Cyble-Fake-Income-Tax-Indian-Taxpayers-Android

Fake Income Tax Application Targets Indian Taxpayers

Share on linkedin
Share on twitter
Share on whatsapp
Share on facebook
Share on telegram
Share on email

Indian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing, especially during the pandemic. A variant of a mobile app that impersonates India’s Income Tax Department (IT) was first identified by the McAfee Threat Intelligence team in September 2021. These apps conduct phishing activities and collect sensitive information from their victims. The attacker could later sell this information on cybercrime forums. 

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post covering the application that masquerades as an official Income Tax department app. The app has a similar icon to that of the IT Department of India and is named iMobile

Cyble Research Labs downloaded the malware samples and performed a detailed analysis. We determined that the malware performs phishing activities to steal Personally Identifiable Information (PII) such as date of birth, PAN number, Aadhaar number, bank account details, and debit card details, including expiry date, CVV number, and PIN. 

Technical Analysis 

APK Metadata Information 

  • App Name: iMobile 
  • Package Name: direct.uujgiq.imobile 
  • SHA256 Hash: 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 

Figure 1 shows the metadata information of the application. 

Figure 1: Metadata Information 
Figure 2: Application Start Flow 

We have outlined the flow of the application and the various activities it conducts in Figure 2. 

  • The application has a similar icon as the IT department of India’s official logo. 
  • The application asks the users to allow it as defaults SMS app. Once it becomes the default app, it can handle SMS data. 
  • The application asks users to input credentials like PAN number and registered mobile number. 
  • The application asks users to input bank account details including debit card information. 
  • The application also asks for Internet Banking credentials. 

Upon simulating the application, it requests that users make it their default SMS app, and then the application proceeds with its malicious activity. Refer to Figure 3. 

Figure 3: Asks for Default SMS App Permission 

Figure 4 shows the malware pretending to be the official Income Tax app from India’s Income Tax department. We can also see that the app is asking for credentials such as PAN number and mobile number. 

Figure 4 Asks for IT Credentials 

The next page of the application directs users to a portal where they are prompted to enter their bank account and debit card details. Refer to Figure 5. 

Figure 5 Asks for User’s Banking Details 

The application also uses a fake internet banking login page and requests users to enter their credentials, as shown below. 

Figure 6 Asks for Netbanking Credentials 

Manifest Description 

iMobile requests twenty-six different permissions, of which the attackers could abuse seven. In this case, the malware can: 

  • Collect SMS data. 
  • Read the information of device such as usage history and statistics. 
  • Receive and send SMSs.  

We have listed the dangerous permissions below. 

Permissions Description 
READ_SMS Access phone’s messages. 
BROADCAST_STICKY Allow the application to communicate with other apps. These broadcasts happen without the user’s knowledge. 
DISABLE_KEYGUARD Allows applications to disable the keyguard. 
PACKAGE_USAGE_STATS Provides access to device usage history and statistics. 
READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. 
RECEIVE_SMS Allows an application to receive SMS messages. 
SEND_SMS Allows an application to send SMS messages. 
Table 1: Permissions’ Description 

Upon reviewing the code of the application, the launcher activity of the malicious app was identified, as shown in Figure 7. 

Figure 7 Launching Activity 

The permissions and services defined in the manifest file that were identified have the ability to replace the default Messages app. This app will then be able to handle sending and receiving SMSs and MMSs. Refer to Figure 8. 

Figure 8 Handles SMS and MMS 

Figure 9 represents that the malware has defined customized services that use the BROADCAST_WAP_PUSH service. Through this service, an application can broadcast a notification that a WAP Push message has been received.  

Figure 9 Using Broadcast WAP Push Permission 

Threat Actors (TAs) may abuse this service to create could false MMS message receipts or replace the original content with malicious content. Google has instructed that it is not for use by third-party applications

Figure 10 represents that the malware has defined customized services that leverage the permission SEND_RESPOND_VIA_MESSAGE.  This permits the application to send a request to other messaging apps to handle respond-via-message action during incoming calls.  

Figure 10 Using Send Respond VIA Message 

Source Code Description 

The application uses the permission that is defined in Figure 8 to send SMSs. Upon allowing the application to replace the default messaging app, it can also read incoming messages. Refer to Figure 11.  

Figure 11 Sending SMS 

The below code shows one of the multiple deobfuscation method used by the malware, which leverages a simple cipher substitution. All strings are decoded using distinct classes, with each class having a unique table value. Refer to Figure 12. 

Figure 12 Deobfuscation Method 

During our traffic analysis, we observed that the malware is uploading the banking details, including account numbers and debit card details such as card number, expiry date, CVV, and PIN to the Command and Control (C2) server hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php. Refer to Figure 13. 

Figure 13 Banking Details Being Uploaded to the Server 

Figure 14 demonstrates that the malware is uploading internet banking credentials to the server. 

Figure 14 Internet Banking Details Uploaded to the Server 

The below image shows that the malware has hardcoded data, i.e., a mobile number originating from India.  

Figure 15 Hardcoded Data 

Conclusion  

The Threat Actors behind malicious applications constantly adapt and use various sophisticated techniques to avoid detection and target users. Such malicious applications masquerade as legitimate applications to trick users into installing them. 

Users should only install applications from the official Google Play Store to secure themselves from attacks such as these. 

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:    

  • Download and install software only from official app stores like Google Play Store. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Users should be careful of the permissions they are enabling. 
  • If you find this malicious application on your device, uninstall, or delete it immediately.  
  • Use the shared IOCs to monitor and block the malware infection.  
  • Keep your anti-virus software updated to detect and remove malicious software.  
  • Keep your Android device, OS, and applications updated to the latest versions.  
  • Use strong passwords and enable two-factor authentication.  

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Execution T1204.002 User Execution: Malicious File 
Defense Evasion T1418  Application Discovery 
Credential Access T1412 Capture SMS Messages 
Discovery T1087 Account Discovery 
Impact T1565 Manipulation 

Indicators of Compromise (IOCs)   

Indicators Indicator type Description 
1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 SHA256 Malicious APK 
hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php URL C2 

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com

Scroll to Top