Many fake Arogya Setu apps that we found were Spyware using Spynote RAT.<\/p>\n
Another set of applications which we came across were patched versions of the official Aarogya Setu application version 1.04, created by patching the official app with the package name \u201cxrcpryfabq.peotrafpop<\/em>\u201d that contains Metasploit code.<\/p>\n Similarly, much other malware could be put inside the official Arogya Setu app to create a look-alike, such as Droppers, Bankers, Fakeavs, Key-loggers, Spyware, Ransomware and many more out of which one more group found and detected by Quick Heal was a Trojan-Dropper.<\/p>\n For detailed information visit https:\/\/blogs.quickheal.com\/sure-right-aarogya-setu-app-phone\/<\/a><\/p>\n We have been hearing about many vaccines out of which few are potentially effective. Now when people have started talking about vaccination, scammers started sending fake messages<\/a> wherein, they send links that take users to fraudulent websites, or they ask for personal details and payment information, or they just lure people into replying to that text message that may cost them a fortune.<\/p>\n Whereas India is running down a different phase.<\/p>\n It feels like we have been fighting Covid-19 since ages, but now we have come to the point where potential vaccines are approved by WHO. The USA has already started vaccinating from December 14, 2020, and India is about to start vaccinating its people in different phases. The online space is rife with lots of speculations around how this phase-wise vaccination would work for masses in India. Few claim that Indian Govt is planning to launch a new app named CoWIN to record data of individuals and use this data later during vaccination. The CoWIN app will be a free downloadable mobile application that will help record vaccine data.<\/p>\n Though CoWIN is not yet ready and not launched, malware authors have already rolled up their sleeves to put their malware inside this upcoming application or impersonate it. We found a fake app named \u201cCoWIN App\u201d with the package name \u201cmobi.androapp.co.c9160\u201d, the developer is \u201cPuzzlersWorld\u201d.<\/p>\n It has different tabs, but none of them has any functionality. The tabs only show news thread as shown in fig.7 on every tab, but when it is installed on rooted device and the user clicks on \u201cAndroid app\u201d tab it opens the URL \u201cxxxx:\/\/androapp.mobi\/appCreator\/\/apk\/1872658795fd87db658b8d3.66541642.apk<\/a>\u201d in chrome that asks to download that application as a new app or as an update to the existing app, for which we will have to enable chrome to install unknown apps as discussed earlier.<\/p>\n There are many reasons for creating fake apps elaborated in Quick Heal\u2019s technical paper<\/a>, one of which is a mobile advertisement. Many fakeapps show ads aggressively to generate more revenue in less time. This app is no exception, we found ad modules that create the Ad URL.<\/p>\n It is downloading the video of specific resolution and length.<\/p>\n It also keeps updating the list of ads, that it uses to show to the user.<\/p>\n Arogya Setu app and CoWIN App falls under the category of \u201cFakeApps follow Social Trends\u201d where they are making use of the current situation and deceiving people.<\/p>\n This is just the start, several malicious apps are about to come along with the launch of official CoWIN app, and they might use several other tricks to get into target device either via Google Play Store, Appstore or any other means such as websites, clickjacking, sharing of links via instant messaging apps, emails or SMS, or via direct file transmission. But we need to be aware of tricks that are already discovered and follow certain instructions before installing any application on our system.<\/p>\n <\/p>\n Most people install applications from Google Play Store on Android devices and Appstore in iOS devices, and they [Google Play store, Appstore] do apply some security measures to prevent these malicious applications from entering their store. However, one way or another malware authors find their way to reach their targets either through these platforms or any other website, and how people reach those websites is another story among which sharing link via WhatsApp, email, SMS are common ways. Complete application files could also be shared directly through instant messaging apps like Whatsapp, Facebook messenger, Hike and many more. In such cases, the user is prompted for permission to install apps from unknown sources, which the user needs to allow from the settings as shown below.<\/p>\n On devices running Android 7.0 Nougat or earlier:\u00a0Settings->Security->allow installation from unknown sources<\/strong>.<\/p>\n And this is where the user becomes prone to a myriad of exploits, as malicious applications that could have been detected malicious and filtered by Google Play Store policy has now found its way to enter the end user\u2019s device. Hence by mentioning all those tricks used by threat actors and motto that drives their actions to deceive people by preying on their fears, this blog here is trying to help understand how a simple application that looks so benign could be so monstrous, how malware is put even inside official apps like Arogya Setu and CoWIN. We intend to keep our fellow citizens aware and safe by helping them inculcate sanitary practices before installing any app and following certain tips to stay safe, mentioned below.<\/p>\n 1.Download Applications only from trusted sources like Google Play Store.<\/p>\nGet yourself registered on CoWIN<\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/Picture3-650x215.png\")
<\/p>\n![\"Fig.1](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/Picture4-1.png\")
![\"Fig.2](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/Picture1-607x390.png\")
![\"Fig.](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/Picture2-587x390.png\")
![\"Fig.](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/combined_img-2-650x66.png\")
![\"Fig.](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/download_assets-1-650x144.png\")
![\"Fig.](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/force_update_ad.png\")
Indicator of compromise<\/strong><\/h2>\n
\n\n
\n Package Name<\/td>\n MD5<\/td>\n<\/tr>\n \n mobi.androapp.co.c9160<\/td>\n 52f21a04e4deba639863bd8e277698b4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ![\"Fig.7](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/01\/1.special_app_access-w782-650x377.png\")
How to stay safe<\/h2>\n