Category: Malware Intelligence | Industry: BFSI | Region: India | Source*: A2 |
Executive Summary
CloudSEK’s Customer Threat Research Team discovered a malware sample in the wild (ITW) that targeted the customers of Indian Banks.
Analysis: Analyzing the APK’s using CloudSEK’s security search engine for mobile applications BeVigil we discovered source code, inner functionality of malware, permissions used and URL endpoints to which malware was communicating. |
Delivery: The malware was delivered upon submitting a form that requested information such as Name, Mobile Number and Email Address. |
What’s Exfiltrated? Analyzing the APK file we discovered the malware is capable of stealing Credit/Debit Card information, net banking passwords and SMS to read/submit One Time generated passwords on the victim's behalf. |
Note: We believe it is an ongoing activity since multiple samples targeting prominent banks from India were discovered in the last 3 months.
Information from Technical Analysis
The malicious app is tricking the victims into giving up their Card details and netbanking passwords by luring them using financial rewards.
The malicious app is using the official logo of Indian banks to trick victims into believing that the app is legitimate , which can be used to redeem reward points.
Device Permissions
The app requires a number of permissions while being installed on an android device. Many of these permissions are classified in the dangerous permissions category.
These dangerous permissions include permission to read the device call logs, read contacts, read SMS, receive SMS, get and authenticate accounts.
These permissions allow the malware to steal sensitive information from the victim’s device, read and receive SMS, get information about the accounts being used on the device, use these accounts for authentication and even create new accounts.
Persistence Mechanism
The app uses intent filters with high priority to know about the device reboot to maintain persistence.
The high priority-999 allows the malware to know about the boot change as soon as there is any change. This allows the malware to restart its broadcast receiver to receive any kinds of broadcasts sent across the system by the device OS or other apps.
Data Exfiltration
The source code to the APK is present at https://bevigil.com/src/in.kotak.rewards/source%2Fsources%2Fin%2Fkotak%2Frewards%2FAutoStartService.java
The malware is exfiltrating all the SMS and Call logs from the Victims device to its C2 server.
It is important to note that all the exfiltrated data is being encrypted before sending it to the C2 server.
Encryption Key used for Encryption
Command & Control
Based on the static code analysis of the malware, we can say that the malware is not just stealing data but could also be used to execute commands sent by the Threat Actor.
These commands can be sent by the attacker to the victim device to make the malware perform certain actions like uploading SMS, call logs to the C2 and even putting the device on Silent Mode.
As the malware takes the audio manager permission during install, putting the victim on silent mode is done just before the Threat Actor tries to use the victim’s credit card to make any purchase or transaction to make the victim not notice the OTP of transaction related SMS.
Once the SMS has been uploaded to the C2, the malware can also delete the SMS, so that the victims can not find the SMS whenever they check their phones.
IOCs
Indicator Type | Indicator |
FileHash-SHA256 | f85199a4960e5e1c4bd7843e767a632e5e41454baffe5056a93c2895682f82f6 |
FileHash-SHA256 | 007962b4a6813c099e0f682f2b6691427251dee74c7bf949b901ec0f757eace6 |
FileHash-SHA256 | 7e90de4066c81234c54545c2d28071f2c9803e4852d3e9177bd40535fc0698ba |
FileHash-SHA256 | b9c0f27faecae624455615b90e31169fe2a4a189da36a0ac47c39ad830ba39be |
FileHash-SHA256 | a054d73ae44caf9a8cadaa50e129bf2d6ecd66a89794e13ccfc68b3b8cdd04f6 |
FileHash-SHA256 | f8677fbacd926fca9fb55239d9491573341c1546cd2ec59e5acc49d43bcf1586 |
FileHash-SHA256 | e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8 |
FileHash-SHA256 | 642ef960b21d719de2adeecfcd4b16ad6cef9e120ebc24c309e0788317970521 |
Domain | bank-app1121[.]herokuapp[.]com |
Domain | email-verify99[.]herokuapp[.]com |
Domain | testdata112[.]orgfree[.]com |
Domain | testchat8564[.]herokuapp[.]com |
Domain | datasmsalluser[.]in |
Domain | server5569[.]herokuapp[.]com |