All of these samples use Spynote RAT.<\/p>\n
Spynote:<\/strong><\/h5>\nSpynote is a RAT (Remote Administration tool), which allows malware authors to take complete takeover of an infected device. It has different versions that has evolved over time and provides different features for spying on infected devices. These features mainly include stealing SMS messages, contact details etc. Spynote has its own site \u2013 spynote[.]us. The domain is seized by FBI recently.<\/p>\n
![\"screen-shot](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig1-300x158.png\")
<\/p>\n
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0fig.1 Seized Spynote domain<\/p>\n
Here is a comparison of the old malware APK and the recent Aarogya Setu Fake application<\/strong>,<\/p>\nOld Malware sample IOC : 7ab951806650fb865436f03dedc0555b<\/p>\n
Aarogya Setu Fake sample IOC : df5698d5aef850b217cbbfa9789bd347<\/p>\n
Both these apps carry legitimate application in its “res\/raw” directory named as “google.apk”. These files are of applications which they want to make as a target. For this Aarogya Setu Fake app it is an apk file of Official Aarogya Setu app. At the time of launch, the malware installs this legitimate application and hides itself. After that it starts its malicious activity silently in the background.<\/p>\n
fig.2 (a) is code snippet of message stealing code from implemented onReceive<\/em> method of the BroadcastReceiver<\/em> class C10. In this method malware takes message text and assigns it to variable from C11 service. This service in these applications is responsible for their malicious activity. These two apps have similar code.<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig2a-300x148.png\")
<\/p>\n
\u00a0 fig.2(a)\u00a0 Aarogya Setu Fake app code accessing SMS text<\/p>\n
As the fake Aarogya Setu app is targeting the official Aarogya Setu application, malware authors have done changes accordingly. They have added Aarogya Setu icon in ic_launcher<\/em>. To set the name of application as Aarogya Setu, they have changed the value of android:label<\/em> in AndroidManifest.xml<\/em> and as per that value is changed in res->values->string.xml<\/em>. See in fig.2(b).<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig2b-300x143.png\")
\u00a0fig.2(b) Icon comparison<\/p>\n
IoC\u2019s ( Apps which impersonate Aarogya setu app and\/or use similar package name or same icon or both) –<\/p>\n
df5698d5aef850b217cbbfa9789bd347<\/p>\n
bbe84ba545d652d9e06635a6e89d48b5<\/p>\n
ecaeb619b1226a5e22caed93478fc0ba<\/p>\n
5ab7bbba0de6d8a74782f107e7a37cc1<\/p>\n
e5e44ac40123023eebd5caf9662f05d1<\/p>\n
Bfa19e91bb4b25d34ac10ad7b9fc5df2<\/p>\n
Aarogya Setu patched with Metasploit:<\/strong><\/h4>\nWe came across one application which is a patched version of the official Aarogya Setu application version 1.04. The app is created by patching the official app with package name \u201cxrcpryfabq.peotrafpop<\/em>\u201d. This package contains Metasploit code.<\/p>\nWhat is Metasploit?<\/strong> – Metasploit is an exploitation framework used for penetration testing. It contains many exploits and payloads. Here this Metasploit has Trojan downloader code. Malware authors just added one line of the code to start activity from Metasploit code without changing the remaining code of the official app.<\/p>\nFig.3(a) shows that one line added code nwvrhdtun.start()<\/em> in Oncreate<\/em> method of application class to start Metasploit activity , Fig.3(b) shows added Metasploit package xrcpryfabq.peotrafpop<\/em>.<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig3ab-300x255.png\")
<\/p>\n
Below fig.3(c) shows package from Metasploit payload, which is created using \u201cmsfvenom<\/em>\u201d command. Same package is patched in the official Aarogya Setu application to convert this into a malicious application.<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig3c-300x202.png\")
<\/p>\n
fig.3(c)<\/p>\n
Malicious App IoC: 2b67566ecdb6fb9fb625508cc0bafa97<\/p>\n
Android Trojan dropper malware uses fame of Aarogya Setu:-<\/strong><\/h4>\nWe got some malicious samples that use the same package name as Aarogya Setu’s i.e.”nic.goi.aarogyasetu”<\/em>. All these samples are trojan dropper malware. The code used is similar to the code used in the infected CamScanner application that surfaced last year.<\/p>\nThese samples contain encrypted \u201cmutter.zip<\/em>\u201d file in its asset directory. There is a class named as \u201cDuration<\/em>\u201d which has a code to decrypt this mutter.zip<\/em> file. This mutter.zip<\/em> file contains malicious code for downloading malware files.<\/p>\nFortunately, these fake Aarogya Setu applications will not get installed on users device, as one of the attribute of application tag in manifest file \u201candroid:testOnly<\/em>\u201d is set to true and these apps are not properly signed. Looks like these malwares are in development phase but in future malware authors may come up with improved versions of these.<\/p>\nBelow IOC\u2019s are of malicious samples which have similar package name as of Aarogya Setu application:<\/p>\n
05d3004cab3626c2d09a45ed5ca9b3fd<\/p>\n
0ab6b90d044ba4ca847849617769d563<\/p>\n
1627d6bc5b521e20e0a6eb107b6b8102<\/p>\n
3f06bc51873f08e89d968546da8264ab<\/p>\n
52bb57bbc86d9d3b2125a50efc1f2594<\/p>\n
Spreading vectors:<\/strong><\/h4>\nThese applications are not available on Google Play Store, but still malware authors are trying to promote these to unsuspecting users by various ways. How they can do this? This section tries to answer this question.<\/p>\n
1] YouTube and other social media comments:<\/strong><\/h5>\nWhile searching for Aarogya Setu related videos on YouTube, we came across one video on “how to download Aarogya Setu app”. This video is uploaded one month back but still is an example of spreading vector.<\/p>\n
In the comment section of this video one person commented a link saying that this is an alternate link to download the Aarogya Setu app. This link opens a page with option to generate link, after clicking on that it redirects to different page each time. In this process, it downloads an apk with name “setting.apk” [IOC: da4eca06258b72341abe469c3d022d81] and this is nothing but a trojan dropper app.<\/p>\n
![\"YouTube](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2020\/05\/fig4-289x300.png\")
\u00a0fig.4 YouTube comment promoting malicious App<\/p>\n
2] WhatsApp and other social media messages:<\/strong><\/h5>\n
<\/p>\nOld Malware sample IOC : 7ab951806650fb865436f03dedc0555b<\/p>\n
Aarogya Setu Fake sample IOC : df5698d5aef850b217cbbfa9789bd347<\/p>\n
Both these apps carry legitimate application in its “res\/raw” directory named as “google.apk”. These files are of applications which they want to make as a target. For this Aarogya Setu Fake app it is an apk file of Official Aarogya Setu app. At the time of launch, the malware installs this legitimate application and hides itself. After that it starts its malicious activity silently in the background.<\/p>\n
fig.2 (a) is code snippet of message stealing code from implemented onReceive<\/em> method of the BroadcastReceiver<\/em> class C10. In this method malware takes message text and assigns it to variable from C11 service. This service in these applications is responsible for their malicious activity. These two apps have similar code.<\/p>\n \u00a0 fig.2(a)\u00a0 Aarogya Setu Fake app code accessing SMS text<\/p>\n As the fake Aarogya Setu app is targeting the official Aarogya Setu application, malware authors have done changes accordingly. They have added Aarogya Setu icon in ic_launcher<\/em>. To set the name of application as Aarogya Setu, they have changed the value of android:label<\/em> in AndroidManifest.xml<\/em> and as per that value is changed in res->values->string.xml<\/em>. See in fig.2(b).<\/p>\n IoC\u2019s ( Apps which impersonate Aarogya setu app and\/or use similar package name or same icon or both) –<\/p>\n df5698d5aef850b217cbbfa9789bd347<\/p>\n bbe84ba545d652d9e06635a6e89d48b5<\/p>\n ecaeb619b1226a5e22caed93478fc0ba<\/p>\n 5ab7bbba0de6d8a74782f107e7a37cc1<\/p>\n e5e44ac40123023eebd5caf9662f05d1<\/p>\n Bfa19e91bb4b25d34ac10ad7b9fc5df2<\/p>\n We came across one application which is a patched version of the official Aarogya Setu application version 1.04. The app is created by patching the official app with package name \u201cxrcpryfabq.peotrafpop<\/em>\u201d. This package contains Metasploit code.<\/p>\n What is Metasploit?<\/strong> – Metasploit is an exploitation framework used for penetration testing. It contains many exploits and payloads. Here this Metasploit has Trojan downloader code. Malware authors just added one line of the code to start activity from Metasploit code without changing the remaining code of the official app.<\/p>\n Fig.3(a) shows that one line added code nwvrhdtun.start()<\/em> in Oncreate<\/em> method of application class to start Metasploit activity , Fig.3(b) shows added Metasploit package xrcpryfabq.peotrafpop<\/em>.<\/p>\n Below fig.3(c) shows package from Metasploit payload, which is created using \u201cmsfvenom<\/em>\u201d command. Same package is patched in the official Aarogya Setu application to convert this into a malicious application.<\/p>\n fig.3(c)<\/p>\n Malicious App IoC: 2b67566ecdb6fb9fb625508cc0bafa97<\/p>\n We got some malicious samples that use the same package name as Aarogya Setu’s i.e.”nic.goi.aarogyasetu”<\/em>. All these samples are trojan dropper malware. The code used is similar to the code used in the infected CamScanner application that surfaced last year.<\/p>\n These samples contain encrypted \u201cmutter.zip<\/em>\u201d file in its asset directory. There is a class named as \u201cDuration<\/em>\u201d which has a code to decrypt this mutter.zip<\/em> file. This mutter.zip<\/em> file contains malicious code for downloading malware files.<\/p>\n Fortunately, these fake Aarogya Setu applications will not get installed on users device, as one of the attribute of application tag in manifest file \u201candroid:testOnly<\/em>\u201d is set to true and these apps are not properly signed. Looks like these malwares are in development phase but in future malware authors may come up with improved versions of these.<\/p>\n Below IOC\u2019s are of malicious samples which have similar package name as of Aarogya Setu application:<\/p>\n 05d3004cab3626c2d09a45ed5ca9b3fd<\/p>\n 0ab6b90d044ba4ca847849617769d563<\/p>\n 1627d6bc5b521e20e0a6eb107b6b8102<\/p>\n 3f06bc51873f08e89d968546da8264ab<\/p>\n 52bb57bbc86d9d3b2125a50efc1f2594<\/p>\n These applications are not available on Google Play Store, but still malware authors are trying to promote these to unsuspecting users by various ways. How they can do this? This section tries to answer this question.<\/p>\n While searching for Aarogya Setu related videos on YouTube, we came across one video on “how to download Aarogya Setu app”. This video is uploaded one month back but still is an example of spreading vector.<\/p>\n In the comment section of this video one person commented a link saying that this is an alternate link to download the Aarogya Setu app. This link opens a page with option to generate link, after clicking on that it redirects to different page each time. In this process, it downloads an apk with name “setting.apk” [IOC: da4eca06258b72341abe469c3d022d81] and this is nothing but a trojan dropper app.<\/p>\n<\/p>\n\u00a0fig.2(b) Icon comparison<\/p>\nAarogya Setu patched with Metasploit:<\/strong><\/h4>\n
<\/p>\n<\/p>\nAndroid Trojan dropper malware uses fame of Aarogya Setu:-<\/strong><\/h4>\n
Spreading vectors:<\/strong><\/h4>\n
1] YouTube and other social media comments:<\/strong><\/h5>\n
\u00a0fig.4 YouTube comment promoting malicious App<\/p>\n2] WhatsApp and other social media messages:<\/strong><\/h5>\n