Android SMS Worm Impersonating COVID-19 Vaccine Registration App Spreads via Text Messages

Android users are being targeted by malicious software that tricks users into downloading a fake COVID-19 Vaccination Registration app that collects sensitive information from the user’s device. The malware uses the contacts fetched from the device to spread to the other devices via text messages. 

The variant of this malware is known as “SMS Worm”. An SMS-Worm is a malware variant that sends SMSes containing a link to a website. Once the unsuspecting user clicks the link, it downloads the worm’s executable code into the victim’s mobile phone, thereby infecting their devices. In addition, it automatically sends a copy of itself to every contact listed in the mobile phone’s Contacts list.  

Here is a list of the activities performed by this malware on the user’s device: 

  • Enabling unauthorized access or restricting access to private accounts and services 
  • Using the device for unauthorized activities 
  • Exposing personal data from the user’s mobile device and accounts 
  • Unauthorized deletion of data from the mobile device or services 
     

Some of the common ways in which this malware is distributed are listed below: 

  1. Direct distribution: Sending direct SMS attack messages containing the mobile malware to the user. 
  1. Secondary distribution: Spreading supplementary malware to more users via SMSes that “seize” the victim’s mobile devices. 

 
In a recent tweet, a researcher shared the information about an android app that impersonates as an COVID-19 Vaccination Registration app and spreads through text messages. Our investigation indicated that this malware campaign is currently targeting India as the country struggles with the ongoing onslaught of the pandemic. It spreads itself to the victim’s contacts via SMSes containing a link to download this malware. In our search to find the source of the app, we found  from twitter with many abandoned repositories that contains the list of similar apps under different names and functionalities but replicates the same permissions and entry points, assuming all were from the same developer.thread from Twitter with many abandoned repositories containing the list of similar apps under different names and functionalities which replicate the same permissions and entry points. These apps seem to have been developed by the same developer. 

Furthermore, on downloading the Apk file from the repository and scanning it through VirusTotal, we were able to identify it as a fake malware app based on the antivirus signatures “Malware.ANDROID/FakeApp.SRDD.Gen”, as shown in the Fig. 1. 

Figure 1 VirusTotal Detections of the App 

Technical Analysis: 
 
Digest used for our analysis: 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4 

Package Name: com.halorozd.meditation 

Main Activity: com.halorozd.meditation.MainActivity 

After performing static analysis on the above app, the permissions used by the malware were found from the application. These have been showcased in the Fig. 2. 

Figure 2 Permissions requested by the app 

Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below: 

Permissions: 

  • android.permission.ACCESS_FINE_LOCATION  
  • android.permission.SEND_SMS  
  • android.permission.READ_PHONE_STATE  
  • android.permission.ACCESS_COARSE_LOCATION  
  • android.permission.INTERNET  
  • android.permission.READ_CONTACTS 

Services: 

  • com.halorozd.meditation.blasting  
  • com.startapp.sdk.adsbase.InfoEventService  
  • com.startapp.sdk.adsbase.PeriodicJobService 

Receivers: 

  • com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener 

Intent Filters by Action: 

  • android.intent.action.MAIN 
  • android.intent.action.BOOT_COMPLETED 

Using the above permissions granted by users, the following activities are performed in the user’s devices: 

  1. Checks whether the Android Debug Bridge (ADB) (a versatile command-line tool that lets you communicate with a device commands) is enabled and running 

Figure 3 Checks the status of the ADB 

  1. Checks whether the analysis is performed through a device or an emulator 

Figure 4 Build Model of the device 

  1. Checks for the devices that are connected to the victim’s device through Bluetooth 

Figure 5 Scans for the Bluetooth Devices 

  1. Sends text messages to other devices using SMS Manager 

Figure 6 Sends SMS through SMS Manager 

  1. Also checks whether the app is currently debugged 

Figure 7 Code to check the app is debugged 

  1. Checks the state of the SIM card from the victim’s device 

Figure 8 State of the Sim from User’s Device 

  1. Fetches the network operator name 

Figure 9 Query on the Network Operator Name 

  1. Gets phone contact information from the victim’s device 

Figure 10 Queries Phone Contact Information 

New variants of SMS-worms for Android do not appear very often, and this particular variant is an interesting piece of malware and part of a unique attack. Besides tricking unsuspecting users into installing a worm and other software that they may not want; the worm can also use up their billing plan by automatically sending messages without their knowledge. 

Safety Recommendations: 

  1. Keep your antivirus software updated to detect and prevent malware infections. 
  1. Keep your system and applications updated. 
  1. Use strong passwords and enable two-factor authentication during logins. 
  1. Verify the privileges and permissions requested by the app before granting access. 
  1. People concerned about the exposure of their stolen credentials in the dark web can register at AmIBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 
Defense Evasion T1406 T1523 1. Obfuscated Files or Information 2. Evade Analysis Environment  
Discovery T1421 T1422 
T1430 T1426 T1424 
1. System Network Connections Discovery 2. System Network Configuration Discovery 3. Location Tracking 4. System Information Discovery 5. Process Discovery 
Collection T1432 T1430 T1507  1. Access Contact List 2. Location Tracking 3. Network Information Discovery 
Command and Control T1573 T1219 1. Encrypted Channel 2. Remote Access Software 
Network Effects T1449 1.Exploit SS7 to Redirect Phone Calls/SMS 
Impact T1447 T1448 1.Delete Device Data 2. Carrier Billing Fraud 

Indicators of Compromise (IoCs): 

IOC  IOC Type  
5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4 SHA256   
hxxps://awsdus.api[.]p3insight[.]de/isupload/upload_check_lumen[.]php Interesting URL 
hxxps://geoip.api.p3insight[.]de/geoip/ Interesting URL 
hxxp://tiny[.]cc/COVID-VACCINE Interesting URL 
202.83.21[.]14 IP address 
216.58.212[.]170 IP address 

About Cyble:  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.   

Leave a Comment

Your email address will not be published.

%d bloggers like this: