{"id":92539,"date":"2024-03-20T19:42:00","date_gmt":"2024-03-20T14:12:00","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=92539"},"modified":"2026-01-16T11:45:12","modified_gmt":"2026-01-16T06:15:12","slug":"beware-malicious-android-malware-disguised-as-government-alerts","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-malicious-android-malware-disguised-as-government-alerts\/","title":{"rendered":"Beware: Malicious Android Malware Disguised as Government Alerts"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"92539\" class=\"elementor elementor-92539\">\n\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-71264870 e-flex e-con-boxed e-con e-parent\" data-id=\"71264870\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-48a225ce elementor-widget elementor-widget-text-editor\" data-id=\"48a225ce\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>In our high-tech world, sneaky cyber threats can pop up anywhere. Lately, we&#8217;ve spotted sneaky malware on Android phones spreading through fake WhatsApp messages. These messages pretend to be from the government, but they&#8217;re hiding something nasty inside.<\/p>\n<p>Cybercriminals have cleverly utilized the notification system of the government&#8217;s traffic department to spread their malicious software. We&#8217;ve encountered several instances of these deceptive messages purportedly sent from authorities like the Pimpri-Chinchwad Traffic Police and Chandigarh Traffic Police. These messages claim that the recipient has received a traffic ticket for breaking the rules. To make the messages seem authentic, they even include specific details such as the ticket number and the vehicle&#8217;s registration information. 
Additionally, they have incorporated the official logos of the Maharashtra Motor Vehicle Department and Chandigarh Administration as their profile pictures to further establish an air of authenticity.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92540 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/1-2-300x203.jpg\" alt=\"\" width=\"513\" height=\"347\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2-300x203.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2-577x390.jpg 577w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2-768x519.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2-789x534.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2-150x101.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/1-2.jpg 964w\" sizes=\"(max-width: 513px) 100vw, 513px\" \/><\/p>\n<p style=\"text-align: center;\"><span class=\"TextRun SCXW121937902 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW121937902 BCX0\">Figure 1. WhatsApp message received by Victim<\/span><\/span><\/p>\n<p>Within these messages, there&#8217;s typically a request for the recipient to download an application called &#8220;Vahan Parivahan.&#8221; This application supposedly serves to confirm the recipient&#8217;s identity and provide evidence related to the alleged violation. Figure 1 shows WhatsApp messages received by victims. However, unbeknownst to the recipients, the linked APK file contains malicious software designed to steal information from Android devices. This info-stealer malware is engineered to infiltrate devices discreetly and compromise sensitive data without the user&#8217;s awareness. The malware engages in billing fraud by sending messages to specific phone numbers. 
In Figure 2, the attack flow of this malware campaign is depicted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92541 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/2-2-300x190.jpg\" alt=\"\" width=\"625\" height=\"396\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-300x190.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-616x390.jpg 616w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-768x487.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-1536x973.jpg 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-789x500.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2-150x95.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/2-2.jpg 1594w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 2. Attack flow<\/p>\n<p>We examined one of the apps (see Figure 3). Upon launching the application:<\/p>\n<ul>\n<li>It initiates a request for various permissions. 
These permissions encompass the ability to send and receive SMS messages, manage phone calls, and access the device&#8217;s contact list.<\/li>\n<li>Furthermore, the application seeks authorization to act as the default SMS application for system notifications and receivers, thereby assuming control over messaging functionalities.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92542 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/3-2-300x124.jpg\" alt=\"\" width=\"572\" height=\"236\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2-300x124.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2-650x268.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2-768x317.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2-789x326.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2-150x62.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/3-2.jpg 1041w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 3. Permissions asked by app<\/p>\n<p>Once the malware application gets permission, it hides its icon, so users won&#8217;t notice it. Then, secretly, it starts gathering sensitive information from the device, like contacts, text messages, and details about the device and SIM card. After that, it retrieves phone numbers and messages from a server database and sends those messages as text messages without the user knowing. 
At the same time, it sends the collected data to a Telegram bot using the Telegram API.<\/p>\n<p><strong>Technical Working of the malware application:<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92543 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/4-2-300x153.jpg\" alt=\"\" width=\"377\" height=\"192\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/4-2-300x153.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/4-2-150x76.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/4-2.jpg 401w\" sizes=\"(max-width: 377px) 100vw, 377px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 4. Application icons<\/p>\n<p>Application name: VAHAN PARIVAHAN<\/p>\n<p>Package Name: shd.ske<\/p>\n<p>MD5 hash: a5765ba70f06b2be056dc3df6270de32<\/p>\n<p>Dangerous permissions:<\/p>\n<ul>\n<li>android.permission.SEND_SMS<\/li>\n<li>android.permission.READ_PHONE_STATE<\/li>\n<li>android.permission.RECEIVE_SMS<\/li>\n<li>android.permission.READ_CONTACTS<\/li>\n<\/ul>\n<p><strong>Extracting received SMS data &#8211;<\/strong><\/p>\n<p>This application requested permission to become the primary SMS application on the device. By becoming the default SMS app, it gains the capability to register a broadcast receiver, allowing it to intercept system notifications linked to SMS messages.<\/p>\n<p>In the code snippet presented in Figure 5, the onReceive method of the BroadcastReceiver class is depicted. Within this method, the malware checks if the broadcast is related to receiving an SMS. 
