa4e0c10397e0fb9debf44ca8cbadc05663f9effbeac2534d9289377
- 1df43794618ef8d8991386f66556292429926cd7f9cf9b1837a08835693feb40
- 5b3d8f85f5637b217e6c97e6b422e6b642ce24d50de4a6f3a6b08c671f1b8207
Phishing URLs:
- hxxps://bijlipayupdate[.]wixsite[.]com/my-site
- hxxps://appointmentservice0[.]wixsite[.]com/onlineappointment
- hxxps://couriers9343[.]wixsite[.]com/courier/
- hxxps://doctorappointment34[.]wixsite[.]com/appointmentbooking
- hxxps://hospitalservice402[.]wixsite[.]com/hospital-in
- hxxps://adn-reg[.]com/website
C2 Server URLs:
- hxxps://forexroyality[.]online/complainf13/My_File[.]txt
- hxxps://adn-reg[.]com/data[.]json
- hxxps://icustomrcore[.]com/chand3/data[.]json
- hxxps://sms[.]hrms[.]org[.]in/chugxgddhmurgiwalabhaiqwertadmin/no[.]html
- hxxps://krishna[.]salaar[.]co[.]in/admindata[.]txt
- hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json
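The IOCs above are defanged for safe publication, so a defender has to refang them before they can be matched against DNS or proxy logs and file-hash inventories. The following is an added example written for this write-up, not McAfee's tooling. The hashes and URLs are the ones published above; the log lines, the log format and the file inventory are constructed samples and assumptions.

```python
"""Match the IOCs published above against constructed logs and a file inventory.

Added example for this write-up; it is not McAfee's tooling. The hashes and
defanged URLs are the ones listed in the post. The DNS/proxy log lines and the
file inventory are constructed samples, and the log format is an assumption.
"""
import re
from urllib.parse import urlparse

SHA256_IOCS = {
    "092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba",
    "7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350",
    "c59214828ed563ecc1fff04efdfd2bff0d15d411639873450d8a63754ce3464c",
    "b0df37a91b93609b7927edf4c24bfdb19eecae72362066d555278b148c59fe85",
    "07ad0811a6dac7435f025e377b02b655c324b7725ab44e36a58bc68b27ce0758",
    "c8eb4008fa4e0c10397e0fb9debf44ca8cbadc05663f9effbeac2534d9289377",
    "1df43794618ef8d8991386f66556292429926cd7f9cf9b1837a08835693feb40",
    "5b3d8f85f5637b217e6c97e6b422e6b642ce24d50de4a6f3a6b08c671f1b8207",
}

DEFANGED_URLS = [
    # Phishing pages
    "hxxps://bijlipayupdate[.]wixsite[.]com/my-site",
    "hxxps://appointmentservice0[.]wixsite[.]com/onlineappointment",
    "hxxps://couriers9343[.]wixsite[.]com/courier/",
    "hxxps://doctorappointment34[.]wixsite[.]com/appointmentbooking",
    "hxxps://hospitalservice402[.]wixsite[.]com/hospital-in",
    "hxxps://adn-reg[.]com/website",
    # C2 servers
    "hxxps://forexroyality[.]online/complainf13/My_File[.]txt",
    "hxxps://adn-reg[.]com/data[.]json",
    "hxxps://icustomrcore[.]com/chand3/data[.]json",
    "hxxps://sms[.]hrms[.]org[.]in/chugxgddhmurgiwalabhaiqwertadmin/no[.]html",
    "hxxps://krishna[.]salaar[.]co[.]in/admindata[.]txt",
    "hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json",
]


def refang(ioc: str) -> str:
    """Turn hxxps://a[.]b back into a real URL string."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def ioc_hostnames(defanged_urls) -> set:
    """Exact hostnames to hunt for. The full hostname is kept on purpose:
    the registered domain wixsite.com is a legitimate hosting platform."""
    return {urlparse(refang(u)).hostname.lower() for u in defanged_urls}


# Constructed DNS and proxy log lines; the key=value format is an assumption.
LOG_LINES = [
    "2024-03-12T09:14:02Z dns client=10.0.0.23 query=forexroyality.online type=A",
    "2024-03-12T09:14:05Z proxy client=10.0.0.23 host=courier.elviainfotech.cloud path=/pages/phone.json status=200",
    "2024-03-12T09:15:11Z dns client=10.0.0.41 query=example.com type=A",
    "2024-03-12T09:16:30Z proxy client=10.0.0.23 host=www.wixsite.com path=/ status=200",
]

HOST_RE = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")


def match_log_lines(lines, hostnames) -> list:
    """Return (hostname, line) pairs whose queried/contacted host is an IOC."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in hostnames:
            hits.append((m.group(1).lower(), line))
    return hits


# Constructed inventory of files on a device, keyed by path, value SHA256.
# The second digest is the SHA256 of an empty file, included as a non-match.
FILE_INVENTORY = {
    "/sdcard/Download/CustomerSupport.apk":
        "092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba",
    "/sdcard/Download/notes.txt":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def match_hashes(inventory, iocs) -> dict:
    """Return the subset of inventory entries whose digest is a known IOC."""
    return {path: digest for path, digest in inventory.items() if digest.lower() in iocs}


if __name__ == "__main__":
    hosts = ioc_hostnames(DEFANGED_URLS)
    for host, line in match_log_lines(LOG_LINES, hosts):
        print("IOC host", host, "->", line)
    for path, digest in match_hashes(FILE_INVENTORY, SHA256_IOCS).items():
        print("IOC hash", digest[:12], "->", path)
```

Matching on the exact hostname rather than the registered domain matters here: five of the phishing pages live on wixsite.com subdomains, and blocking or alerting on the whole platform would produce noise without catching the next subdomain the group registers. The IOC hashes identify specific samples only; the post notes that hundreds of applications exist, so hash matches are confirmation, not coverage.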
source: McAfee Labs