Are you sure you have the right Aarogya Setu App on your phone?

The Government of India launched a mobile application called Aarogya Setu for easy contact tracing of people during the Covid-19 pandemic. It has a record-breaking number of downloads in a very short span of time on Google Play Store. As per government stats, it has more than 10 crore registered users and the number is growing everyday.

Riding on this wave, malware authors are misusing the name ‘Aarogya Setu’ to plant malicious apps into the end users’ phone. We collected many applications from various sources that impersonate the original Aarogya Setu App. While analyzing these applications, we found some malicious applications that looked exactly like the official app. All the samples that we have are modified versions of previously found malware with few minor changes done to give a look similar to the Aarogya Setu App.

Here is a comparative analysis of a few of these malicious lookalike apps:

Aarogya setu spyware apps:

All of these samples use Spynote RAT.

Spynote:

Spynote is a RAT (Remote Administration tool), which allows malware authors to take complete takeover of an infected device. It has different versions that has evolved over time and provides different features for spying on infected devices. These features mainly include stealing SMS messages, contact details etc. Spynote has its own site – spynote[.]us. The domain is seized by FBI recently.

         fig.1 Seized Spynote domain

Here is a comparison of the old malware APK and the recent Aarogya Setu Fake application,

Old Malware sample IOC : 7ab951806650fb865436f03dedc0555b

Aarogya Setu Fake sample IOC : df5698d5aef850b217cbbfa9789bd347

Both these apps carry legitimate application in its “res/raw” directory named as “google.apk”. These files are of applications which they want to make as a target. For this Aarogya Setu Fake app it is an apk file of Official Aarogya Setu app. At the time of launch, the malware installs this legitimate application and hides itself. After that it starts its malicious activity silently in the background.

fig.2 (a) is code snippet of message stealing code from implemented onReceive method of the BroadcastReceiver class C10. In this method malware takes message text and assigns it to variable from C11 service. This service in these applications is responsible for their malicious activity. These two apps have similar code.

  fig.2(a)  Aarogya Setu Fake app code accessing SMS text

As the fake Aarogya Setu app is targeting the official Aarogya Setu application, malware authors have done changes accordingly. They have added Aarogya Setu icon in ic_launcher. To set the name of application as Aarogya Setu, they have changed the value of android:label in AndroidManifest.xml and as per that value is changed in res->values->string.xml. See in fig.2(b).

 fig.2(b) Icon comparison

IoC’s ( Apps which impersonate Aarogya setu app and/or use similar package name or same icon or both) –

df5698d5aef850b217cbbfa9789bd347

bbe84ba545d652d9e06635a6e89d48b5

ecaeb619b1226a5e22caed93478fc0ba

5ab7bbba0de6d8a74782f107e7a37cc1

e5e44ac40123023eebd5caf9662f05d1

Bfa19e91bb4b25d34ac10ad7b9fc5df2

Aarogya Setu patched with Metasploit:

We came across one application which is a patched version of the official Aarogya Setu application version 1.04. The app is created by patching the official app with package name “xrcpryfabq.peotrafpop”. This package contains Metasploit code.

What is Metasploit? – Metasploit is an exploitation framework used for penetration testing. It contains many exploits and payloads. Here this Metasploit has Trojan downloader code. Malware authors just added one line of the code to start activity from Metasploit code without changing the remaining code of the official app.

Fig.3(a) shows that one line added code nwvrhdtun.start() in Oncreate method of application class to start Metasploit activity , Fig.3(b) shows added Metasploit package xrcpryfabq.peotrafpop.

Below fig.3(c) shows package from Metasploit payload, which is created using “msfvenom” command. Same package is patched in the official Aarogya Setu application to convert this into a malicious application.

fig.3(c)

Malicious App IoC: 2b67566ecdb6fb9fb625508cc0bafa97

Android Trojan dropper malware uses fame of Aarogya Setu:-

We got some malicious samples that use the same package name as Aarogya Setu’s i.e.”nic.goi.aarogyasetu”. All these samples are trojan dropper malware. The code used is similar to the code used in the infected CamScanner application that surfaced last year.

These samples contain encrypted “mutter.zip” file in its asset directory. There is a class named as “Duration” which has a code to decrypt this mutter.zip file. This mutter.zip file contains malicious code for downloading malware files.

Fortunately, these fake Aarogya Setu applications will not get installed on users device, as one of the attribute of application tag in manifest file “android:testOnly” is set to true and these apps are not properly signed. Looks like these malwares are in development phase but in future malware authors may come up with improved versions of these.

Below IOC’s are of malicious samples which have similar package name as of Aarogya Setu application:

05d3004cab3626c2d09a45ed5ca9b3fd

0ab6b90d044ba4ca847849617769d563

1627d6bc5b521e20e0a6eb107b6b8102

3f06bc51873f08e89d968546da8264ab

52bb57bbc86d9d3b2125a50efc1f2594

Spreading vectors:

These applications are not available on Google Play Store, but still malware authors are trying to promote these to unsuspecting users by various ways. How they can do this? This section tries to answer this question.

1] YouTube and other social media comments:

While searching for Aarogya Setu related videos on YouTube, we came across one video on “how to download Aarogya Setu app”. This video is uploaded one month back but still is an example of spreading vector.

In the comment section of this video one person commented a link saying that this is an alternate link to download the Aarogya Setu app. This link opens a page with option to generate link, after clicking on that it redirects to different page each time. In this process, it downloads an apk with name “setting.apk” [IOC: da4eca06258b72341abe469c3d022d81] and this is nothing but a trojan dropper app.

 fig.4 YouTube comment promoting malicious App

2] WhatsApp and other social media messages:

You may have seen messages offering free data, free subscriptions with some link mentioned. These types of messages are generally used for spreading such malwares. Please check this blog – Beware of scams during this crucial time of CoronaVirus pandemic for more information.

Quick heal mobile security detects all the samples mentioned above.

Tips to stay safe

• Download Applications only from trusted sources like Google Play Store.
• Do not click on alien links received through messages or any other social media platforms.
• Turn off installation from unknown source option.
• Check installed application list time to time.
• Read the pop-up messages you get from Android system before Accepting/Allowing any new permissions.
• Use a trusted anti-virus like Quick Heal Mobile Security to stay safe from android malwares.

Stay Safe Stay Home!!!