As an unsuspecting smartphone user, you could be unknowingly inviting deceptive pop-up apps, and risking your device’s privacy and financial security. In this blog, we’ll be answering all the above questions and also breaking down a ‘pop-up ad’ to reveal how it works. Plus, we’ll share important safety tips so that you can keep your devices protected from these malicious apps.
Our daily reliance on smartphone apps can lead to hidden dangers. A tempting ad pop-up, urging you to download it, with the promise of revealing secrets can often hide a serious threat.
Most of the time, such deceitful apps, posing as something useful, can find entry into your device without your knowledge. Disguised as authentic app icons, it can steal private SMS messages and more. This stolen data can be misused to create fake social media accounts, putting your privacy and your financial security at grave risk. Situations can worsen if stolen SMS data contains sensitive financial information like bank verifications and login credentials. In the wrong hands, this can lead to unauthorized access and identity theft, causing great harm to your finances.
Recently, we encountered a website that displayed pop-up advertisements. A website pop-up appears on its own as a window on the website interface, without any intentional action from the user. Generally, these pop-ups are used to show advertisements.Among these ads was one promoting an “xxx Scanner,” illustrated below.
After clicking this advertisement, it redirected to another website, opening in a separate window. This new site displayed adult images and presented itself as “Thermal 18+.” It showcased the app’s name, icon, and offered an option to update the application. The site aimed to convince users that the earlier pop-up ad for the xxx Scanner app was outdated, and a new version was available.
The image in the figure displayed a text stating: “You have downloaded the old version, update the Thermal camera.” Upon clicking the “update APK” button on this site, the user inadvertently downloaded an app named “Thermal Cam Scanner 6.” (refer Figure 2)
We examined an app obtained from the website.
Application running flow is shown in Figure 3.
Once the threat actor obtains all necessary permissions, they can create multiple accounts on social media and websites using the victim’s phone number. The malware then by utilizing SMS access, easily retrieves One-Time Passwords (OTPs) sent by these platforms. This enables the threat actor to replicate the victim’s social media accounts and access personal data. Figure 4 displays an OTP received on our phone number upon executing the application.
In addition to the mentioned risks, the app can hide its icon, making it challenging for victims to find and uninstall. It also gathers SIM-related details, potentially accessing information linked to the mobile network provider.
The application presents a significant threat to both the privacy and financial security of individuals. By accessing victims’ SMS messages, it creates proxy accounts on social media, where sensitive financial information is often shared. With this data, threat actors can easily cause substantial financial harm.
As mentioned earlier, the pop-up ad for scanner app. redirect the user to another site. The URL of the newly opened site, in the new window of browser is:
We checked for details about “kuklav.com,” and found that this website was recently created in September 2023. Interestingly, its registration is set to expire on 5th September 2024, indicating a relatively short-term registration period, which can be considered unusual as domain registrations commonly span longer durations. (Refer Fig: 5)
Key Observation points about traffic directed to this site (refer Figure 4)-
Consequently, it’s apparent that this campaign primarily targets mobile users from countries like India, Egypt, Iraq, Brazil, and others.
Additionally, during our investigation, we found GitHub account under the username “Hubasd.” This account hosted similar APK files to the previously mentioned thermal scanner apps. The repository contains files with the name – “Thermal-S7.apk” and “Thermal-S6.apk.”
As we have seen earlier, this application was asking to be set as the default SMS application. If the application is set as default SMS app, it gains the ability to register a broadcast receiver, enabling it to intercept system notifications associated with SMS messages. Figure 7 shows the code for the broadcast receiver. This code runs whenever the malware app receives a broadcast about SMS notifications. In this code, the malware quickly retrieves incoming SMS data and sends it to the Command and Control (C2) center.
Furthermore, the app has code allowing it to access the device’s location during runtime. Please refer to figure 8 illustrating the code snippet extracted from the application.
Quick Heal detects such malicious applications with variants of “Android.Agent.DCe5a1.”
It is recommended that all mobile users should install a trusted Anti-Virus like “Quick Heal Mobile Security for Android” to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices. Download your Android protection here
In the world of cyber threats, attackers use various techniques to get into our devices, because of which innocent users become victims of personal and financial risk. One such tactic takes advantage of our browsing habits, where we unknowingly click on links and apps that promise unrealistic benefits in areas like dating, gaming, or gambling. These apps may seem harmless at first but downloading them could seriously compromise privacy and financial security. While not every case leads to harm, it’s always a good idea to stay cautious.
Don’t wait! Secure your smartphones today with Quick Heal Total Security for Mobiles & Smartphones – Buy or Renew Today!
Co-author: Akshay Singla