“Humans are the weakest link in cybersecurity.” Data breaches worldwide bear this out, as human error, lack of awareness, ignorance, or negligence lies behind many of them. Social engineering is the attack that exploits human behavior and human nature, and there are different ways to perform it. Attackers often manipulate and convince users by posing as a legitimate authority, intimidating them, building a relationship with them, or trying to create a false perception. Users fall prey because they are led to believe that something is scarce, that there is an urgency, and that immediate action is required.
Vishing is a social engineering attack and a type of phishing attack. In it, the attacker calls the victim and uses psychological manipulation with the intent to steal information, tricking the victim into handing over sensitive information or performing some action on the attacker’s behalf. This attack is also called voice phishing.
Vishing has been actively used in the recent past, and many unsuspecting users have become targets of such attacks. In one common method, the attacker asks the victim to install a screen-sharing application like AnyDesk or TeamViewer from the Google Play Store and then uses it to commit the fraud. One campaign recently observed was trending on Twitter: the attackers target users complaining about bad service on Twitter. Various applications are used in this campaign, as illustrated in the following example:
Fig. 1 Attack Flow
It has been observed that many people prefer to share their displeasure with a deficiency in a service or product in online forums rather than contacting the official customer support channels. Typically, the thought behind publicizing their dissatisfaction on public platforms is to highlight their issues, force corrective action, and expedite the grievance resolution. Some users post their contact details, like email or phone numbers, in their tweets for faster action – anticipating that the right officials would contact them to address their concerns. However, users tend to overlook that these tweets are posted in the public domain, and everyone – including malicious actors – can see their details.
Threat actors keep looking for such tweets. Most of the time, they get the contact details of the target from different social media accounts or by purchasing dumps from the dark web. They then call the user and try to convince them to download a “customer support” application presented as a tool to resolve their issue. They share the application via email or WhatsApp as well. However, this application is an SMS Trojan that forwards incoming messages from the user’s mobile to the attacker’s number, and this is how the attackers steal OTPs.
As users tweet and share their contact details, they expect calls from “official” representatives. Attackers often take advantage of this situation in this campaign.
Our team observed some tweets complaining about the services of IRCTC, PhonePe, SBI Bank, PNB Bank, Mobikwik, Meesho, CRED, Airtel India, Flipkart, etc.
The following screenshots of such tweets illustrate the vishing attempts that have become prevalent in recent times:
Fig. 2 User Tweets
Some users have shared screenshots of WhatsApp messages in which the attacker sent them the application via WhatsApp. File names used by these attackers for these applications include “Online Complaint.apk”, “PNB_Support.apk”, “Customer Support.apk”, etc.
Fig. 3 Screenshots of WhatsApp message sent by the attacker
The attacker uses the official logos of popular banks like ICICI Bank and Punjab National Bank, finance institutions like Mahindra Finance and Bajaj Finance, and some courier delivery service providers like Blue Dart Express and JNI Express to deceive unsuspecting users.
Fig. 4 Icons used by the malicious application
When this application is launched, it asks for permission to send and receive SMS messages. Once the user grants these permissions, it forwards incoming messages to the attacker. The application also asks the user to enable auto-start in the settings.
Fig. 5 Application asking for SMS permissions
Fig. 6 shows the code used to access the SMS messages. Depending on conditions, this data is sent either to a phone number hard-coded in the app or to a number read from shared preferences.
Fig. 6 SMS access and forwarding
Fig. 7 shows the code used to delete the SMS records that would show messages being forwarded from the user’s mobile inbox to the attacker’s number. This effectively erases the trace of the fraudulent activity.
Fig. 7 Code to delete sent SMS data
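The combination just described (SMS send and receive permissions, a receiver for incoming SMS, and boot-time auto-start) is visible in an APK's manifest before the app ever runs, which makes it a cheap first triage check. The script below is an added example written for this article, not Quick Heal's detection logic or code from the samples above; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and both sample manifests, including their package names, are constructed for illustration.

```python
"""Static triage of decoded AndroidManifest.xml files for the SMS-forwarding
Trojan pattern: SMS permissions, a receiver for incoming SMS and boot-time
auto-start. Added example; the sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-stealer indicators found in one decoded manifest
    together with a coarse score and verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}

    sms_receiver = False
    high_priority = False
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_ACTION in actions:
                sms_receiver = True
                # Interceptors often register a very high priority so they
                # see the message before the default SMS app does.
                if int(flt.get(PRIORITY, "0")) >= 999:
                    high_priority = True
    all_actions = {a.get(NAME) for a in root.iter("action")}
    boot_receiver = BOOT_ACTION in all_actions and BOOT_PERM in perms

    score = 0
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        score += 2  # can both read incoming OTPs and forward them out
    if sms_receiver:
        score += 1
    if high_priority:
        score += 1
    if boot_receiver:
        score += 1
    if "android.permission.READ_SMS" in perms:
        score += 1
    verdict = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver": sms_receiver,
        "high_priority_sms_filter": high_priority,
        "boot_receiver": boot_receiver,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest mimicking the "Customer Support" Trojan pattern.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.support">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Customer Support">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app with no SMS access at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

A legitimate default messaging app also declares these permissions and an SMS_RECEIVED receiver, so the verdict is a triage priority, not a conviction: the decisive evidence is the code shown in Fig. 6 and Fig. 7, which forwards the message to an attacker-controlled number and deletes the trace.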
In this campaign, voice calls, i.e., the vishing technique, propagate these applications. Earlier, our investigations revealed a phishing page asking for credit and debit card credentials and distributing such applications. It was a fake page of Patanjali Yog gram registration. The application dropped by this site was also an SMS stealer Trojan.
Fig. 8 Patanjali phishing page
Attackers use different means to reach users. For example, they send SMS or WhatsApp messages about electricity bill updates or bank wallet KYC updates and ask the user to call the phone number mentioned in the message as soon as possible. They try to create a false sense of urgency in the message, which is one of the principles of social engineering. Fig. 9 shows examples of such messages:
Fig. 9 Messages shared by scammers about electricity bills
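The lure messages above share a structure that a message filter or an awareness tool can score: an urgency cue, a financial or utility pretext, and a callback number. The heuristic below is an added example written for this article, not a filter used by Quick Heal; the keyword lists are a starting point rather than a complete model, and all four sample messages are constructed.

```python
"""Heuristic triage of SMS text for the urgency-plus-callback lure used in
the campaign above. Added example; the sample messages are constructed."""
import re

URGENCY = ("immediately", "tonight", "today", "within 24 hours", "urgent",
           "asap", "disconnected", "blocked", "suspended", "last chance")
LURES = ("electricity", "bill", "kyc", "wallet", "bank", "account",
         "reward", "cashback")
# Indian mobile numbers: optional +91, then 10 digits starting with 6-9.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[-\s]?)?[6-9]\d{9}(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.I)


def triage_sms(text: str) -> dict:
    """Score one message and return the cues that drove the score."""
    t = text.lower()
    urgency_hits = [w for w in URGENCY if w in t]
    lure_hits = [w for w in LURES if w in t]
    numbers = PHONE_RE.findall(text)
    links = URL_RE.findall(text)
    # Cap each cue class so a wordy message cannot dominate the score.
    score = min(len(urgency_hits), 2) + min(len(lure_hits), 2)
    if numbers:
        score += 2  # the callback number is the point of the lure
    if links:
        score += 1
    if score >= 4:
        verdict = "likely smishing"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "ok"
    return {"score": score, "verdict": verdict, "urgency": urgency_hits,
            "lures": lure_hits, "callback_numbers": numbers, "links": links}


# Constructed samples: two lures, a genuine OTP, and a personal message.
SAMPLES = [
    "Dear customer your electricity power will be disconnected tonight at "
    "9.30 pm because your previous month bill was not updated. Please "
    "immediately contact our electricity officer 9876543210. Thank you",
    "Dear user, your SBI wallet KYC has expired and your account will be "
    "blocked within 24 hours. Call 9123456789 to update now.",
    "482913 is your OTP for login. Do not share it with anyone.",
    "Hi! Are we still meeting tonight at 8? Call me on 9876543210 if plans change.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage_sms(msg)
        print(f"{result['verdict']:>15} (score {result['score']}): {msg[:60]}...")
```

The last sample shows the limit of keyword scoring: a friend asking you to call back "tonight" lands in "review" on the same rules, so a heuristic like this belongs in front of a human or a richer classifier, not in a blocking path on its own.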
Such applications are evolving, and attackers add new features in the latest versions to keep targeting users. Attackers improvise day by day and use different techniques to attack. Everything we post in public online forums can be misused by these attackers, so we need to be very cautious while using social media.
Quick Heal detects all such applications with Android.SMForw.GEN50605.