The Fake IRCTC app portrays itself as the legitimate IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.<\/p>\n
This fake app Spyware is able to perform the following actions:<\/p>\n
- \n
- Steal Facebook and Google account credentials.<\/li>\n
- Use accessibility to extract codes from Google Authenticator.<\/li>\n
- Track GPS and network location.<\/li>\n
- Use the Camera API to record and send videos.<\/li>\n
- Gather Installed Applications\u2019 Information on the mobile device.<\/li>\n
- Send all collected information to a C2 server, after which it can obfuscate to hide the host.<\/li>\n<\/ul>\n
The Fake IRCTC App: How it Works<\/h2>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/1-1-300x292.png\")
<\/p>\nFig\u00a001.\u00a0Fake\u00a0App\u00a0in\u00a0the\u00a0name\u00a0of\u00a0IRCTC.<\/em><\/p>\n
When we click on the application icon to launch, it continuously shows us this screen, as given below.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/2-1-178x300.png\")
<\/p>\nFig\u00a002.\u00a0Continuously\u00a0shows\u00a0this\u00a0screen.<\/em><\/p>\n
The fake app then tries to obtain the following permissions on a mobile device:-<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/3-1.png\")
<\/p>\nFig 03. Fake app trying to get permissions on the infected device<\/em><\/p>\n
Behind the scenes, this malware performs a\u00a0 number of malicious activities simultaneously,\u00a0 like stealing location and installed application data<\/em><\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/4-2-300x32.png\")
<\/p>\nFig 04. Taking Installed Applications Information.<\/em><\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/5-1-300x141.png\")
<\/p>\nFig\u00a005.\u00a0Taking\u00a0Location\u00a0Information<\/em><\/p>\n
One of the features of this spyware is the ability to steal Facebook credentials:-<\/em><\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/05\/6-1-300x136.png\")
<\/p>\nFig\u00a006.\u00a0Social\u00a0Media\u00a0Credentials\u00a0Stealing.<\/em><\/p>\n
IRCTC ADVISORY:<\/strong><\/h2>\n
It has been reported that a malicious Android application (irctcconnect.apk) hosted on a phishing website (https:\/\/irctc.creditmobile.site) is being circulated over instant messaging platforms e.g., WhatsApp, Telegram, etc.<\/em><\/p>\n
This android app (APK file) is malicious and infects the mobile device. These fraudsters are sending phishing links at mass level and insisting users to download this android application, impersonating IRCTC officials to trick victims into revealing their sensitive net banking credentials like UPI details, credit\/debit card information etc.<\/em><\/p>\n
In view of this, you are advised that please do not install this application and keep yourself safe from such fraudsters.<\/em><\/p>\n
Always download IRCTC\u2019s authorized \u2018IRCTC Rail Connect\u2019 mobile app from Google Play Store or Apple Store.<\/em><\/p>\n
Please note that IRCTC does not call its users\/customers for their PIN, OTP, Password, Credit\/Debit Card Details, Net Banking password or UPI details.<\/em><\/p>\n
\u00a0Warm Regards,<\/em>
\nIRCTC<\/em><\/p>\nQuick Heal Detection: <\/strong><\/h3>\n
Quick Heal is able to detect such malicious applications with variants of \u201cAndroid.SpyNote.GEN.”<\/strong><\/p>\n
Indicator of Compromises (IOCs):<\/strong><\/p>\n
45c154af52c65087161b8d87e212435a
\nc01566f5feb7244ed4805e2855ebdc400
\nc77435e6e77152d24e86eb75e1f04d75<\/p>\nIt is recommended that all mobile users should install a trusted Anti Virus like \u201cQuick Heal Mobile Security for Android\u201d<\/strong> to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices.<\/em><\/p>\n
CONCLUSION:<\/strong><\/h2>\n
As illustrated above, malware authors lure users by using icons of legitimate applications. These SpyNote applications can cause much harm to the infected devices. Users should be aware of such ongoing cyber scams and refrain from downloading and installing applications from untrusted sources.<\/em><\/p>\n
TIPS TO STAY SAFE:<\/strong><\/h3>\n
- \n
- Download applications only from trusted sources like Google Play Store.<\/li>\n
- Do not click on any links received through messages or any other social media platforms as they may be intentionally or inadvertently pointing to malicious sites.<\/li>\n
- Read the pop-up messages you get from the Android system before accepting or allowing any new permissions.<\/li>\n
- Be extremely cautious about what applications you download on your phone, as malware authors can easily spoof the original applications\u2019 names, icons, and developer details.<\/li>\n
- For enhanced protection of your phone, always use a good antivirus like Quick Heal Mobile Security for Android<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
In the world of cybercrime, the tactics used by threat actors are constantly evolving, but upon close analysis of multiple instances, the modus operandi remains the same –\u00a0 i.e. exploitation of current events, trending news, government websites, and even legitimate applications of trusted organizations to dupe unsuspecting users. By using the names and logos of […]<\/p>\n","protected":false},"author":76,"featured_media":91700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1653,285,1611,164],"tags":[1953,431,277,901,1362,1957,1566,23,80,1234],"class_list":["post-91691","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-antivirus","category-applications","category-banking-trojan","category-cyber-crime","tag-malwareattack","tag-android","tag-android-apps","tag-cyberattack","tag-cybercrime","tag-cyberthreat","tag-fakeapp","tag-fraudulent-email","tag-quick-heal","tag-quick-heal-android-apps"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91691"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/76"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91691"}],"version-history":[{"count":11,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91691\/revisions"}],"predecessor-version":[{"id":91739,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91691\/revisions\/91739"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91700"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}