The Government of India launched a mobile application called Aarogya Setu for contact tracing during the Covid-19 pandemic. It reached a record-breaking number of downloads on the Google Play Store in a very short time; as per government statistics it has more than 10 crore registered users, and the number is growing every day.
Riding on this wave, malware authors are misusing the name ‘Aarogya Setu’ to plant malicious apps on end users’ phones. We collected many applications from various sources that impersonate the official Aarogya Setu app. While analysing them, we found several malicious applications that look exactly like the official app. All the samples we have are modified versions of previously known malware, with a few minor changes made to give them the look of the Aarogya Setu app.
Here is a comparative analysis of a few of these malicious lookalike apps:
All of these samples use Spynote RAT.
Spynote is a RAT (Remote Administration Tool) that gives malware authors complete control of an infected device. It has several versions that have evolved over time, each offering different features for spying on the infected device; these mainly include stealing SMS messages, contact details, etc. Spynote had its own site, spynote[.]us; the domain was recently seized by the FBI.
fig.1 Seized Spynote domain
Here is a comparison of the old malware APK and the recent fake Aarogya Setu application:
Old Malware sample IOC : 7ab951806650fb865436f03dedc0555b
Aarogya Setu Fake sample IOC : df5698d5aef850b217cbbfa9789bd347
Both apps carry a legitimate application in their “res/raw” directory, stored under the name “google.apk”. This embedded file is the application the malware wants to pose as; in the fake Aarogya Setu app it is the APK of the official Aarogya Setu app. On launch, the malware installs this legitimate application and hides its own icon, so the victim sees the real app appear, and then silently starts its malicious activity in the background.
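The install-and-hide trick depends on a second package being carried inside the first, so the static part of triaging such a sample is simply to look inside the APK (a ZIP file) for nested archives. The Python script below is an added example, not code from this write-up or from the malware: it lists everything under res/raw and assets, marks which files start with the ZIP local-header magic (a nested APK or JAR) and which are opaque blobs (an encrypted archive, say), and reports whether the APK carries any signature at all. Signing is checked two ways because the v1 (JAR) scheme leaves entries in META-INF while v2/v3 put the signature in an APK Signing Block that sits immediately before the ZIP central directory; the check only says a signature is present, not that it is valid or that it belongs to the real publisher. The APK it builds in memory is constructed for the demonstration (the names google.apk and mutter.zip are the ones seen in the samples described in this post); `add_fake_signing_block` splices in an empty signing block only to exercise the v2 check.

```python
"""Static triage for repackaged lookalike APKs (added example, not Quick Heal's tooling)."""
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                 # ZIP local file header: start of any APK/JAR
SIG_BLOCK_MAGIC = b"APK Sig Block 42"     # last 16 bytes of a v2/v3 APK Signing Block
PAYLOAD_DIRS = ("res/raw/", "assets/")    # where droppers usually stash their cargo


def find_embedded_payloads(apk_bytes: bytes):
    """Return (name, size, looks_like_zip) for every file under res/raw or assets."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(PAYLOAD_DIRS):
                continue
            head = zf.open(info).read(4)
            hits.append((info.filename, info.file_size, head == ZIP_MAGIC))
    return hits


def has_v1_signature(apk_bytes: bytes) -> bool:
    """v1 (JAR) signing leaves META-INF/MANIFEST.MF plus a *.RSA/*.DSA/*.EC block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    has_block = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                    for n in names)
    return "META-INF/MANIFEST.MF" in names and has_block


def has_v2_signing_block(apk_bytes: bytes) -> bool:
    """v2/v3 signatures live in an APK Signing Block placed right before the central
    directory; the block ends with the 16-byte magic string."""
    eocd = apk_bytes.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0 or eocd + 20 > len(apk_bytes):
        return False
    cd_offset = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]   # CD offset field
    return cd_offset >= 16 and apk_bytes[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC


def triage(apk_bytes: bytes) -> dict:
    return {
        "embedded": find_embedded_payloads(apk_bytes),
        "signed": has_v1_signature(apk_bytes) or has_v2_signing_block(apk_bytes),
    }


def build_sample_apk() -> bytes:
    """Constructed, unsigned stand-in for a dropper APK (sample data, not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nested:
        nested.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # placeholder bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("res/raw/google.apk", inner.getvalue())          # nested legitimate app
        zf.writestr("assets/mutter.zip", b"\x8f\x1a\x02" * 64)        # opaque encrypted blob
    return outer.getvalue()


def add_fake_signing_block(apk_bytes: bytes) -> bytes:
    """Splice an empty APK Signing Block before the central directory and fix up the
    EOCD offset. Demonstrates the v2 check only; the block carries no real signature."""
    eocd = apk_bytes.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC   # size, size, magic; zero pairs
    return (apk_bytes[:cd] + block + apk_bytes[cd:eocd + 16]
            + struct.pack("<I", cd + len(block)) + apk_bytes[eocd + 20:])


if __name__ == "__main__":
    report = triage(build_sample_apk())
    for name, size, is_zip in report["embedded"]:
        print(f"{name}: {size} bytes {'(nested ZIP/APK)' if is_zip else '(opaque blob)'}")
    print("signed:", report["signed"])
```

Run it against a real file with `triage(open(path, "rb").read())`; a nested ZIP under res/raw or assets in an app that has no business shipping plugins is the first thing to pull out and analyse on its own.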
Fig.2(a) is a snippet of the message-stealing code in the onReceive method of the BroadcastReceiver class C10. In this method the malware reads the text of the incoming SMS and hands it to a variable of the C11 service, which in these applications is responsible for the malicious activity. Both apps have similar code here.
fig.2(a) Aarogya Setu Fake app code accessing SMS text
As the fake Aarogya Setu app is targeting the official application, the malware authors have made the corresponding cosmetic changes. They added the Aarogya Setu icon as ic_launcher. To set the application name to Aarogya Setu, they changed the value of android:label in AndroidManifest.xml and the matching string in res/values/strings.xml. See fig.2(b).
fig.2(b) Icon comparison
IoCs (apps which impersonate the Aarogya Setu app and/or use a similar package name, the same icon, or both):
We came across one application which is a patched version of the official Aarogya Setu application, version 1.04. It was created by patching a package named “xrcpryfabq.peotrafpop” into the official app. This package contains Metasploit code.
What is Metasploit? Metasploit is an exploitation framework used for penetration testing. It contains many exploits and payloads. Here the Metasploit code acts as a Trojan downloader. The malware authors added just one line of code to start an activity from the Metasploit package, without changing the rest of the official app’s code.
Fig.3(a) shows that single added line, nwvrhdtun.start(), in the onCreate method of the application class, which starts the Metasploit activity; fig.3(b) shows the added Metasploit package xrcpryfabq.peotrafpop.
Fig.3(c) below shows the package from a Metasploit payload generated with the “msfvenom” command. The same package was patched into the official Aarogya Setu application to turn it into a malicious application.
Malicious App IoC: 2b67566ecdb6fb9fb625508cc0bafa97
We also got some malicious samples that use the same package name as Aarogya Setu, i.e. “nic.goi.aarogyasetu”. All these samples are Trojan dropper malware. The code is similar to that used in the infected CamScanner application that surfaced last year.
These samples contain an encrypted “mutter.zip” file in their assets directory, and a class named “Duration” holds the code to decrypt it. The decrypted mutter.zip contains malicious code for downloading further malware files.
Fortunately, these fake Aarogya Setu applications will not install on a user’s device: the android:testOnly attribute of the application tag in the manifest is set to true, which makes the package installer reject the APK unless installation is forced with adb install -t, and the apps are not properly signed. It looks like these malware are still in a development phase, but the authors may come up with improved versions in future.
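The traits described above (the official package name or label reused by another app, android:testOnly="true", and the permission plus SMS_RECEIVED receiver needed for the message theft seen in the Spynote samples) are all visible in the manifest, so they can be checked mechanically before any code is read. The Python script below is an added example, not Quick Heal's tooling or anything from the samples: it works on the text AndroidManifest.xml and res/values/strings.xml that apktool decodes out of an APK (the manifest stored inside the APK itself is binary AXML, which this script does not parse) and returns a list of findings. The sample manifest and strings file embedded in it are constructed for the demonstration and combine the traits the post attributes to different samples; the receiver and service names C10 and C11 are borrowed from the description of fig.2(a), and the official package name nic.goi.aarogyasetu is the one quoted above.

```python
"""Manifest triage for Aarogya Setu lookalikes (added example, not Quick Heal's tooling).

Input is the text manifest apktool decodes, not the binary AXML inside the APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OFFICIAL_PACKAGE = "nic.goi.aarogyasetu"          # official app's package name (from the write-up)
OFFICIAL_LABEL = "aarogya setu"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def parse_strings(strings_xml: str) -> dict:
    """Map string resource names to values so @string/... labels can be resolved."""
    root = ET.fromstring(strings_xml)
    return {s.get("name"): (s.text or "") for s in root.findall("string")}


def triage_manifest(manifest_xml: str, strings=None) -> dict:
    strings = strings or {}
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package") or ""
    app = root.find("application")
    perms = {android_attr(p, "name") for p in root.findall("uses-permission")}

    label = (android_attr(app, "label") or "") if app is not None else ""
    if label.startswith("@string/"):                 # resolve via res/values/strings.xml
        label = strings.get(label[len("@string/"):], label)

    test_only = False
    sms_receivers = []
    if app is not None:
        test_only = (android_attr(app, "testOnly") or "").lower() == "true"
        for rcv in app.findall("receiver"):           # receivers wired to incoming SMS
            actions = {android_attr(a, "name") for a in rcv.iter("action")}
            if SMS_ACTION in actions:
                sms_receivers.append(android_attr(rcv, "name"))

    findings = []
    if pkg == OFFICIAL_PACKAGE:
        findings.append("package name is identical to the official app's; only the signing "
                        "certificate can tell a repackaged build from the real one")
    elif "aarogya" in pkg.lower():
        findings.append(f"package name {pkg!r} mimics the official app")
    if OFFICIAL_LABEL in label.lower():
        findings.append(f"launcher label {label!r} borrows the official app's name")
    if test_only:
        findings.append("android:testOnly=true: the installer rejects it with "
                        "INSTALL_FAILED_TEST_ONLY unless forced with 'adb install -t'")
    if perms & SMS_PERMISSIONS:
        findings.append("SMS permissions: " + ", ".join(sorted(perms & SMS_PERMISSIONS)))
    if sms_receivers:
        findings.append("receivers registered for SMS_RECEIVED: " + ", ".join(sms_receivers))
    return {"package": pkg, "label": label, "findings": findings}


# Constructed sample files (not a real sample's manifest) combining the traits described above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="nic.goi.aarogyasetu">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="@string/app_name" android:icon="@mipmap/ic_launcher"
        android:testOnly="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".C10">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".C11"/>
    </application>
</manifest>
"""
SAMPLE_STRINGS = '<resources><string name="app_name">Aarogya Setu</string></resources>'

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST, parse_strings(SAMPLE_STRINGS))
    print(result["package"], "/", result["label"])
    for finding in result["findings"]:
        print(" -", finding)
```

The package-name finding is deliberately phrased as a pointer rather than a verdict: a package name is not an identity on Android, the signing certificate is, so an APK that carries nic.goi.aarogyasetu but was not signed by the official publisher's key is a repackaged build no matter how faithful its icon and label are.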
Below are IoCs of malicious samples that have the same package name as the Aarogya Setu application:
These applications are not available on the Google Play Store, but malware authors are still trying to push them to unsuspecting users in various ways. How can they do this? This section tries to answer that question.
While searching for Aarogya Setu related videos on YouTube, we came across a video on “how to download Aarogya Setu app”. It was uploaded a month ago but is still a live example of a spreading vector.
In the comment section of this video, someone posted a link claiming to be an alternate download link for the Aarogya Setu app. The link opens a page with an option to generate a link; clicking it redirects to a different page each time. In the process, it downloads an APK named “setting.apk” [IoC: da4eca06258b72341abe469c3d022d81], which is nothing but a Trojan dropper app.
fig.4 YouTube comment promoting malicious App
You may have seen messages offering free data or free subscriptions along with a link. Such messages are commonly used to spread this kind of malware. Please check our blog “Beware of scams during this crucial time of CoronaVirus pandemic” for more information.
Quick Heal Mobile Security detects all the samples mentioned above.