
Security Research

Android apps targeting JIO users in India

April 08, 2021 - 12 min read


In March 2021, through the Zscaler cloud we identified a few download requests for malicious Android applications hosted on sites crafted by the threat actor to social engineer users in India. This threat actor leverages the latest events and news related to India as a social engineering theme in order to lure users into downloading and installing these malicious Android apps.

We identified several GitHub accounts hosting malicious Android mobile apps (APK files) and web pages that are actively used in this campaign.

One of the Android apps masquerades as a TikTok App. In 2020, the TikTok app was banned by the government of India. Attackers are leveraging that theme to lure the users by misinforming them that TikTok is available in India again.

Another instance we observed recently involved the threat actor leveraging a “Free Lenovo Laptop” scheme by the Indian government.

In this blog, we describe the complete infection chain and the timeline of this threat actor, highlighting how they have changed the theme over time to distribute the malicious Android apps.


Per our research, this threat actor has been active in-the-wild since as early as March 2020. We observed a pattern in their tactics, techniques and procedures (TTPs). They leverage popular themes and current events in India and use them as a social engineering technique to lure the user to download their application.

The graphical timeline below shows the different themes used by the threat actor over a period of time.


Figure 1: Timeline showing different themes used by threat actor

Attack flow

The infection chain begins with an SMS or a WhatsApp message in which the user receives a shortened URL that ultimately redirects to a website hosted on Weebly and controlled by the attacker. The content of this site is crafted around current events in India and used for social engineering.

Figure 2: Attack flow

In the original download request we observed in the Zscaler cloud, the user-agent string was: WhatsApp/, which indicated to us that the user had clicked the link in a WhatsApp message.
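The delivery chain described above (a link opened from WhatsApp that ends in an APK download from an attacker-registered GitHub account) is a pattern a web proxy can flag. The following is an added detection example written for this post, not code from the original analysis: it parses a constructed proxy-log format (the field layout is an assumption), matches the WhatsApp/ user-agent prefix the post reports, and flags .apk downloads from GitHub hostnames (the concrete hostnames are an assumption, since the post elides the download links).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts that served the campaign's APK files. The post states the APKs were
# hosted on attacker-registered GitHub accounts; these concrete hostnames are
# an assumption, since the post does not print the download links.
APK_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}

# User-agent prefix observed in the original download request (from the post).
MESSAGING_UA_PREFIXES = ("WhatsApp/",)

# Constructed log format (assumption), one request per line:
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    client: str
    url: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_apk_from_code_host(url: str) -> bool:
    """True when the URL points at an .apk file on one of APK_HOSTS."""
    parts = urlsplit(url)
    return parts.hostname in APK_HOSTS and parts.path.lower().endswith(".apk")


def is_messaging_client(ua: str) -> bool:
    """True when the request came from a messaging app's in-app link handler."""
    return ua.startswith(MESSAGING_UA_PREFIXES)


def detect(lines: List[str]) -> List[Alert]:
    """Flag APK downloads from a code host that were initiated by a
    messaging-app client, i.e. the delivery pattern described in the post."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_apk_from_code_host(rec["url"]):
            continue
        if is_messaging_client(rec["ua"]):
            alerts.append(Alert(rec["ts"], rec["client"], rec["url"],
                                "APK fetched from code host via messaging-app link"))
    return alerts


# Constructed sample log lines (not real telemetry); the account name and
# file name are placeholders.
SAMPLE_LOG = [
    '2021-03-10T09:14:02Z 10.0.0.12 GET https://github.com/EXAMPLE_ACCOUNT/raw/main/TiktokPro.apk 200 "WhatsApp/2.21.4.18 A"',
    '2021-03-10T09:14:05Z 10.0.0.12 GET https://example.com/index.html 200 "WhatsApp/2.21.4.18 A"',
    '2021-03-10T09:15:41Z 10.0.0.33 GET https://raw.githubusercontent.com/EXAMPLE_ACCOUNT/repo/main/app.apk 200 "Mozilla/5.0 (Linux; Android 10) Chrome/89.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.url} :: {a.reason}")
```

A legitimate APK fetched from GitHub through a WhatsApp link is possible, so treat the alert as a triage lead: pivot on the client, the shortener that preceded the download and the Weebly page in between, rather than blocking on this match alone.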

As an example, in one instance the shortened URL redirected the user to the website https://tiktokplus[.] shown in Figure 3.

Shortened link: http://tiny[.]cc/Tiktok_pro
URL: https://tiktokplus[.]
GitHub download link: 

Figure 3

This webpage misinforms the user that the TikTok application is available again in India and lures them to download it. The actual APK file is hosted on an attacker-controlled GitHub account.

GitHub account name: breakingnewsIndia
GitHub download link:

During our research on this threat actor, we also identified several more GitHub accounts and the complete list is available in the Indicators of Compromise (IOC) section.

Figure 4 and Figure 5 show two more such GitHub accounts.

Figure 4

Fivegcovert (5G Covert)

Figure 5

The latest theme used by this threat actor is related to “Free Lenovo laptop scheme by Indian Government”.

Shortened URL: hxxps://tiny[.]cc/Register-Laptop
Final URL: hxxps://govlapp[.]

MD5 hash of APK file: f9e5fac6a4873f0d74ae37b246692a40
Package name: com.jijaei.pikapinjan

Figure 6 shows the website crafted by the attacker and hosted on which misinforms the user and lures them to download the APK file.

Figure 6

Technical analysis

For the purpose of technical analysis we will look at the APK file with MD5 hash: 5e0ac8784dae349cfa840cbef5bd3dfb

Package name: heartrate.tracker.cameras
Main activity: heartrate.tracker.cameras.MainActivity

The important code sections are discussed below.

// MainActivity

MainActivity does nothing more than call datalaile.class.

// datalaile.class

The datalaile.class performs the following operations:

  1. Checks whether the required permissions are granted.
  2. If the permissions are not granted, requests them; if the user denies them, shows a popup message reading “Need Permission to start app!!” and asks the user for the permissions again.
  3. Starts the malicious service from “felavo.class” once the permissions are granted.
  4. Displays a form for Username and Password input.
  5. Validates the entered Username and performs further operations.

Figure 7: Getting permissions and starting malicious service

Username Validation

Although the error message implies that the Username is expected to be a mobile number, there is no explicit check for that. The code only checks that the Username is at least 4 characters long; otherwise it displays a message asking the user to enter the correct number.

Figure 8: Username validation

If the check passes, a popup message to start TikTok is shown; clicking it calls sendmsg.class.

// sendmsg.class

The sendmsg.class prompts the user to share the app 10 times on WhatsApp. There is no check for whether WhatsApp is installed. If WhatsApp is not installed, a Toast message “WhatsApp not Installed” is shown, but the counter still decrements.

The shared message has the following content:

“*Tiktok is back in India*\n\n*Enjoy Tiktok Videos again and also*\n*make Creative videos again with*\n*new Features.*\n\n*Tiktok is now Partner with Jio.*\n\n*NOTE : All users can use their old Id.*\n\n*Now Tiktok is only available on*\n*TiktokPro android app.*\n\n*Link:*” 

As we can see, the above message contains a shortened URL which lures the user into downloading this malicious app.

Figure 9 shows the code flow for sharing the app on WhatsApp.

Figure 9: Sharing app on WhatsApp

Figure 10 shows the interface displayed by the app which prompts the user to share it with their contacts through WhatsApp 10 times.

Figure 10: Message shown to user to prompt sharing with contacts through WhatsApp

After the app has been shared 10 times on WhatsApp, the user is shown a congratulation message with a Continue button; clicking it calls clickendra.class.

// clickendra.class

The clickendra.class asks the user to perform a few more steps to get started with the app, then displays some Ads to the user and finally shows a message that Tiktok will start in 1-HOUR.

Figure 11 below shows the final message displayed to the user.

Figure 11: 1-HOUR app start message displayed to the user

Display Ads

These apps are used by the threat actor to generate revenue by displaying interstitial advertisements to the user. There are two software development kits (SDKs) used for this purpose. If it fails to retrieve advertisements using one SDK, then it uses the next SDK as a failover mechanism.

The following two SDKs were used in the app.

  1. AppLovin
  2. StartApp

First, the AppLovin SDK is initialized and its context is set. To display advertisements through the AppLovin SDK, a developer needs an SDK key obtained from the AppLovin interface. In this app, the SDK key is configured in AndroidManifest.xml, as shown in Figure 12.

Figure 12: AppLovin SDK key configured in AndroidManifest.xml file

Before the ads are displayed, a fake view containing a fake text message and a fake progress bar is created on top of all other elements.

After the fake view is set, a request to fetch the ads is sent. If an ad is received successfully, it is displayed and the fake progress bar is hidden; otherwise a request to load the next ad is sent.

If the next ad load request also fails, the StartApp SDK is initialized to load the ads. If the StartApp SDK is also unable to receive an ad, “lastactivity.class” is called.

Figure 13 below shows the ad displayed to the user.

Figure 13: Ad displayed to the user

// lastactivity.class

It changes the content view, initializes the StartApp SDK again and creates a fake progress bar as earlier. If the Ad is received, then it is displayed to the user, else the message shown in Figure 11 above is displayed and no further activity is done. 

// Inside the service felavo.class

The main objective of the code implemented for the service is to spread the malware to more users. The service felavo.class performs the following operations:


The decoy message used to spread the application is stored in encrypted form. In the initialization phase the service configures the cryptographic context which is later used to decrypt the decoy message. 

Note: In some cases this is just leftover code that executes, but the decrypted decoy message is never used. Instead, a hard-coded message is already configured in the function where the decrypted decoy message is supposed to be used.

Among all the analysed samples we found two cryptographic algorithms in use:

  1. AES/CBC/NoPadding, with the 128-bit key: 9876543210wsxzaq
  2. DESede, with the key: ThisIsSpartaThisIsSparta

SMS-based spreading

The service spreads the malware through SMS. Currently the malware targets only the JIO customer base. Before sending an SMS to any number in the infected device’s contact list, the malware confirms that the number’s operator is JIO. The methods of identification are explained under the Contacts Operator Identification section.

SIM Identification

SIM identification is done to determine the SIM slot to be used later for sending the SMS.

To identify the SIM card, the following operations are performed:

  1. If the Android SDK version is >= 22 and the READ_PHONE_STATE permission is granted, fetch the SIM slot number and carrier name; otherwise fetch the operator names corresponding to the SIM cards on the current device.
  2. Check whether the fetched information contains JIO, AIRTEL, IDEA, VODAFONE or VI.
  3. If any of the above strings is present, check and return the SIM slot number; otherwise return the value “default”.

Figure 14: Fetching SIM information

Figure 15: Matching operator string

Contacts Operator Identification

As stated earlier, the attacker’s targeted user base is JIO users. The numbers in the user’s contact list are identified as JIO users in two steps:

Note: Before identification, all the contacts are fetched, sanitized, normalized to the expected format and saved in a list.

Step-1: There is a hardcoded list of the first 4 digits of mobile numbers that are specific to JIO. All the retrieved contacts are checked against this list and a separate list of identified contacts is created.

Figure 16 below shows the code that takes a mobile number as input and checks its first 4 digits.

Figure 16: Checks first 4 digits of the mobile number

Step-2: The numbers not identified in the first step are checked again by sending a network request to the URL “”, configured with all the required parameters. Contacts identified this way are stored in another separate list.

Figure 17 below shows the network request sent with the required parameters and the checks performed on the response data.

Figure 17: Sending network request and checking response

If the response code indicates success, the code performs two checks:

  1. If the response data contains “NOT_SUBSCRIBED_USER”, the mobile number does not belong to a JIO user.
  2. If the response data contains the mobile number being checked, it is a registered JIO user.

Sending SMS

The SIM slot used to send the SMS is chosen from the value of the second parameter, which is the value obtained in the SIM Identification section.

Figure 18 below shows the code snippet responsible for sending the SMS.

Figure 18: Sending SMS

Zscaler cloud sandbox report

Figure 19 shows the Zscaler Cloud Sandbox successfully detecting this Android mobile-based threat.

Figure 19: Zscaler cloud sandbox report


Summary of TTPs

We can summarise the tactics, techniques and procedures (TTPs) as follows.

  • They use a URL shortening service to create the shortened URLs that are sent in messages during the spreading stage.
  • Web pages are hosted on on an attacker-controlled account.
  • The actual APK file is hosted on a GitHub account registered by the attacker. The names of these accounts are chosen to look relevant to India or to themes popular in India.
  • The AES / DES decryption keys in the code are re-used by the threat actor across samples.
  • Users of the JIO mobile service provider in India are specifically targeted.
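The re-used decryption keys and the fixed package, class and decoy strings named in this post are static indicators that can be checked without running a sample. The following is an added example, not code from the original post: a Python triage routine that scores an APK from its package name, declared permissions and the strings extracted from it. The indicator values come from this post; the scoring weights, the permission heuristic and the sample inputs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators taken from the post: the two keys it reports as re-used across
# samples, the two package names it prints, the class names from the
# analysed sample, and fragments of the decoy message and probe response.
REUSED_KEYS = {
    "9876543210wsxzaq": "AES/CBC/NoPadding key reported in the post",
    "ThisIsSpartaThisIsSparta": "DESede key reported in the post",
}
KNOWN_PACKAGES = {"heartrate.tracker.cameras", "com.jijaei.pikapinjan"}
KNOWN_CLASS_NAMES = {"datalaile", "felavo", "sendmsg", "clickendra", "lastactivity"}
DECOY_FRAGMENTS = {"Tiktok is back in India", "NOT_SUBSCRIBED_USER"}

# Permission set the described behaviour needs (SMS spreading, contact
# harvesting, SIM lookup). Treating all three together as a signal is a
# constructed heuristic, not a statement the post makes about the manifest.
SPREADING_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}


@dataclass
class TriageResult:
    score: int = 0
    hits: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Threshold chosen for the example: one strong indicator plus a weak one.
        return "likely JIO-campaign sample" if self.score >= 4 else "no strong match"


def triage(package_name: str, permissions: Iterable[str], strings: Iterable[str]) -> TriageResult:
    """Score an APK from its package name, declared permissions and the
    strings pulled out of its classes.dex and resources."""
    r = TriageResult()
    perms = set(permissions)
    strs = set(strings)

    if package_name in KNOWN_PACKAGES:
        r.score += 3
        r.hits.append(f"known package name: {package_name}")
    for key, why in REUSED_KEYS.items():
        if key in strs:
            r.score += 3
            r.hits.append(f"re-used crypto key ({why})")
    found_classes = KNOWN_CLASS_NAMES & strs
    if found_classes:
        r.score += len(found_classes)
        r.hits.append("class names from the analysed sample: " + ", ".join(sorted(found_classes)))
    for frag in DECOY_FRAGMENTS:
        # Substring match: the decoy text is wrapped in markdown-style asterisks.
        if any(frag in s for s in strs):
            r.score += 1
            r.hits.append(f"decoy/probe string: {frag!r}")
    if SPREADING_PERMISSIONS <= perms:
        r.score += 2
        r.hits.append("SEND_SMS + READ_CONTACTS + READ_PHONE_STATE declared")
    return r


# Constructed inputs, not taken from a real file.
SUSPECT_STRINGS = [
    "AES/CBC/NoPadding", "9876543210wsxzaq", "felavo", "sendmsg",
    "*Tiktok is back in India*", "android.telephony.SmsManager",
]
SUSPECT_PERMS = [
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.INTERNET",
]
BENIGN_STRINGS = ["AES/CBC/PKCS5Padding", "com.example.util.Logger"]
BENIGN_PERMS = ["android.permission.INTERNET"]

if __name__ == "__main__":
    for name, perms, strs in [("heartrate.tracker.cameras", SUSPECT_PERMS, SUSPECT_STRINGS),
                              ("com.example.notes", BENIGN_PERMS, BENIGN_STRINGS)]:
        res = triage(name, perms, strs)
        print(name, res.score, res.verdict, res.hits)
```

Key and class-name matches carry the most weight because the post reports them as stable across samples, whereas package names and decoy wording change with each theme; a sample that matches only on permissions is a weak lead that needs the sandbox verdict shown below to confirm.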


This threat actor stays up-to-date with the latest events in India and leverages them for social engineering.

Users must exercise caution before downloading and installing Android applications from untrusted and third-party sources, even if the links are received from mutual contacts on their Android device. As seen in this attack, the malicious download links are sent through the user’s existing contact list.

Apps such as TikTok must only be downloaded from official sources.

The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.







  • Obfuscated Files or Information: strings inside the app are encrypted using AES or DES.
  • Access Contact List: filters JIO contacts from the user’s contact list.
  • Deliver Malicious App via Other Means: delivers the app via WhatsApp or SMS spam.
  • Masquerade as Legitimate Application: apps are created around legitimate, popular themes.
  • SMS Control: sends SMS in the background.


Indicators of Compromise

MD5 hashes

// Laptop Theme


// PUBG Theme


// Cricket Theme


// Corona Theme


// TikTok Theme

Note: This is the truncated MD5 list


// JIO theme


Few unique package names


Few distribution URLs


Github usernames