If it indeed is an SMS received broadcast, the malware extracts the sender information and the SMS body, forwarding them for additional processing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92544 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/5-300x130.png\" alt=\"\" width=\"628\" height=\"272\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5-300x130.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5-650x281.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5-768x332.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5-789x341.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5-150x65.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/5.png 1280w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 5. Code for onReceive method of BroadcastReceiver<\/p>\n<p><strong>Device and SIM Information Harvesting &#8211;<\/strong><\/p>\n<p>In Figure 6, the code snippet demonstrates the malware&#8217;s functionality to gather comprehensive device information, including the manufacturer, model number, Android OS version, and battery health status. Additionally, it accesses details about active subscriptions and retrieves information about each SIM card, such as the subscription ID, carrier name, and phone number. This process is initiated from the MainActivity of the application. 
Subsequently, the collected data is transferred to the subsequent function tasked with acquiring information about the device&#8217;s contact list.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92545 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/6-300x72.png\" alt=\"\" width=\"685\" height=\"164\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-300x72.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-650x157.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-768x185.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-1536x370.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-789x190.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6-150x36.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/6.png 1688w\" sizes=\"(max-width: 685px) 100vw, 685px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 6. Code which collects device and sim related info<\/p>\n<p><strong>Contact information gathering &#8211;<\/strong><\/p>\n<p>In Figure 7, the malware employs a Cursor object to query the device&#8217;s content resolver for contact information. It specifies certain columns from the ContactsContract.CommonDataKinds.Phone.CONTENT_URI, excluding contacts linked to a Google account. 
The outcome of this query comprises contact IDs, display names, phone numbers, and account types.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-92546 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/7-300x63.png\" alt=\"\" width=\"686\" height=\"144\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-300x63.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-650x137.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-768x162.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-1536x323.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-789x166.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7-150x32.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/7.png 1688w\" sizes=\"(max-width: 686px) 100vw, 686px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 7. 
Code to access contact information<\/p>\n<p><strong>Use of Telegram Bot API to send data &#8211;<\/strong><\/p>\n<p>The code snippet in Figure 8 sends a document (in this case, a text file named &#8220;Contacts.txt&#8221; containing the collected contact information) to a specified Telegram chat using the Telegram Bot API.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92547 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/8-300x116.png\" alt=\"\" width=\"614\" height=\"237\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-300x116.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-650x251.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-768x297.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-1536x593.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-789x305.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8-150x58.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/8.png 1688w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 8. Collected contacts saved to the file Contacts.txt and sent to a Telegram chat<\/p>\n<p>The code in Figure 9 sends the gathered details about active subscriptions and each SIM card, including the subscription ID, carrier name, and phone number, using the Telegram API. 
The same code is also used to send the collected SMS data.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92548 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/9-300x41.png\" alt=\"\" width=\"630\" height=\"86\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-300x41.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-650x88.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-768x104.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-1536x208.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-789x107.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9-150x20.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/9.png 1688w\" sizes=\"(max-width: 630px) 100vw, 630px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 9. Code used to send device and SIM information<\/p>\n<p><strong>Billing Fraud &#8211;<br \/><\/strong><\/p>\n<p>The malware orchestrates billing fraud by autonomously sending messages to phone numbers retrieved from a server database, all without the user&#8217;s awareness. Figure 10 illustrates the code, which uses Firebase Realtime Database to obtain phone numbers, message content, and timestamps. 
Utilizing this information, the malware executes the message transmission process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92549 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/10-300x127.png\" alt=\"\" width=\"600\" height=\"254\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-300x127.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-650x275.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-768x324.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-1536x649.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-789x333.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10-150x63.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/10.png 1707w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 10. Code to get phone number and message body<\/p>\n<p>Figure 11 shows code to send SMS message &#8211;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92550 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/11-300x64.jpg\" alt=\"\" width=\"623\" height=\"133\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11-300x64.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11-650x138.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11-768x163.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11-789x168.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11-150x32.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/11.jpg 1106w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 11. 
