The pandemic keeps adding new chapters, and the malware landscape keeps pace with it. Several apps were developed in different countries and states for easy management and tracking of COVID-19 cases. At Quick Heal Security Labs, we have been tracking such applications to identify malware-laced apps that imitate the official apps meant to ease the lives of people and authorities.
As mentioned in our previous blog, various Arogya Setu apps were found to be malicious. Malware authors piggyback on apps that have already launched and keep a close watch on statements made by authorities about apps that will be used for vaccination registration. A similar app imitating the co-win app was covered in the earlier blog. A new malicious application serving the same purpose has come to light, along with another app that claims to check a person's oxygen saturation level.
Two similar apps imitating legitimate oximeter and vaccine registration apps were found, as mentioned in the Karnataka DGP's tweet last week. Fake oximeter apps had earlier been found that captured the user's fingerprint data for Google Pay, PhonePe, Paytm, etc. This app is cut from the same cloth. It asks for contacts and SMS permissions, which are unnecessary for an app that only checks oxygen saturation. It reads the contact list and sends every contact a link via SMS and WhatsApp; the link points to a file hosted on a mega[.]nz account, which on download turns out to be a banking trojan.
Malware authors evolve their techniques every day. One of the essential ingredients of a malware campaign's success is distribution. For Android users, Google Play Store is the most sought-after market for free and paid apps, and that is where the most effective target lies. Malware authors apply different tricks to bypass Google Play Store restrictions. Some of the tricks used to publish apps and distribute them via other means are:
Fig.1 Asking for contacts and send-SMS permissions
The onCreate method requests the permissions and then calls the method "sendO2toContacts", the malicious method that carries out the rest of the activity.
Fig.2 Calling method sendO2toContacts
sendO2toContacts calls a method "getAllContacts" that collects every contact number on the device. It then obtains the link for SMS and WhatsApp, iterates over the array of contacts and calls the methods that send the link via SMS and WhatsApp.
Fig.3 Driver function for malicious activity
The sendO2ViaSMS function returns a decoded base64 string, which decodes to "hxxps://mega[.]nz/file/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g"
Fig.4 Malicious link
Visiting this link takes us to the mega[.]nz page that has an APK file ready to be downloaded.
Fig.5 Banker trojan
Though the displayed name of the app is Oxygen Saturation Checker.apk, the downloaded file is actually "pamdemicdestek.apk", which Quick Heal detects as Android.Anubis.GEN30551.
Fig. 6 Returning formatted WhatsApp API link
The SendViaSMS function receives the number and the message to be sent to every contact on the device.
Fig.7 sending SMS link
Similarly, the send-via-WhatsApp method takes the crafted WhatsApp API message and starts the activity.
Fig. 8 Sending trojan link via WhatsApp
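The three observations above (the unnecessary contacts plus SMS permission pair in Fig.1, the base64-hidden mega[.]nz link in Fig.4, and the formatted WhatsApp API link in Fig.6) can each be turned into a quick static triage check. The script below is an added example and not Quick Heal's tooling or the malware's code; the manifest fragment, package name, string table and phone number are constructed for the example, and the WhatsApp link is assumed to follow the public api.whatsapp.com/send?phone=...&text=... click-to-chat format.

```python
"""Static triage helpers for the fake-oximeter pattern (added example, not
Quick Heal's code): flag the contacts+SMS permission combination, recover
base64-hidden URLs from an app's string table, and pull the payload URL
out of a WhatsApp API link. All inputs below are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions an oxygen-saturation checker has no business requesting together.
CONTACT_SPAM_COMBO = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

# Constructed manifest fragment modelled on Fig.1; the package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oxycheck">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

# The URL from Fig.4, base64-encoded here so the example is self-contained.
PAYLOAD_URL = "https://mega.nz/file/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g"
SAMPLE_STRINGS = [  # constructed string table
    "Oxygen Saturation Checker",
    base64.b64encode(PAYLOAD_URL.encode()).decode(),
    "https://api.whatsapp.com/send?phone=%s&text=%s",
    "Q2hlY2sgeW91ciBTcE8y",  # base64 of "Check your SpO2": decodes, but is not a URL
]

# Assumed shape of the "formatted WhatsApp API link" from Fig.6 (public click-to-chat URL).
SAMPLE_WHATSAPP_LINK = (
    "https://api.whatsapp.com/send?phone=919876543210&text=" + quote(PAYLOAD_URL, safe="")
)


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in an AndroidManifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def has_contact_spam_capability(manifest_xml):
    """True when the app can both read the address book and send SMS."""
    return CONTACT_SPAM_COMBO <= requested_permissions(manifest_xml)


def defang(url):
    """Rewrite a live URL so it cannot be clicked: https://mega.nz -> hxxps://mega[.]nz."""
    p = urlsplit(url)
    scheme = p.scheme.replace("http", "hxxp", 1)
    return urlunsplit((scheme, p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))


B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_hidden_urls(strings):
    """Decode base64-looking strings and return those that turn out to be URLs (defanged)."""
    found = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or decodes to binary rather than text
        if decoded.startswith(("http://", "https://")):
            found.append(defang(decoded))
    return found


def whatsapp_payload(link):
    """Extract (phone, text) from an api.whatsapp.com/send link; None if it is not one."""
    p = urlsplit(link)
    if p.netloc != "api.whatsapp.com" or p.path != "/send":
        return None
    q = parse_qs(p.query)
    return q.get("phone", [""])[0], q.get("text", [""])[0]


if __name__ == "__main__":
    print("contacts+SMS capability:", has_contact_spam_capability(SAMPLE_MANIFEST))
    print("hidden URLs:", decode_hidden_urls(SAMPLE_STRINGS))
    print("WhatsApp payload:", whatsapp_payload(SAMPLE_WHATSAPP_LINK))
```

On a real sample, feed requested_permissions the decoded AndroidManifest.xml (for example from apktool output) and decode_hidden_urls the strings pulled from the dex or resources; the decoder deliberately decodes every base64-looking string and keeps only those that yield a URL, because the text in a WhatsApp link is percent-encoded and the SMS link is base64-encoded, so neither shows up in a plain grep for "mega.nz".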