Android users are being targeted by malicious software that tricks users into downloading a fake COVID-19 Vaccination Registration app that collects sensitive information from the user’s device. The malware uses the contacts fetched from the device to spread to the other devices via text messages.
The variant of this malware is known as “SMS Worm”. An SMS-Worm is a malware variant that sends SMSes containing a link to a website. Once the unsuspecting user clicks the link, it downloads the worm’s executable code into the victim’s mobile phone, thereby infecting their devices. In addition, it automatically sends a copy of itself to every contact listed in the mobile phone’s Contacts list.
Here is a list of the activities performed by this malware on the user’s device:
- Enabling unauthorized access or restricting access to private accounts and services
- Using the device for unauthorized activities
- Exposing personal data from the user’s mobile device and accounts
- Unauthorized deletion of data from the mobile device or services
Some of the common ways in which this malware is distributed are listed below:
- Direct distribution: Sending direct SMS attack messages containing the mobile malware to the user.
- Secondary distribution: Spreading supplementary malware to more users via SMSes that “seize” the victim’s mobile devices.
In a recent tweet, a researcher shared the information about an android app that impersonates as an COVID-19 Vaccination Registration app and spreads through text messages. Our investigation indicated that this malware campaign is currently targeting India as the country struggles with the ongoing onslaught of the pandemic. It spreads itself to the victim’s contacts via SMSes containing a link to download this malware. In our search to find the source of the app, we found from twitter with many abandoned repositories that contains the list of similar apps under different names and functionalities but replicates the same permissions and entry points, assuming all were from the same developer.thread from Twitter with many abandoned repositories containing the list of similar apps under different names and functionalities which replicate the same permissions and entry points. These apps seem to have been developed by the same developer.
Furthermore, on downloading the Apk file from the repository and scanning it through VirusTotal, we were able to identify it as a fake malware app based on the antivirus signatures “Malware.ANDROID/FakeApp.SRDD.Gen”, as shown in the Fig. 1.
Figure 1 VirusTotal Detections of the App
Technical Analysis:
Digest used for our analysis: 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4
Package Name: com.halorozd.meditation
Main Activity: com.halorozd.meditation.MainActivity
After performing static analysis on the above app, the permissions used by the malware were found from the application. These have been showcased in the Fig. 2.
Figure 2 Permissions requested by the app
Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below:
Permissions:
- android.permission.ACCESS_FINE_LOCATION
- android.permission.SEND_SMS
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.INTERNET
- android.permission.READ_CONTACTS
Services:
- com.halorozd.meditation.blasting
- com.startapp.sdk.adsbase.InfoEventService
- com.startapp.sdk.adsbase.PeriodicJobService
Receivers:
- com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener
Intent Filters by Action:
- android.intent.action.MAIN
- android.intent.action.BOOT_COMPLETED
Using the above permissions granted by users, the following activities are performed in the user’s devices:
- Checks whether the Android Debug Bridge (ADB) (a versatile command-line tool that lets you communicate with a device commands) is enabled and running
Figure 3 Checks the status of the ADB
- Checks whether the analysis is performed through a device or an emulator
Figure 4 Build Model of the device
- Checks for the devices that are connected to the victim’s device through Bluetooth
Figure 5 Scans for the Bluetooth Devices
- Sends text messages to other devices using SMS Manager
Figure 6 Sends SMS through SMS Manager
- Also checks whether the app is currently debugged
Figure 7 Code to check the app is debugged
- Checks the state of the SIM card from the victim’s device
Figure 8 State of the Sim from User’s Device
- Fetches the network operator name
Figure 9 Query on the Network Operator Name
- Gets phone contact information from the victim’s device
Figure 10 Queries Phone Contact Information
New variants of SMS-worms for Android do not appear very often, and this particular variant is an interesting piece of malware and part of a unique attack. Besides tricking unsuspecting users into installing a worm and other software that they may not want; the worm can also use up their billing plan by automatically sending messages without their knowledge.
Safety Recommendations:
- Keep your antivirus software updated to detect and prevent malware infections.
- Keep your system and applications updated.
- Use strong passwords and enable two-factor authentication during logins.
- Verify the privileges and permissions requested by the app before granting access.
- People concerned about the exposure of their stolen credentials in the dark web can register at AmIBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques- for Mobile
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1406 T1523 | 1. Obfuscated Files or Information 2. Evade Analysis Environment |
| Discovery | T1421 T1422 T1430 T1426 T1424 | 1. System Network Connections Discovery 2. System Network Configuration Discovery 3. Location Tracking 4. System Information Discovery 5. Process Discovery |
| Collection | T1432 T1430 T1507 | 1. Access Contact List 2. Location Tracking 3. Network Information Discovery |
| Command and Control | T1573 T1219 | 1. Encrypted Channel 2. Remote Access Software |
| Network Effects | T1449 | 1.Exploit SS7 to Redirect Phone Calls/SMS |
| Impact | T1447 T1448 | 1.Delete Device Data 2. Carrier Billing Fraud |
Indicators of Compromise (IoCs):
| IOC | IOC Type |
| 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4 | SHA256 |
| hxxps://awsdus.api[.]p3insight[.]de/isupload/upload_check_lumen[.]php | Interesting URL |
| hxxps://geoip.api.p3insight[.]de/geoip/ | Interesting URL |
| hxxp://tiny[.]cc/COVID-VACCINE | Interesting URL |
| 202.83.21[.]14 | IP address |
| 216.58.212[.]170 | IP address |
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
