How does the Trojan malware works?<\/strong><\/h4>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig1-650x243.jpg\")
<\/p>\n
Fig.1: Malicious web page<\/em><\/p>\nThe above webpage Fig. 1 shows how hackers misguide users to download an app for the vaccination registration for the 18+ age groups. But in reality, it downloads a malicious APK after clicking on the \u201cDownload Now\u201d button. The malicious APK is hosted on the GitHub account, and we got few similar apps with different app name in them. You can find the GitHub account link here<\/a>. On monitoring this campaign, we got some other GitHub accounts, which also host similar APKs as shown in Fig.2 and Fig.3.<\/p>\n <\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/fig2-650x292.jpg\")
<\/p>\n
Fig2: GitHub account projectpro1 with malicious APK<\/em><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig3-650x304.jpg\")
<\/p>\n
Fig3: GitHub account mybestnews with malicious APK<\/em><\/p>\n <\/p>\n
On the first launch, the application takes few suspicious permissions like access contact, send and view SMS, make a call, etc. Fig. 4 shows permissions which it asks for the Fake vaccine registration application.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/fig4-591x390.jpg\")
<\/p>\n
Fig 4 Fake vaccine registration app.<\/em><\/p>\n <\/p>\n
Technical analysis:<\/strong><\/p>\nThe malware App does some checks shown in Fig. 5 like, Emulator, ADB enabled or not, debugger check. It also collects information on all installed applications on the infected device.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig5-650x237.jpg\")
<\/p>\n
Fig 5: ADB and Debugger check<\/em><\/p>\n <\/p>\n
First, it asks for the mobile number for the registration purpose. But on clicking the register now button, it only checks the length of the entered mobile number. If it is not greater than equal to 4 characters (as shown in Fig. 6) or if it is less than 4 characters, it displays a message \u201cPlease Enter your Correct Number!!\u201d<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig6-650x101.jpg\")
<\/p>\n
Fig 6: Mobile number check<\/em><\/p>\n <\/p>\n
Spreading through SMS:<\/strong><\/p>\nThe malware collects contact information from the infected device.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig7-466x390.jpeg\")
<\/p>\n
Fig 7: Collecting contacts <\/em><\/p>\n <\/p>\n
Malware targets only Jio operators and spreads to contacts who are using Jio sim card. To identify the Jio user, the malware checks the first 4 characters of the mobile number with the list of number that Jio serves. Secondly, it queries a public web API of Jio and checks the response. Below fig. 8 shows the checking of Jio numbers.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig8-650x78.jpg\")
<\/p>\n
Fig 8: Checking the first 4 characters of the number.<\/em><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig9-328x390.jpg\")
<\/p>\n
Fig 9: checking the response from Web API<\/em><\/p>\n <\/p>\n
The unidentified numbers are checked by querying a public web API of Jio as shown in Fig.9. In response, it checks for the string NOT_SUBSCRIBED_USER. And if the response contains a mobile number, then it is considered as a Jio number. After identifying the Jio number, it collects it in a separate list and starts sending SMS using the default sim operator as shown in Fig. 10.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig10-650x87.jpg\")
<\/p>\n
Fig 10: Sending SMS<\/em><\/p>\n <\/p>\n
Spreading through WhatsApp:<\/strong><\/p>\nThe malware does not automatically spread through WhatsApp. It gives a dialogue box of \u201cShare this APP on WhatsApp groups 10 Times to Start Registration” shows in Fig 11.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig11-351x390.jpg\")
<\/p>\n
Fig 11: Malware spreading through WhatsApp<\/em><\/p>\n <\/p>\n
On clicking the button \u201cShare on WhatsApp\u201d, the malware copies the message to the clipboard. The malware does not validate whether the message is shared on WhatsApp or not. It only counts the number of clicks on the \u201cShare on WhatsApp\u201d. Fig 12 and Fig. 13 shows the WhatsApp sharing code.<\/p>\n
The message shared on the WhatsApp groups:<\/p>\n
Register for Vaccine Now*\\n*from age 18+*\\n\\n*No Fees will be taken.*\\n*It’s absolutely Free.*\\n\\n*Download VacciRegis android app*\\n*and Register for vaccine*\\n*in India*\\n\\n*Link:* <\/strong>http[:]\/\/tiny.cc\/COVID-VACCINE<\/strong><\/p>\n <\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig12-523x390.jpg\")
<\/p>\n
Fig 12: Spreading through WhatsApp<\/em><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/05\/Fig13-650x261.jpg\")
<\/p>\n
Fig 13:\u00a0 Completion of message sharing on WhatsApp<\/em><\/p>\n <\/p>\n
