In the world of cybercrime, the tactics used by threat actors are constantly evolving, but upon close analysis of multiple instances, the modus operandi remains the same – i.e. exploitation of current events, trending news, government websites, and even legitimate applications of trusted organizations to dupe unsuspecting users.
By using the names and logos of trusted applications, scammers can easily lure people into downloading and installing malicious fake apps on their devices.
As cyber criminals are getting more creative and sophisticated in their social engineering techniques, it’s crucial for individuals and businesses to stay vigilant, and be aware of these potential threats. Not only that, it is also important to protect ourselves and our devices from these threat agents who are continuously looking for new avenues to target their victims and collect sensitive information for their own malicious purposes.
At Quick Heal Security Labs we actively monitor Cybersecurity news and other forums so that we stay abreast of the latest trends and threats. The intent is to ensure the complete digital safety & security of our customers. This is why we have taken our time to go through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC), about the IRCTC fake apps. Read on to understand more about the Fake Application menace as we analyze the threat in detail.
The Fake IRCTC app portrays itself as the legitimate IRCTC app but is in reality a full-fledged spyware that spies on victims with ease.
This fake app Spyware is able to perform the following actions:
Fig 01. Fake App in the name of IRCTC.
When we click on the application icon to launch, it continuously shows us this screen, as given below.
Fig 02. Continuously shows this screen.
The fake app then tries to obtain the following permissions on a mobile device:-
Fig 03. Fake app trying to get permissions on the infected device
Behind the scenes, this malware performs a number of malicious activities simultaneously, like stealing location and installed application data
Fig 04. Taking Installed Applications Information.
Fig 05. Taking Location Information
One of the features of this spyware is the ability to steal Facebook credentials:-
Fig 06. Social Media Credentials Stealing.
It has been reported that a malicious Android application (irctcconnect.apk) hosted on a phishing website (https://irctc.creditmobile.site) is being circulated over instant messaging platforms e.g., WhatsApp, Telegram, etc.
This android app (APK file) is malicious and infects the mobile device. These fraudsters are sending phishing links at mass level and insisting users to download this android application, impersonating IRCTC officials to trick victims into revealing their sensitive net banking credentials like UPI details, credit/debit card information etc.
In view of this, you are advised that please do not install this application and keep yourself safe from such fraudsters.
Always download IRCTC’s authorized ‘IRCTC Rail Connect’ mobile app from Google Play Store or Apple Store.
Please note that IRCTC does not call its users/customers for their PIN, OTP, Password, Credit/Debit Card Details, Net Banking password or UPI details.
Quick Heal is able to detect such malicious applications with variants of “Android.SpyNote.GEN.”
Indicator of Compromises (IOCs):
It is recommended that all mobile users should install a trusted Anti Virus like “Quick Heal Mobile Security for Android” to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices.
As illustrated above, malware authors lure users by using icons of legitimate applications. These SpyNote applications can cause much harm to the infected devices. Users should be aware of such ongoing cyber scams and refrain from downloading and installing applications from untrusted sources.