{"id":89866,"date":"2021-05-18T21:05:24","date_gmt":"2021-05-18T15:35:24","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89866"},"modified":"2023-06-17T17:01:16","modified_gmt":"2023-06-17T11:31:16","slug":"beware-of-fake-oximeter-apps-they-can-steal-your-banking-credentials","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-of-fake-oximeter-apps-they-can-steal-your-banking-credentials\/","title":{"rendered":"Beware of Fake Oximeter Apps: They Can Steal Your Banking Credentials"},"content":{"rendered":"

No one had expected a new chapter to the current life devouring pandemic. People crawled from one situation to another, and so did the malware trend. Several apps were developed in different countries and states for easy management and tracking of COVID-19<\/a> cases. At Quick Heal Security Labs, we have been tracking such applications to identify malware-laced apps misusing the official apps meant to ease the lives of people and authorities.<\/p>\n

As mentioned in our previous blog, various Arogya Setu apps<\/a> were found malicious. Malware authors make use of apps that are already launched and keep sneaking on current statements made by authorities regarding apps that will use for vaccination registration. A similar app was found and mentioned in the earlier blog regarding the co-win app. A new malicious application serving the same purpose has come to light, along with another app that was meant to check a person’s oxygen saturation level.<\/p>\n

Trojan masquerading as benign oximeter app<\/strong><\/h2>\n

 <\/p>\n

\"\"\"\"<\/p>\n

Two similar apps imitating legitimate oximeter and vaccine registration app<\/a> are found, as mentioned in Karnataka\u00a0<\/span>DGP’s tweet<\/span><\/a> last week. Fake oximeter apps were found that took user’s fingerprint data for Google Pay, PhonePe, Paytm, etc. This app is cut from the same cloth. It asks for contacts and SMS permission which seems unnecessary for an app that would check oxygen saturation level. It accesses contacts and sends a link to every contact in the system via SMS and WhatsApp message, which is hosted on some mega account which on download turns out to be a banking trojan<\/a>-banker.<\/span><\/p>\n

Inspection bypass and distribution tricks<\/span><\/strong><\/h3>\n

Malware authors are evolving with their techniques every day. One of the essential things in malware’s success is distribution. For Android users, Google Play Store is the most sought-after market to get free and paid apps, and that is where the effective target lies. Malware authors apply different tricks to bypass Google Play Store restrictions. Some of the tricks used to publish apps and distribute via specific other means are:<\/span><\/p>\n

    \n
  1. Authors use firebase to initiate malicious functions before and after the app is published. Firebase being Google’s product becomes less suspicious in its activities.<\/span><\/li>\n
  2. Authors use GitHub and mega accounts to deploy their payloads.<\/span><\/li>\n
  3. Authors use different app markets and repositories to distribute their malware other than Google Play, e.g., Koodous, QooApp, Huawei AppGallery, Apkpure, and many more. People who want certain removed apps from Play Store go to repos., like Apkpure, Apkmirror, and Koodous, and bumps into malware.<\/span><\/li>\n<\/ol>\n

     <\/p>\n

    Technical analysis<\/strong><\/h3>\n

    \"\"<\/p>\n

    Fig.1 Asking contacts and send SMS permission<\/em><\/p>\n

    onCreate method requesting for permissions and calling the method “sendO2toContacts” which is the malicious method that carries out the further activity.<\/p>\n

    \"\"<\/p>\n

    Fig.2 Calling method sendO2toContacts<\/em><\/p>\n

    sendO2toContacts calls a method “getAllContacts” that collects every contact number from the system. It then gets a link for SMS and WhatsApp and iterates over an array of contacts and calls the methods that send those links via SMS and WhatsApp.<\/p>\n

    \"\"<\/p>\n

    Fig.3 Driver function for malicious activity<\/em><\/p>\n

    sendO2ViaSMS function return a decoded bas64 hash that decodes to “hxxps:\/\/mega[.]nz\/file\/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g<\/strong>”<\/p>\n

    \"\"<\/p>\n

    Fig<\/em>.4 Malicious<\/em> link<\/p>\n

    Visiting this link takes us to the mega[.]nz page that has an APK file ready to be downloaded.<\/p>\n

    \"\"<\/p>\n

    Fig.5 Banker trojan<\/em><\/p>\n

    Though we can see the name of the app is Oxygen Saturation Checker.apk<\/em><\/strong> it actually is a “pamdemicdestek.apk” file and is detected by Quick Heal by the name Android.Anubis.GEN30551<\/a>.<\/p>\n