The main goal of the app is to generate revenue by displaying ads and spreading itself through the victim\u2019s contact list and through SMS. At Quick Heal, we have collected multiple variants of this malicious App and all are detected with the name \u201cAndroid.GoodNews.GEN41898\u201d. All these malicious applications are signed with the same digital certificate, which means the malware is written by a single malware author.<\/p>\n
IOCs<\/strong><\/p>\n
<\/p>\nThe above webpage Fig. 1 shows how hackers misguide users to download an app for the vaccination registration for the 18+ age groups. But in reality, it downloads a malicious APK after clicking on the \u201cDownload Now\u201d button. The malicious APK is hosted on the GitHub account, and we got few similar apps with different app name in them. You can find the GitHub account link here<\/a>. On monitoring this campaign, we got some other GitHub accounts, which also host similar APKs as shown in Fig.2 and Fig.3.<\/p>\n <\/p>\n Fig2: GitHub account projectpro1 with malicious APK<\/em><\/p>\n Fig3: GitHub account mybestnews with malicious APK<\/em><\/p>\n <\/p>\n On the first launch, the application takes few suspicious permissions like access contact, send and view SMS, make a call, etc. Fig. 4 shows permissions which it asks for the Fake vaccine registration application.<\/p>\n Fig 4 Fake vaccine registration app.<\/em><\/p>\n <\/p>\n Technical analysis:<\/strong><\/p>\n The malware App does some checks shown in Fig. 5 like, Emulator, ADB enabled or not, debugger check. It also collects information on all installed applications on the infected device.<\/p>\n <\/p>\n Fig 5: ADB and Debugger check<\/em><\/p>\n <\/p>\n First, it asks for the mobile number for the registration purpose. But on clicking the register now button, it only checks the length of the entered mobile number. If it is not greater than equal to 4 characters (as shown in Fig. 6) or if it is less than 4 characters, it displays a message \u201cPlease Enter your Correct Number!!\u201d<\/p>\n <\/p>\n Fig 6: Mobile number check<\/em><\/p>\n <\/p>\n Spreading through SMS:<\/strong><\/p>\n The malware collects contact information from the infected device.<\/p>\n <\/p>\n Fig 7: Collecting contacts <\/em><\/p>\n <\/p>\n Malware targets only Jio operators and spreads to contacts who are using Jio sim card. To identify the Jio user, the malware checks the first 4 characters of the mobile number with the list of number that Jio serves. Secondly, it queries a public web API of Jio and checks the response. Below fig. 8 shows the checking of Jio numbers.<\/p>\n <\/p>\n Fig 8: Checking the first 4 characters of the number.<\/em><\/p>\n Fig 9: checking the response from Web API<\/em><\/p>\n <\/p>\n The unidentified numbers are checked by querying a public web API of Jio as shown in Fig.9. In response, it checks for the string NOT_SUBSCRIBED_USER. And if the response contains a mobile number, then it is considered as a Jio number. After identifying the Jio number, it collects it in a separate list and starts sending SMS using the default sim operator as shown in Fig. 10.<\/p>\n Fig 10: Sending SMS<\/em><\/p>\n <\/p>\n Spreading through WhatsApp:<\/strong><\/p>\n The malware does not automatically spread through WhatsApp. It gives a dialogue box of \u201cShare this APP on WhatsApp groups 10 Times to Start Registration” shows in Fig 11.<\/p>\n Fig 11: Malware spreading through WhatsApp<\/em><\/p>\n <\/p>\n On clicking the button \u201cShare on WhatsApp\u201d, the malware copies the message to the clipboard. The malware does not validate whether the message is shared on WhatsApp or not. It only counts the number of clicks on the \u201cShare on WhatsApp\u201d. Fig 12 and Fig. 13 shows the WhatsApp sharing code.<\/p>\n The message shared on the WhatsApp groups:<\/p>\n Register for Vaccine Now*\\n*from age 18+*\\n\\n*No Fees will be taken.*\\n*It’s absolutely Free.*\\n\\n*Download VacciRegis android app*\\n*and Register for vaccine*\\n*in India*\\n\\n*Link:* <\/strong>http[:]\/\/tiny.cc\/COVID-VACCINE<\/strong><\/p>\n <\/p>\n Fig 12: Spreading through WhatsApp<\/em><\/p>\n Fig 13:\u00a0 Completion of message sharing on WhatsApp<\/em><\/p>\n <\/p>\n The main goal of the app is to generate revenue by displaying ads and spreading itself through the victim\u2019s contact list and through SMS. At Quick Heal, we have collected multiple variants of this malicious App and all are detected with the name \u201cAndroid.GoodNews.GEN41898\u201d. All these malicious applications are signed with the same digital certificate, which means the malware is written by a single malware author.<\/p>\n IOCs<\/strong><\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n