In March 2021, through the Zscaler cloud we identified a few download requests for malicious Android applications hosted on sites crafted by the threat actor to social engineer users in India. This threat actor leverages the latest events and news related to India as a social engineering theme in order to lure users into downloading and installing these malicious Android apps.
We identified several GitHub accounts hosting malicious Android mobile apps (APK files) and web pages that are actively used in this campaign.
One of the Android apps masquerades as the TikTok app. In 2020, the TikTok app was banned by the government of India. Attackers leverage that theme to lure users by misinforming them that TikTok is available in India again.
Another instance we observed recently involved the threat actor leveraging a “Free Lenovo Laptop” scheme attributed to the Indian government.
In this blog, we describe the complete infection chain and the timeline of this threat actor, highlighting how they have changed the theme over time to distribute the malicious Android apps.
Per our research, this threat actor has been active in the wild since as early as March 2020. We observed a pattern in their tactics, techniques and procedures (TTPs): they leverage popular themes and current events in India as a social engineering technique to lure the user into downloading their application.
The graphical timeline below shows the different themes used by the threat actor over a period of time.
Figure 1: Timeline showing different themes used by threat actor
The infection chain begins with an SMS or WhatsApp message in which the user receives a shortened URL that ultimately redirects to a website hosted on Weebly and controlled by the attacker. The content of this site is crafted around current events in India and used for social engineering.
Figure 2: Attack flow
In the original download request we observed in the Zscaler cloud, the user-agent string was WhatsApp/220.127.116.11, which indicated to us that the link was clicked by the user in a WhatsApp message.
As an example, in one of the instances the shortened URL redirected the user to the website https://tiktokplus[.]weebly.com/, which is shown in Figure 3.
Shortened link: http://tiny[.]cc/Tiktok_pro
GitHub download link: https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h.apk
This webpage misinforms the user that the TikTok application is available again in India and lures them into downloading it. The actual APK file is hosted in an attacker-controlled GitHub account.
GitHub account name: breakingnewsIndia
GitHub repository: https://github.com/breakingnewsindia/t1/
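The request sequence just described (a shortened link opened from WhatsApp, a Weebly lure page, then an APK pulled from a GitHub repository) can be turned into a simple proxy-log detection. The Python script below is an added example written for this article; it is not Zscaler tooling and not code from the sample. The log format and every log line in it are constructed for the example, with the user-agent string taken verbatim from the request quoted above and the URLs written in their real, non-defanged form as they would appear in a log. It parses the lines, applies per-request rules, and reports clients that show the whole chain.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client IP, method, URL, status, quoted
# user-agent. The format and every line are made up for this example.
SAMPLE_LOG = """\
2021-03-12T10:01:05Z 10.0.0.21 GET http://tiny.cc/Tiktok_pro 302 "WhatsApp/220.127.116.11"
2021-03-12T10:01:06Z 10.0.0.21 GET https://tiktokplus.weebly.com/ 200 "WhatsApp/220.127.116.11"
2021-03-12T10:01:20Z 10.0.0.21 GET https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h.apk 302 "Mozilla/5.0 (Linux; Android 10) Chrome/89"
2021-03-12T10:01:21Z 10.0.0.21 GET https://raw.githubusercontent.com/breakingnewsindia/t1/main/Tiktik-h.apk 200 "Mozilla/5.0 (Linux; Android 10) Chrome/89"
2021-03-12T10:05:00Z 10.0.0.33 GET https://github.com/python/cpython/raw/main/README.rst 302 "Mozilla/5.0 (Windows NT 10.0) Chrome/89"
2021-03-12T10:06:00Z 10.0.0.44 GET https://example.com/app.apk 200 "Mozilla/5.0 (Linux; Android 11) Chrome/89"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Hosts from the chain described in the article: the URL shortener used for
# the lure and the GitHub hosts from which the APK is fetched.
SHORTENER_HOSTS = {"tiny.cc"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def match_rules(entry):
    """Return the set of rule names that fire on a single request."""
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    path = u.path.lower()
    hits = set()
    if entry["ua"].startswith("WhatsApp/"):
        hits.add("whatsapp_ua")          # link opened from inside WhatsApp
    if host in SHORTENER_HOSTS:
        hits.add("url_shortener")        # lure delivered as a shortened link
    if path.endswith(".apk"):
        hits.add("apk_download")         # side-loaded Android package
        if host in GITHUB_HOSTS:
            hits.add("github_raw_apk")   # APK served out of a GitHub repo
    return hits


def per_client_hits(log_text):
    """Aggregate rule hits per client IP across all parseable lines."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits.setdefault(entry["client"], set()).update(match_rules(entry))
    return hits


def full_chain_clients(log_text):
    """Clients showing the complete lure chain: a WhatsApp click, a
    shortener, and an APK fetched from GitHub."""
    needed = {"whatsapp_ua", "url_shortener", "github_raw_apk"}
    return sorted(c for c, h in per_client_hits(log_text).items() if needed <= h)


if __name__ == "__main__":
    for client, hits in per_client_hits(SAMPLE_LOG).items():
        print(client, sorted(hits))
    print("full chain:", full_chain_clients(SAMPLE_LOG))
```

A WhatsApp user-agent on its own is just a normal link click, and plenty of legitimate files are fetched from GitHub; it is the combination of a shortener, a WhatsApp referral and a side-loaded APK from a code-hosting site that is worth an alert, which is why full_chain_clients requires all three. The per-client aggregation is deliberately simple and ignores timing; a production rule would bound the window between the click and the APK download.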
During our research on this threat actor, we also identified several more GitHub accounts and the complete list is available in the Indicators of Compromise (IOC) section.
Figure 4 and Figure 5 show two more such GitHub accounts.
Fivegcovert (5G Covert)
The latest theme used by this threat actor relates to a “Free Lenovo laptop scheme by the Indian Government”.
Shortened URL: hxxps://tiny[.]cc/Register-Laptop
Final URL: hxxps://govlapp[.]weebly.com/
MD5 hash of APK file: f9e5fac6a4873f0d74ae37b246692a40
Package name: com.jijaei.pikapinjan
Figure 6 shows the website crafted by the attacker and hosted on weebly.com, which misinforms the user and lures them into downloading the APK file.
For the purpose of technical analysis we will look at the APK file with MD5 hash: 5e0ac8784dae349cfa840cbef5bd3dfb
Package name: heartrate.tracker.cameras
Important code sections are included below.
MainActivity does nothing more than call datalaile.class.
datalaile.class performs the following operations:
Figure 7: Getting permissions and starting malicious service
Although the error message implies that the Username is expected to be a mobile number, there is no explicit check for that. The app only checks that the Username is at least 4 characters long; otherwise it displays a message asking the user to enter the correct number.
Figure 8: Username validation
If the check passes, the app shows a popup message to start TikTok which, when clicked, calls sendmsg.class.
sendmsg.class prompts the user to share the app 10 times on WhatsApp. There is no check for whether WhatsApp is installed: if it is not, a Toast message “WhatsApp not Installed” is shown, but the share counter still decrements.
The shared message has the following content:
“*Tiktok is back in India*\n\n*Enjoy Tiktok Videos again and also*\n*make Creative videos again with*\n*new Features.*\n\n*Tiktok is now Partner with Jio.*\n\n*NOTE : All users can use their old Id.*\n\n*Now Tiktok is only available on*\n*TiktokPro android app.*\n\n*Link:* http://tiny.cc/Tiktok_pro”
As we can see, the above message contains a shortened URL that lures the recipient into downloading this malicious app.
Figure 9 shows the code flow for sharing the app on WhatsApp.
Figure 9: Sharing app on WhatsApp
Figure 10 shows the interface displayed by the app which prompts the user to share it with their contacts through WhatsApp 10 times.
Figure 10: Message shown to user to prompt sharing with contacts through WhatsApp
After the app has been shared 10 times on WhatsApp, the user is shown a congratulation message with a Continue button which, when clicked, calls clickendra.class.
clickendra.class asks the user to perform a few more steps to get started with the app, then displays some ads to the user and finally shows a message that TikTok will start in 1 HOUR.
Figure 11 below shows the final message displayed to the user.
Figure 11: 1-HOUR app start message displayed to the user
These apps are used by the threat actor to generate revenue by displaying interstitial advertisements to the user. Two software development kits (SDKs) are used for this purpose. If the app fails to retrieve advertisements using one SDK, it falls back to the next SDK.
The following two SDKs were used in the app:
At first, the AppLovin SDK is initialized and its context is set. To use the AppLovin SDK to display advertisements, a developer needs an SDK key obtained from the AppLovin interface. In the case of this app, the SDK key is configured in AndroidManifest.xml as shown in Figure 12.
Figure 12: AppLovin SDK key configured in AndroidManifest.xml file
Before displaying the ads, a fake view is created for the user, containing a fake text message and a fake progress bar on top of all the other elements.
After setting the fake view, a request to fetch the ads is sent. If an ad is received successfully, it is displayed and the fake progress bar is hidden; otherwise a request to load the next ad is sent.
If the next ad load request also fails, the StartApp SDK is initialized to load the ads. If the StartApp SDK is also unable to receive an ad, lastactivity.class is called.
Figure 13 below shows the ad displayed to the user.
Figure 13: Ad displayed to the user
lastactivity.class changes the content view, initializes the StartApp SDK again and creates a fake progress bar as before. If an ad is received, it is displayed to the user; otherwise the message shown in Figure 11 above is displayed and no further activity takes place.
The main objective of the code implemented in the service is to spread the malware to more users. The service felavo.class performs the following operations:
The decoy message used to spread the application is stored in encrypted form. In the initialization phase, the service configures the cryptographic context that is later used to decrypt the decoy message.
Note: In some cases this is just leftover code that executes, but the decrypted decoy message is never used. Instead, a hardcoded message is already configured in the function where the decrypted decoy message is supposed to be used.
Among all the analysed samples, we found two cryptographic algorithms in use:
128-bit Key: 9876543210wsxzaq
The spreading operation performed by the service is through SMS. Currently the malware targets only the JIO customer base. Before sending the SMS to any number in the infected device’s contact list, the malware confirms that the number's operator is JIO. The methods of identification are explained under the Contacts Operator Identification section.
SIM identification is done to determine the SIM slot to be used later for sending the SMS.
To identify the SIM card, the following operations are performed:
Figure 14: Fetching SIM information
Figure 15: Matching operator string
As stated earlier, the targeted user base for the attacker is JIO users. The numbers in the user’s contact list are identified as JIO users in two steps:
Note: Before identification, all contacts are fetched, sanitized, processed into the specified format and then saved in a list.
Step-1: There is a hardcoded list of the first 4 digits of mobile numbers that are specific to JIO. All retrieved contacts are checked against this list and a separate list of identified contacts is created.
Figure 16 below shows the code which takes the mobile number as input and checks its first 4 digits.
Figure 16: Checks first 4 digits of the mobile number
Step-2: The numbers not identified in the first step are checked again by sending a network request to the URL “https://www.jio.com/api/jio-recharge-service/recharge/mobility/number/”, configured with all the required parameters. Identified contacts are again stored in a separate list.
Figure 17 below shows the network request sent with the required parameters and the checks performed on the response data.
Figure 17: Sending network request and checking response
If the response code indicates success, it performs two checks:
The SIM slot used to send the SMS is identified based on the value of the second parameter, which is the value obtained in the SIM identification section.
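The two-stage contact filtering described above, reconstructed in Python as an added example for this article; this is not the sample's own code, which is Java. The 4-digit prefixes, the contact entries and the offline lookup set are all made up for the example: the real sample uses a hardcoded prefix list that this analysis does not reproduce, and its second step queries the Jio recharge API, which is replaced here by an injectable lookup function backed by a constructed set. The normalisation rules (drop a +91 country code or a leading 0 and keep a 10-digit number whose first digit is 6 to 9) are an assumption about what the page calls the "specified format".

```python
import re

# Hypothetical 4-digit prefixes standing in for the sample's hardcoded list.
# These are made up for the example and are not real operator allocations.
STEP1_PREFIXES = {"7000", "7001", "8999"}

# Constructed stand-in for the step-2 network lookup: numbers the "operator
# API" would report as JIO. In the sample this is an HTTP request.
KNOWN_JIO = {"9123456789"}

# Constructed contact list with the kinds of formatting a real address book
# contains: spaces, dashes, country code, trunk zero, duplicates, junk.
SAMPLE_CONTACTS = [
    "+91 7000 123456",
    "07001123456",
    "9123456789",
    "8999 00 11 22",
    "+91-9123456789",   # duplicate of an earlier entry once normalised
    "6543210987",
    "12345",            # too short to be a mobile number
]


def normalise_number(raw):
    """Reduce a contact entry to a 10-digit Indian mobile number, or None.
    Assumed rules: strip non-digits, drop a 91 country code or a leading 0,
    keep only 10-digit numbers starting with 6, 7, 8 or 9."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 12 and digits.startswith("91"):
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("0"):
        digits = digits[1:]
    if len(digits) != 10 or digits[0] not in "6789":
        return None
    return digits


def offline_lookup(number):
    """Constructed replacement for the step-2 API call."""
    return number in KNOWN_JIO


def classify_contacts(contacts, lookup):
    """Split contacts the way the service does: step-1 by prefix, step-2 by
    lookup for the rest. Returns (step1_hits, step2_hits, not_jio)."""
    seen, step1, step2, other = set(), [], [], []
    for raw in contacts:
        number = normalise_number(raw)
        if number is None or number in seen:
            continue
        seen.add(number)
        if number[:4] in STEP1_PREFIXES:
            step1.append(number)       # decided locally, no network needed
        elif lookup(number):
            step2.append(number)       # decided by the operator lookup
        else:
            other.append(number)       # never messaged by the sample
    return step1, step2, other


if __name__ == "__main__":
    s1, s2, rest = classify_contacts(SAMPLE_CONTACTS, offline_lookup)
    print("step-1 prefix hits:", s1)
    print("step-2 lookup hits:", s2)
    print("not targeted:", rest)
```

Splitting the work this way keeps the number of network requests down: only contacts the prefix list cannot decide generate a lookup, which is also why a network-level detection on the recharge API sees a burst of requests only for the remainder of the address book rather than every entry.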
Figure 18 below shows the code snippet responsible for sending the SMS.
Figure 18: Sending SMS
Figure 19 shows the Zscaler Cloud Sandbox successfully detecting this Android mobile-based threat.
Figure 19: Zscaler cloud sandbox report
We can summarise the tactics, techniques and procedures (TTPs) as follows.
This threat actor stays up-to-date with the latest events in India and leverages them for social engineering.
Users must exercise caution before downloading and installing Android applications from untrusted and third-party sources, even if the links are received from known contacts. As seen in this attack, the malicious download links are sent to the numbers in the infected user's existing contact list.
Apps such as TikTok must only be downloaded from official sources.
The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.
Obfuscated Files or Information: Strings inside the app are encrypted using AES or DES
Access Contact List: Filters JIO contacts from the user’s contact list
Deliver Malicious App via Other Means: Delivers the app via WhatsApp or SMS spam
Masquerade as Legitimate Application: Apps are built around legitimate themes
Send SMS in the background
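To turn the string indicators recovered in this analysis (the hardcoded AES key, the Jio lookup URL, the tiny.cc lure links and the decoy text) into a quick triage check, the following Python scanner is added for this article; it is not the Zscaler sandbox or any tooling from the page. It assumes those values are present as plain string constants inside classes.dex or the assets, as a raw grep of the decompiled code would find them, and the APK it builds for itself is a constructed zip with a fake classes.dex rather than a real package. The defanged URLs from the text are written here in their real form so they match what is actually embedded in a sample.

```python
import io
import zipfile

# String indicators taken from the analysis above, as bytes so they match
# in classes.dex (MUTF-8 keeps ASCII verbatim) and in resource files alike.
INDICATORS = {
    "aes_key":      b"9876543210wsxzaq",
    "jio_lookup":   b"jio.com/api/jio-recharge-service/recharge/mobility/number/",
    "tiktok_short": b"tiny.cc/Tiktok_pro",
    "laptop_short": b"tiny.cc/Register-Laptop",
    "lure_text":    b"Tiktok is back in India",
}

# Indicators that identify this family on their own; the rest only raise
# suspicion because a lure link or decoy text could appear in a benign app.
STRONG = {"aes_key", "jio_lookup"}


def scan_apk(apk_bytes):
    """Open an APK (a zip) from memory and record which indicator appears in
    which entry. Returns {indicator_name: [entry names]}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            for name, needle in INDICATORS.items():
                if needle in data:
                    found.setdefault(name, []).append(info.filename)
    return found


def verdict(found):
    """Collapse the scan result into a triage label."""
    if STRONG.intersection(found):
        return "malicious"
    if found:
        return "suspicious"
    return "clean"


def build_sample_apk(strings):
    """Constructed stand-in for an APK: a zip holding a placeholder
    AndroidManifest.xml and a fake classes.dex made of the given byte
    strings. Neither entry is a real manifest or dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(strings))
    return buf.getvalue()


# Constructed sample carrying the key and the lookup URL, as the analysed
# APK would if the strings were not obfuscated.
SAMPLE_APK = build_sample_apk([
    INDICATORS["aes_key"],
    b"https://www." + INDICATORS["jio_lookup"],
])


if __name__ == "__main__":
    hits = scan_apk(SAMPLE_APK)
    print(hits)
    print("verdict:", verdict(hits))
```

Because the article notes that strings inside the app are AES- or DES-encrypted in some samples, a miss on the lure text or the short link does not clear a file; the key itself and the lookup URL are the indicators to rely on, and a "clean" result from this scanner is only a negative for samples that keep those values in the clear.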
// Laptop Theme
// PUBG Theme
// Cricket Theme
// Corona Theme
// TikTok Theme
Note: This is the truncated MD5 list
// JIO theme
A few unique package names
A few distribution URLs