Code to send SMS<\/p>\n<p><strong>MITRE ATT&amp;CK Tactics and Techniques:<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-92551 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/12-300x65.jpg\" alt=\"\" width=\"701\" height=\"152\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12-300x65.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12-650x142.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12-768x167.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12-789x172.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12-150x33.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/12.jpg 1321w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>In summary, the use of fake government alerts for spreading malware is a serious concern for Android users. These scams trick people into downloading harmful apps by posing as official notifications. The attackers use convincing details and even mimic legitimate organizations to deceive victims. Once installed, such malware can steal personal information, which can then be misused by cyber criminals. Additionally, these malicious apps can perform billing fraud without the user&#8217;s consent simply by sending a message. To stay safe, it&#8217;s crucial for users to be cautious of unexpected messages and avoid downloading unfamiliar apps. 
By staying informed and taking proactive steps to protect their devices, individuals can better defend themselves against these deceptive cyber threats.<\/p>\n<p><b><span data-contrast=\"none\">Quick Heal Detection<\/span><\/b><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559738&quot;:0,&quot;335559739&quot;:105,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Quick Heal detects such malicious applications with variants of Android.SMSthief.A<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">It is recommended that all mobile users should install a trusted Anti-Virus like \u201cQuick Heal Mobile Security for Android\u201d to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices. 
Download your Android protection <\/span><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market&amp;hl=en_IN\"><span data-contrast=\"none\">here<\/span><\/a><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"none\">IOCs:<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-92552 alignleft\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/03\/13-300x42.jpg\" alt=\"\" width=\"544\" height=\"76\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13-300x42.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13-650x91.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13-768x107.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13-789x110.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13-150x21.jpg 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2024\/03\/13.jpg 895w\" sizes=\"(max-width: 544px) 100vw, 544px\" \/><\/p>\n<p><strong>Telegram Bot information:<\/strong><\/p>\n<p>Telegram Bot ID: 6915291812:AAEeu3kUcEshFc3LgD4x_9qw6bpKwwQy1tw<\/p>\n<p>Telegram Chat ID: 1002118750305<\/p>\n<p><strong>URLs:<\/strong><\/p>\n<p>https[:]\/\/hookuptolookup-default-rtdb[.]firebaseio.com\/-1002118750305\/&lt;message_thread_id&gt;.json<\/p>\n<p>(Firebase Realtime Database used to obtain phone number and message body)<\/p>\n<p>https[:]\/\/api[.]telegram[.]org\/bot6915291812:AAEeu3kUcEshFc3LgD4x_9qw6bpKwwQy1tw\/sendDocument<\/p>\n<p>https[:]\/\/api[.]telegram.org\/bot6915291812:AAEeu3kUcEshFc3LgD4x_9qw6bpKwwQy1tw\/sendMessage?chat_id=1002118750305<\/p>\n<p>(URLs where the malware sends data)<\/p>\n<p><b><span data-contrast=\"none\">TIPS TO STAY 
DIGITALLY SAFE:\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559738&quot;:0,&quot;335559739&quot;:105,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">Download applications only from trusted sources like <\/span><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform&amp;hl=en_IN&amp;gl=US\"><span data-contrast=\"none\">Google Play Store.<\/span><\/a><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559737&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">Do not click on any links received through messages or any other social media platforms as they may be intentionally or inadvertently pointing to malicious 
sites.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559737&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">Read the pop-up messages you get from the Android system before accepting or\/allowing any new permissions.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559737&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">Be extremely cautious about what applications you download on your phone, as malware authors can easily spoof the original applications\u2019 names, icons, and developer details.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559737&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">For enhanced protection of your phone, always use a good antivirus like <\/span><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market\"><span data-contrast=\"none\">Quick Heal Mobile Security for Android.<\/span><\/a><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559737&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:279}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"none\">Don\u2019t wait! 
<\/span><b><span data-contrast=\"none\">Secure your smartphones today with Quick Heal Total Security for Mobiles &amp; Smartphones \u2013 <\/span><\/b><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market\"><span data-contrast=\"none\">Buy or Renew Today!<\/span><\/a><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335557856&quot;:16777215,&quot;335559738&quot;:0,&quot;335559739&quot;:225,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:279}\">\u00a0<\/span><\/p>\n<!-- wp:paragraph -->\n<p>\u00a0<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>In our high-tech world, sneaky cyber threats can pop up anywhere. Lately, we&#8217;ve spotted sneaky malware on Android phones spreading through fake WhatsApp messages. These messages pretend to be from the government, but they&#8217;re hiding something nasty inside. Cybercriminals have cleverly utilized the notification system of the government&#8217;s traffic department to spread their malicious software. 
[&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":92590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,24,354,1674,304,1513,1514],"tags":[1874,431,1821,2019,254],"class_list":["post-92539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-malware","category-mobile-security-2","category-scam-alert","category-social-engineering-2","category-whatsapp","category-whatsapp-scam","tag-government","tag-android","tag-androidmalware","tag-vahanparivahan","tag-whatsapp"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92539"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=92539"}],"version-history":[{"count":19,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92539\/revisions"}],"predecessor-version":[{"id":92664,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/92539\/revisions\/92664"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/92590"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=92539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=92539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=92539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}