Watch out for Android SMS worm that hides in fake Jio data offers

The fake Jio message links to a shared Android Package (APK) file which, once installed, reads the victim's contacts, spreads itself by SMS, and generates ad revenue.


A fake “Free 25 GB Jio data” offer has been making the rounds recently. The link in the SMS: http[:]//tiny.cc/Jio-4G expands to a shared Android Package (APK) file over public.boxcloud.com. The APK has 10 activities, 3 services and 1 receiver, in total.

[Image: the fake Jio offer]

When a victim clicks on the link, the app requests the following permissions during the installation:

  • android.permission.READ_PHONE_STATE: Allows the app to access the victim’s phone state, including the phone number, cellular network information, status of ongoing calls, and a list of any PhoneAccounts registered on the device.
  • android.permission.ACCESS_FINE_LOCATION: Allows the app to access precise location.
  • android.permission.ACCESS_COARSE_LOCATION: Allows the app to access approximate location.
  • android.permission.FOREGROUND_SERVICE: Allows the app to use Service.startForeground.
  • android.permission.READ_CONTACTS: Allows the app to read the victim’s phone contacts data.
  • android.permission.SEND_SMS: Allows the app to send SMS messages.
  • android.permission.ACCESS_WIFI_STATE: Allows the app to access information about Wi-Fi networks.
  • android.permission.ACCESS_NETWORK_STATE: Allows the app to access information about networks.
  • android.permission.RECEIVE_BOOT_COMPLETED: Allows the app to receive the Intent.ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
  • com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE: Allows the app to tell whether its installation was launched from an ad in Privacy Browser Free.

These permissions let the app read the victim’s phone contacts. Once it has them, it sends the same “Free 25 GB Jio Data offer” SMS to selected contacts who have Jio numbers.
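As an added illustration (this is not code from the original write-up or from the sample it analyses), the following Python script shows how a defender can triage a decoded AndroidManifest.xml for the permission combination described above: contacts plus SMS plus boot persistence, which together are what turn a small "offer" app into a self-propagating worm. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool); the sample manifest, package name and component names embedded here are constructed for the example and do not come from the analysed APK.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions called out in the write-up that, in combination, enable
# contact harvesting, self-propagation over SMS and persistence across reboots.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "read contacts (harvest targets)",
    "android.permission.SEND_SMS": "send SMS (propagate)",
    "android.permission.READ_PHONE_STATE": "read phone number and device identifiers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot (persistence)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.FOREGROUND_SERVICE": "long-running background service",
}

# Contacts + SMS is the worm signature; it is suspicious on its own in an app
# that claims to be a data-top-up offer.
WORM_COMBO = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

# Constructed sample (hypothetical package and component names), using a subset
# of the permissions listed in the write-up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeoffer">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Free Data">
    <activity android:name=".MainActivity"/>
    <service android:name=".SmsService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def component_counts(manifest_xml: str) -> dict:
    """Count declared activities, services and receivers (a quick sanity check
    against the component tallies reported in an analysis)."""
    root = ET.fromstring(manifest_xml)
    return {tag: sum(1 for _ in root.iter(tag)) for tag in ("activity", "service", "receiver")}


def triage(manifest_xml: str) -> dict:
    """Flag high-risk permissions and the contacts+SMS worm combination."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in sorted(perms & set(HIGH_RISK))}
    worm_like = WORM_COMBO <= perms
    persistent = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    return {
        "permissions": sorted(perms),
        "flagged": flagged,
        "worm_like": worm_like,
        "persistent": persistent,
        "verdict": "suspicious: can read contacts and send SMS" if worm_like else "review manually",
        "components": component_counts(manifest_xml),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("verdict:", report["verdict"])
    for perm, why in report["flagged"].items():
        print("  %-50s %s" % (perm, why))
    print("components:", report["components"])
```

For a real sample, decode the APK first and call `triage(open("AndroidManifest.xml").read())`; the component counts can be compared with the activity/service/receiver numbers from the analysis, and a manifest that requests both READ_CONTACTS and SEND_SMS for a "free data" app is worth pulling apart further.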

[Image: the fake Jio message sent to contacts]

The worm sends a POST request to the jio.com recharge endpoint to determine whether a number is a Jio number. The message above is sent only to numbers that are.

Code to determine whether the number belongs to Jio:

[Image: code that identifies Jio numbers]

The message is not sent to all the contacts at once. Instead, the app draws a random integer and schedules each message with that arbitrary delay. All of this happens without notifying the victim.

Code to send the message at random intervals:

[Image: code that sets random intervals]

The worm propagates itself, and thus the message, in order to generate advertising revenue. The app holds multiple StartAppSDK accounts; depending on when it is opened, it initializes one of them and instructs the victim to click the ad, generating revenue.

Many variants of the same scam have been observed in the past. One such Android worm was found to carry 62 different predefined text messages, each with a link pointing to the Android app. In that case, when a victim clicks the link, the app is installed and collects their phone number. The user is then asked to share the message via WhatsApp with 10 people to avail of the offer. Once the victim has sent the message to 10 people, they receive a notification saying they can now avail of the offer. In this way the Android worms generate ad-based revenue.

Another offer, this one built around Jio-Fiber registration, spreads Android worms and generates ad revenue in the same way.

[Image: another Jio scam message]

Indicators of compromise:

MD5: 000df3a5253be8cec6c7a4b739b75885
SHA1: 8060757caeca9b4f4260d58f335b990ea59340f0
SHA256: fbea91e1673e13e5bc7c1b8a7a98ab5154a8dc21d572ffb479f9c1cbe827112b
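As an added example (not code from the original write-up), the script below turns the indicators above into a simple file scanner: it streams each file through MD5, SHA-1 and SHA-256 at once, then reports which of the listed digests matched. The IoC values are the ones given on this page; the file paths, the `main` demo and the constructed sample bytes are assumptions for the example.

```python
import hashlib
import io

# Indicators of compromise from the write-up above (digests of the malicious APK).
IOC_HASHES = {
    "md5": {"000df3a5253be8cec6c7a4b739b75885"},
    "sha1": {"8060757caeca9b4f4260d58f335b990ea59340f0"},
    "sha256": {"fbea91e1673e13e5bc7c1b8a7a98ab5154a8dc21d572ffb479f9c1cbe827112b"},
}

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1 << 20  # 1 MiB reads, so large APKs are not loaded into memory at once


def digest_stream(stream) -> dict:
    """Compute all three digests in a single pass over a binary stream."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (used for the demo and tests)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path) -> dict:
    with open(path, "rb") as f:
        return digest_stream(f)


def match_iocs(digests: dict, iocs=IOC_HASHES) -> list:
    """Return the names of the algorithms whose digest matched an indicator.

    Comparison is case-insensitive, since feeds mix upper- and lower-case hex.
    """
    return [
        name
        for name in ALGORITHMS
        if digests.get(name, "").lower() in iocs.get(name, set())
    ]


def scan_paths(paths, iocs=IOC_HASHES) -> dict:
    """Hash every path and report matches; unreadable files are recorded, not fatal."""
    results = {}
    for p in paths:
        try:
            d = digest_file(p)
        except OSError as exc:
            results[str(p)] = {"error": str(exc)}
            continue
        results[str(p)] = {"digests": d, "matched": match_iocs(d, iocs)}
    return results


if __name__ == "__main__":
    import sys
    import tempfile

    # Demo on a constructed file when no paths are given on the command line.
    paths = sys.argv[1:]
    if not paths:
        with tempfile.NamedTemporaryFile("wb", suffix=".apk", delete=False) as tmp:
            tmp.write(b"PK\x03\x04 constructed sample, not a real APK")
            paths = [tmp.name]
    for path, info in scan_paths(paths).items():
        if "error" in info:
            print(path, "ERROR", info["error"])
        else:
            status = "MATCH " + ",".join(info["matched"]) if info["matched"] else "clean"
            print(path, info["digests"]["sha256"], status)
```

Run it as `python scan.py /path/to/suspect.apk ...`; any line marked MATCH corresponds to the APK described in this post. Hashing all three algorithms in one pass means the file is read once even when a feed only provides one of the digest types.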
