Android malware disguised as wedding invitation sent to senior citizens

Amit Tambe

13.03.24 7 min. read

Brief summary: elderly scams on the rise

Elderly scams targeting senior citizens are on the rise. Among several ingenious schemes aimed at the older population is a recent campaign called the “free wedding invite” scam. Fraudsters employ deceptive tactics through social media chats such as WhatsApp, often involving fabricated wedding invitations.

A malicious APK posing as a wedding invite is then shared with the victim. Victims, believing the APK contains more details about the free wedding, install the malware and have their SMS data stolen. The malware then sends the stolen data to a Telegram bot that acts as its command and control (C2) server.

What are elderly scams?

Elderly scams are scams that specifically target senior citizens. One of the main reasons senior citizens are targeted is that they have often accumulated a good amount of money over their lifetime (retirement funds, pension money and a house or two), which tempts scammers to steal this hard-earned wealth. Another reason is that scammers hope senior citizens have less technical knowledge, making them easy targets. Though this sounds inhuman, it is the unfortunate order of the day!

Wedding invite scam

Senior citizens are targeted via several scams, ranging from romance scams and medical care impersonation scams to the more recent live-stream funeral scam.

One such scam campaign that made the rounds in Malaysia was the “wedding invite” scam.

Figure 1 Original WhatsApp message received, as per a Facebook post

In this scam, the victim receives a wedding invitation from an unknown person, encouraging them to open the attached file for more details about the wedding. The “attached file”, however, is an APK that installs malware on the victim’s phone. The malware is programmed to steal several pieces of information (device information, build information and SMS information in particular) from the victim’s phone.

This initial wave only heightens our concern that senior citizens are being specifically targeted with such scam messages. The scammers hope that the “hit rate” of existing elderly scam campaigns will be higher among this group.

Let us now have a look at a sample distributed in the “wedding invite” campaign and understand its technical intricacies.

Technical details

AndroidManifest.xml

As always, we start our analysis of the sample with AndroidManifest.xml. As shown in Figure 2, there are some noteworthy observations to be made:

  1. Some dangerous permissions are used: READ_SMS and SEND_SMS, which, as the names imply, allow reading and sending text messages.
  2. The Launcher activity category is missing, resulting in an app that will not be visible in the app launcher.
  3. Two broadcast receivers are registered for the same push notification.

Figure 2 AndroidManifest.xml reveals some noteworthy details

Hidden App – No need for the victim to launch

Once the app is installed on the phone, it stays hidden, as deduced from the MainActivity entry in AndroidManifest.xml above. Staying hidden is one of the most important qualities of spyware, and this quality therefore leads us to suspect that the sample under consideration is spyware as well. As per our previous blog on SpyNote: “For spyware, the reason behind hiding is to avoid detection and carry on with its objective of stealing user data as long as possible. A couple of methods may be used by spyware to achieve this hiding functionality:

  • Use of setComponentEnabledSetting to hide the app at runtime
  • Providing no launcher activity category (CATEGORY_LAUNCHER) in AndroidManifest.xml (corresponding to the intent containing ACTION_MAIN)”

We observe from AndroidManifest.xml that the launcher category is missing from the activity that handles the MAIN intent, which is what hides the app.

This leads to the next important question: “How is the hidden app launched?” There are several ways of launching a hidden app, as highlighted in this paper: launching via a third-party app, or once an SMS is received, for example. We deduce that this particular malicious sample gets launched via a third-party app. Once the app is launched, it asks for phone call and SMS-related permissions and is ready for its spying activities!
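The manifest observations above (SMS permissions, a MAIN activity with no CATEGORY_LAUNCHER, duplicate SMS broadcast receivers) can be checked mechanically during triage. The following added example, written for this post and not part of the original analysis, runs those checks over a constructed manifest that mirrors the described traits; the package and component names in it are placeholders, not the sample's real ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # fully qualified android:name attribute

# Constructed manifest reproducing the traits described above; not the sample's own manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.invite">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiverA" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiverB" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text):
    """Flag SMS permissions, MAIN activities lacking CATEGORY_LAUNCHER, and SMS_RECEIVED receivers."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    hidden = []
    for act in root.iter("activity"):
        actions = {a.get(NAME) for a in act.iter("action")}
        cats = {c.get(NAME) for c in act.iter("category")}
        # ACTION_MAIN without CATEGORY_LAUNCHER: the app gets no launcher icon
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" not in cats:
            hidden.append(act.get(NAME))
    sms_receivers = [r.get(NAME) for r in root.iter("receiver")
                     if SMS_RECEIVED in {a.get(NAME) for a in r.iter("action")}]
    return {"sms_permissions": sorted(perms & SMS_PERMISSIONS),
            "hidden_main_activities": hidden,
            "sms_receivers": sms_receivers}
```

A real APK must first be decoded (for example with apktool) so that the binary manifest is available as plain XML.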

Telegram C2 and SMS Spy

Since the app requests SMS-related permissions, and based on the SMS_RECEIVED intent in AndroidManifest.xml, we can deduce that the app spies on SMSs received by the victim. Further observations in the code, however, reveal additional information about how the malware communicates with its C2.

We observed that the malware uses a Telegram bot as its C2 server. A Telegram bot is an application provided by the Telegram messaging platform. It is set up to automate interactions with users and provide immediate information. Telegram provides this feature out of the box, making it trivial for attackers to set up a C2 server. The app sends stolen data to the Telegram bot, and it is easy for the scammer to access the data collected in Telegram. Figures 3, 4 and 5 show how the code steals users’ SMS and other data and sends it to Telegram.

Figure 3 shows how the malware first collects victim device information such as Build ID, brand, etc.

Figure 3 Collect (victim) device information

Figure 4 shows how this collected device information is leaked to a Telegram bot. The Telegram API is used to connect to the bot; it requires a token and some other arguments. The token identifies each individual bot and in this case is hardcoded in the code (Figure 3). The API endpoint ‘sendMessage’ specifies the command sent to the bot, to which the bot responds automatically. The endpoint also requires additional arguments (chat_id), which are likewise hardcoded in the code. Finally, the device information itself is sent to the bot.

Figure 4 Exfiltration of data to Telegram

Once this information is exfiltrated to the Telegram bot, the malware opens a purportedly safe website that distracts the victim and lulls them into a false sense of security. This call is shown in Figure 5. The website appears to be a shopping site (Figure 6) and is otherwise unrelated to the functionality of the malware.

Figure 5 Call to a “safe” website

Figure 6 The safe website is innocuous

Based on code analysis, we know that the malware intercepts incoming SMS messages on the compromised device. This allows the scammers to acquire several pieces of sensitive data, including but not limited to personally identifiable information and one-time passwords. Such information can be misused in several ways, including hijacking banking sessions and selling stolen credentials.

Features of Telegram C2

Setting up an independent C2 server without services like Telegram requires effort on the part of the attacker, plus ongoing maintenance. Further, an independent C2 server carries the risk of authorities detecting and taking it down. Instead, hosting the C2 on Telegram, as the sample under consideration does, has the following advantages:

  • Generated traffic appears legitimate because it goes to Telegram. Some security systems can be bypassed, as no malicious external IPs are associated with the malware.
  • Using the API to connect to Telegram does not require installing any Telegram software on victim devices.
  • Telegram end-to-end encrypts communication, making it advantageous for the attackers.
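Because the exfiltration described in Figure 4 goes to Telegram's own API host, IP-based blocking does not help; what does stand out is the Bot API path shape (a numeric bot id, a token, and a method such as sendMessage, plus a chat_id parameter) in egress logs from a device that has no reason to run a bot. This added detection example is not part of the original post; the log lines, bot id, token and chat_id are constructed placeholders, and the token is never written to the output.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (timestamp, client IP, method, URL, status); values are placeholders.
SAMPLE_LOG = """\
2024-03-13T10:01:02Z 10.0.0.12 GET https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendMessage?chat_id=987654321&text=Brand%3Aexample 200
2024-03-13T10:01:05Z 10.0.0.12 GET https://example-shop.invalid/ 200
2024-03-13T10:02:11Z 10.0.0.12 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument 200
2024-03-13T10:03:00Z 10.0.0.15 GET https://api.telegram.org/ 200
"""

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the id is kept, the secret is discarded.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

def find_telegram_bot_hits(log_text):
    """Return one record per request that matches the Bot API call shape used for exfiltration."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _http_method, url = parts[:4]
        u = urlsplit(url)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if not m:
            continue  # the host alone is not a strong signal; require the bot-token path shape
        bot_id, _secret, api_method = m.groups()
        chat_id = parse_qs(u.query).get("chat_id", [None])[0]
        hits.append({"time": ts, "src": src, "bot_id": bot_id,
                     "api_method": api_method, "chat_id": chat_id})
    return hits

if __name__ == "__main__":
    for hit in find_telegram_bot_hits(SAMPLE_LOG):
        print(hit)
```

Correlating the bot_id and chat_id across devices links infections to the same operator, and the same path pattern can be applied to strings extracted from the APK, where the post notes the token is hardcoded.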

Removal of this malware

We used the sample d4dd9f3c383ca894696a6cc8b923a037b4df1c6ab25496d204dfb53c79ea221c for analysis. Even though this app stays hidden after installation, it can still be uninstalled as follows:

Settings → Apps and notifications → App info → Select the empty app (this app has no name) → Uninstall

F-Secure Total detects this as Android/SMS.Thief.FRMC.Gen.

Conclusion

As the scam threat landscape evolves continuously, security providers need to stay acquainted with it to protect their customers. In this blog we saw how a single elderly scam campaign encompasses several aspects of the scam landscape. It begins as a scam campaign that ends up targeting the elderly. It uses WhatsApp as its medium of communication, then lures victims into installing an APK that exfiltrates user data to a C2 server hosted on Telegram. Such multifaceted scams are indeed becoming the order of the day.
