A fake “Free 25 GB Jio data” offer has been making the rounds recently. The link in the SMS (http//tiny.cc/Jio-4G) expands to an Android Package (APK) file shared via public.boxcloud.com. The APK declares 10 activities, 3 services and 1 receiver in total.
When a victim clicks on the link, the app requests the following permissions during the installation:
- android.permission.READ_PHONE_STATE: Allows the app to access the victim’s phone state, including the phone number, cellular network information, status of ongoing calls, and a list of any PhoneAccounts registered on the device.
- android.permission.ACCESS_FINE_LOCATION: Allows the app to access precise location.
- android.permission.ACCESS_COARSE_LOCATION: Allows the app to access approximate location.
- android.permission.FOREGROUND_SERVICE: Allows the app to use Service.startForeground.
- android.permission.READ_CONTACTS: Allows an app to read the victim’s phone contacts data.
- android.permission.SEND_SMS: Allows the app to send SMS messages.
- android.permission.ACCESS_WIFI_STATE: Allows the app to access information about Wi-Fi networks.
- android.permission.ACCESS_NETWORK_STATE: Allows the app to access information about networks.
- android.permission.RECEIVE_BOOT_COMPLETED: Allows the app to receive the Intent.ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
- com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE: Allows the app to tell whether its installation was launched from an ad in Privacy Browser Free.
These permissions allow the app to access the victim’s phone contacts. Once the app has access, it sends the same “Free 25 GB Jio Data offer” SMS to selected contacts who have Jio numbers.
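The permission set above is what makes the app a worm: contacts access plus SMS sending, with a boot receiver for persistence. As an added example (not code from the original analysis or the APK), the following triage script parses an AndroidManifest.xml string, counts components, and flags that combination; the sample manifest, package name and component names are constructed to mirror the permissions listed above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Capabilities the analysis above attributes to the worm, as the permission
# sets that together grant them (the key flag is contacts + SMS sending).
RULES = {
    "sms-worm-propagation": {"android.permission.READ_CONTACTS",
                             "android.permission.SEND_SMS"},
    "boot-persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "background-service": {"android.permission.FOREGROUND_SERVICE"},
    "phone-identity": {"android.permission.READ_PHONE_STATE"},
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(manifest_xml: str) -> dict:
    """Report requested permissions, component counts, matched capability
    rules, and whether a receiver is actually wired to BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    app = root.find("application")
    tags = ("activity", "service", "receiver")
    counts = {t: len(app.findall(t)) for t in tags} if app is not None else {}
    boot_receiver = any(act.get(ANDROID + "name") == BOOT_ACTION
                        for rcv in root.iter("receiver")
                        for act in rcv.iter("action"))
    matched = sorted(n for n, needed in RULES.items() if needed <= perms)
    return {"permissions": sorted(perms), "components": counts,
            "capabilities": matched, "boot_receiver": boot_receiver}

# Constructed sample manifest with the permission/receiver pattern described
# above; it is not the real APK's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeoffer">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SenderService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run it on a manifest decoded from an APK (for example with apktool) to get a quick read on whether a sample requests the same worm-style capability set.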
The worm sends a POST request to the jio.com recharge endpoint to determine whether a number is a Jio number. Only if it is a Jio number is the above message sent.
Code to determine if the number belongs to Jio:
The messages are not sent to all the contacts at once. Instead, the app schedules each message after a delay derived from a random integer. All of this happens without notifying the victim.
Code to send the message at random intervals:
The worm propagates itself, and thus the message, in this way to generate advertising revenue. The app carries multiple StartAppSDK accounts; depending on when it is opened, it initializes one of them and instructs the victim to click the ad, thus generating revenue.
Many variants of the same scam have been observed in the past. One such Android worm was found to have 62 different predefined text messages, with links pointing to the Android app. In this case, when a victim clicks on the link, the app gets installed and then collects their phone number. The user is then asked to share the message via WhatsApp with 10 people to avail the offer. Once the victim has sent the message to 10 people, they receive a notification saying they can now avail the offer. In this way, the Android worms are able to generate ad-based revenue.
Example of another offer that uses Jio-Fiber registration to spread Android worms and generate ad revenue.
Indicators of compromise: