The scam
Scams happen wherever scammers can contact their victims. F-Secure has detected an on-going scam targeting individuals in India. The main spreading mechanism is via WhatsApp direct messages that are directly encouraging targeted WhatsApp users to download malicious Android installation files. The messages claim to originate from a well-known bank, for example Axis bank, ICICI bank, or SBI bank.
Figure 1. Scam message appealing for urgency
(from LinkedIn post)
Figure 2. Another scam message appealing urgency (acquired by F-Secure)
The scam starts with the victim receiving a message on WhatsApp that attempts to invoke a sense of urgency. The message typically intends to scare the victim by suggesting their bank account is blocked or about to be closed – unless the user updates some purported mandatory details by installing the accompanying APK file.
The attacker hopes that by using these manipulation tricks, the victim will install the malware. Once the victim installs the APK attachment, the malware then takes over.
Malware walkthrough
So, what happens once the victim clicks on the APK attachment? We at F-Secure obtained a WhatsApp message from one of our sources (shown in Figure 2). We analyzed the APK attached to this message, found out the following:
- Upon execution, the app requests “send and view SMS” permission, as shown in Figure 3. This is a peculiar request that will have a great significance on the malware’s operations. We will explain later the reason behind this permission request.
Figure 3. SMS permissions requested by malware
- Once this permission is granted, the app proceeds through a series of activities (screens) that each ask for different personal information from the victim (Figure 4). The personal information includes mobile number, personal account number (PAN – a number issued by Indian tax department), date of birth, debit card details, and so on.
Figure 4. Series of screens extracting the victim’s personal information
- Once the victim submits all this information, a fake “success” message (Figure 5) is shown to the victim promising them that the required mandatory data has been submitted. But of course, in reality, no updates are sent to the bank.
Figure 5. Fake “success” message
Figure 6. Alternate “success” message advising against uninstallation
In other similar malware samples that we analyzed, the final screen apart from showing a “success” message, also displayed a text advising the user against uninstalling the app because the “bank details update” app is only available outside of Play Store (Figure 6).
What really happens in the background?
Data stealing
As we saw in the walkthrough, the dummy bank application pretends to get details from the victim and claims to update their account in the bank. Moreover, what happens in reality is something totally different. The details submitted by the victim are exfiltrated either to a cloud database, such as Firebase database, or to a C2 server hosted on a domain controlled by the attacker.
Figure 7. Personal user data being uploaded to cloud
Multifactor authentication bypass
The primary goal of the malware is to steal the victim’s bank credentials, and then potentially perform an account takeover. However, to achieve this, the attacker first needs to login to the victim’s bank account.
A bank app typically sends a one-time password (OTP) to the user’s mobile, if multi-factor authentication has been set up. Thus, merely stealing the victim’s credentials is not enough for the attacker. Access is also required to the OTP that the bank sends to the victim’s mobile via a text message, after the attacker logs into the victim’s account using the stolen credentials. And this is where the previously acquired “send and receive SMS permissions” comes into play (Figure 3).
Once the real OTP text message is received by the victim’s mobile, the device issues an SMS_RECEIVED_ACTION broadcast which is handled by the malware as well. The malware then forwards this message to a hardcoded phone number, thereby gaining access to the OTP, and thus effectively bypassing MFA.
Figure 8. Forward all SMSs to the attacker
Conclusion
Even though the ongoing scam targets banks in India, it is easy to see that this can be easily generalized to include other scams. Also, as WhatsApp has been adopted worldwide, the reach of such scams can be equally large. We advise strong caution when clicking on any unknown links/attachments, especially those received via WhatsApp.
IoC
3285efe3940fbdd19a6eeaa727ddef6053d43b74c566a116d45aaf01fa899e67
59c369e39a0c3e87df489010984261ef9a60d9fdcd7b0432b57f7717bb518731
d840eaed376b81b66f8fb12c9c72e6b315a2afaf771aae00e5d98f95a0946266
b8d6c5aa1be913567f3d612e576b5000ca5af8a200b1701be7c200c90f1bcc42
8fd57764f05c00438c4c84c65ab6b77ba0f7c4aecf3c154dc941e68dc589e436
b13c231ad93992b50226e77d95b3fdaaa1f5869c835b7a3cc63a04d80e0ea88a
2895252067e0262505236b9c09906c0c5dec5a347a880946dd8a831173eb67cb
2b6a61f95832590946d71a9cd8dc403462a4f16c99a0c3532b1db1bf90596619
0216932a38d20d15bbb0a2ccb56cb4517be1cd267931741f89e0726557b63389
f4fd11d2ce55ab1bea9a56194ce3d0723256aedbaee2a62dc3a738639d158408
Categories