Have you received an SMS with a link that says, “Register for vaccine using COVID-19 app”?
Well, beware! It’s fake – and probably riddled with malware.
The government of India started with the COVID-19 vaccination drive for everyone above 18, but consumers are facing problems in booking a slot due to a shortage in vaccines. In order to make the process user-friendly, several developers came up with notify-me websites that can tell you the availability of the slots, though you still need to use the official registration platform CoWIN API to complete the formalities.
In the middle of such a crisis, hackers are taking advantage of the situation with malicious elements. A fake SMS is in circulation tricking unsuspecting users for vaccine registration via an app. The SMS primarily is a malicious link filled with Android Worm that reaches users via message app, asking to register with the ‘Vaccine Registration’ app. Once the user downloads the app, it requests permission to access all the contacts and messages. The worm then uses the contacts listed in the infected Android device to spread to other devices via text messages.
Fig.1: Malicious web page
The above webpage Fig. 1 shows how hackers misguide users to download an app for the vaccination registration for the 18+ age groups. But in reality, it downloads a malicious APK after clicking on the “Download Now” button. The malicious APK is hosted on the GitHub account, and we got few similar apps with different app name in them. You can find the GitHub account link here. On monitoring this campaign, we got some other GitHub accounts, which also host similar APKs as shown in Fig.2 and Fig.3.
Fig2: GitHub account projectpro1 with malicious APK
Fig3: GitHub account mybestnews with malicious APK
On the first launch, the application takes few suspicious permissions like access contact, send and view SMS, make a call, etc. Fig. 4 shows permissions which it asks for the Fake vaccine registration application.
Fig 4 Fake vaccine registration app.
The malware App does some checks shown in Fig. 5 like, Emulator, ADB enabled or not, debugger check. It also collects information on all installed applications on the infected device.
Fig 5: ADB and Debugger check
First, it asks for the mobile number for the registration purpose. But on clicking the register now button, it only checks the length of the entered mobile number. If it is not greater than equal to 4 characters (as shown in Fig. 6) or if it is less than 4 characters, it displays a message “Please Enter your Correct Number!!”
Fig 6: Mobile number check
Spreading through SMS:
The malware collects contact information from the infected device.
Fig 7: Collecting contacts
Malware targets only Jio operators and spreads to contacts who are using Jio sim card. To identify the Jio user, the malware checks the first 4 characters of the mobile number with the list of number that Jio serves. Secondly, it queries a public web API of Jio and checks the response. Below fig. 8 shows the checking of Jio numbers.
Fig 8: Checking the first 4 characters of the number.
Fig 9: checking the response from Web API
The unidentified numbers are checked by querying a public web API of Jio as shown in Fig.9. In response, it checks for the string NOT_SUBSCRIBED_USER. And if the response contains a mobile number, then it is considered as a Jio number. After identifying the Jio number, it collects it in a separate list and starts sending SMS using the default sim operator as shown in Fig. 10.
Fig 10: Sending SMS
Spreading through WhatsApp:
The malware does not automatically spread through WhatsApp. It gives a dialogue box of “Share this APP on WhatsApp groups 10 Times to Start Registration” shows in Fig 11.
Fig 11: Malware spreading through WhatsApp
On clicking the button “Share on WhatsApp”, the malware copies the message to the clipboard. The malware does not validate whether the message is shared on WhatsApp or not. It only counts the number of clicks on the “Share on WhatsApp”. Fig 12 and Fig. 13 shows the WhatsApp sharing code.
The message shared on the WhatsApp groups:
Register for Vaccine Now*\n*from age 18+*\n\n*No Fees will be taken.*\n*It’s absolutely Free.*\n\n*Download VacciRegis android app*\n*and Register for vaccine*\n*in India*\n\n*Link:* http[:]//tiny.cc/COVID-VACCINE
Fig 12: Spreading through WhatsApp
Fig 13: Completion of message sharing on WhatsApp
The main goal of the app is to generate revenue by displaying ads and spreading itself through the victim’s contact list and through SMS. At Quick Heal, we have collected multiple variants of this malicious App and all are detected with the name “Android.GoodNews.GEN41898”. All these malicious applications are signed with the same digital certificate, which means the malware is written by a single malware author.