Indian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing, especially during the pandemic. A variant of a mobile app that impersonates India’s Income Tax Department (IT) was first identified by the McAfee Threat Intelligence team in September 2021. These apps conduct phishing activities and collect sensitive information from their victims. The attacker could later sell this information on cybercrime forums.
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post covering the application that masquerades as an official Income Tax department app. The app has a similar icon to that of the IT Department of India and is named iMobile.
Cyble Research Labs downloaded the malware samples and performed a detailed analysis. We determined that the malware performs phishing activities to steal Personally Identifiable Information (PII) such as date of birth, PAN number, Aadhaar number, bank account details, and debit card details, including expiry date, CVV number, and PIN.
Technical Analysis
APK Metadata Information
- App Name: iMobile
- Package Name: direct.uujgiq.imobile
- SHA256 Hash: 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56
Figure 1 shows the metadata information of the application.
We have outlined the flow of the application and the various activities it conducts in Figure 2.
- The application has a similar icon as the IT department of India’s official logo.
- The application asks the users to allow it as defaults SMS app. Once it becomes the default app, it can handle SMS data.
- The application asks users to input credentials like PAN number and registered mobile number.
- The application asks users to input bank account details including debit card information.
- The application also asks for Internet Banking credentials.
Upon simulating the application, it requests that users make it their default SMS app, and then the application proceeds with its malicious activity. Refer to Figure 3.
Figure 4 shows the malware pretending to be the official Income Tax app from India’s Income Tax department. We can also see that the app is asking for credentials such as PAN number and mobile number.
The next page of the application directs users to a portal where they are prompted to enter their bank account and debit card details. Refer to Figure 5.
The application also uses a fake internet banking login page and requests users to enter their credentials, as shown below.
Manifest Description
iMobile requests twenty-six different permissions, of which the attackers could abuse seven. In this case, the malware can:
- Collect SMS data.
- Read the information of device such as usage history and statistics.
- Receive and send SMSs.
We have listed the dangerous permissions below.
| Permissions | Description |
| READ_SMS | Access phone’s messages. |
| BROADCAST_STICKY | Allow the application to communicate with other apps. These broadcasts happen without the user’s knowledge. |
| DISABLE_KEYGUARD | Allows applications to disable the keyguard. |
| PACKAGE_USAGE_STATS | Provides access to device usage history and statistics. |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| SEND_SMS | Allows an application to send SMS messages. |
Upon reviewing the code of the application, the launcher activity of the malicious app was identified, as shown in Figure 7.
The permissions and services defined in the manifest file that were identified have the ability to replace the default Messages app. This app will then be able to handle sending and receiving SMSs and MMSs. Refer to Figure 8.
Figure 9 represents that the malware has defined customized services that use the BROADCAST_WAP_PUSH service. Through this service, an application can broadcast a notification that a WAP Push message has been received.
Threat Actors (TAs) may abuse this service to create could false MMS message receipts or replace the original content with malicious content. Google has instructed that it is not for use by third-party applications.
Figure 10 represents that the malware has defined customized services that leverage the permission SEND_RESPOND_VIA_MESSAGE. This permits the application to send a request to other messaging apps to handle respond-via-message action during incoming calls.
Source Code Description
The application uses the permission that is defined in Figure 8 to send SMSs. Upon allowing the application to replace the default messaging app, it can also read incoming messages. Refer to Figure 11.
The below code shows one of the multiple deobfuscation method used by the malware, which leverages a simple cipher substitution. All strings are decoded using distinct classes, with each class having a unique table value. Refer to Figure 12.
During our traffic analysis, we observed that the malware is uploading the banking details, including account numbers and debit card details such as card number, expiry date, CVV, and PIN to the Command and Control (C2) server hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php. Refer to Figure 13.
Figure 14 demonstrates that the malware is uploading internet banking credentials to the server.
The below image shows that the malware has hardcoded data, i.e., a mobile number originating from India.
Conclusion
The Threat Actors behind malicious applications constantly adapt and use various sophisticated techniques to avoid detection and target users. Such malicious applications masquerade as legitimate applications to trick users into installing them.
Users should only install applications from the official Google Play Store to secure themselves from attacks such as these.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Users should be careful of the permissions they are enabling.
- If you find this malicious application on your device, uninstall, or delete it immediately.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Android device, OS, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1418 | Application Discovery |
| Credential Access | T1412 | Capture SMS Messages |
| Discovery | T1087 | Account Discovery |
| Impact | T1565 | Manipulation |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 | SHA256 | Malicious APK |
| hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php | URL | C2 |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
