Android apps targeting JIO users in India

Introduction

In March 2021, through Zscaler cloud we identified a few download requests for malicious Android applications which were hosted on sites crafted by the threat actor to social engineer users in India. This threat actor leverages latest events and news related to India as a social engineering theme in order to lure users to download and install these malicious Android apps.

We identified several GitHub accounts which are hosting malicious Android mobile apps (APK files) and web pages which are used actively in this campaign.

One of the Android apps masquerades as a TikTok App. In 2020, the TikTok app was banned by the government of India. Attackers are leveraging that theme to lure the users by misinforming them that TikTok is available in India again.

Another instance we observed recently involved the threat actor leveraging a “Free Lenovo Laptop” scheme by Indian government.

In this blog, we will describe the complete infection chain, and the timeline of this threat actor highlighting how they have changed the theme over a period of time to distribute the malicious Android apps.

Timeline

Per our research, this threat actor has been active in-the-wild since as early as March 2020. We observed a pattern in their tactics, techniques and procedures (TTPs). They leverage popular themes and current events in India and use them as a social engineering technique to lure the user to download their application.

The graphical timeline below shows the different themes used by the threat actor over a period of time.

Figure 1: Timeline showing different themes used by threat actor

Attack flow

Attack infection chain begins with an SMS or a Whatsapp message where the user receives a shortened URL link which ultimately redirects to a website hosted on Weebly and controlled by the attacker. The content of this site is crafted based on current events in India and used for social engineering.

Figure 2: Attack flow

In the original download request which we observed in Zscaler cloud, the user-agent string was: WhatsApp/2.21.4.22 which indicated to us that the link was clicked by the user in a WhatsApp message.

As an example, in one of the instances, the shortened URL redirected the user to the website: https://tiktokplus[.]weebly.com/ which looks like shown in Figure 3.

Shortened link: http://tiny[.]cc/Tiktok_pro
URL: https://tiktokplus[.]weebly.com/
GitHub download link: https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h.apk 

Figure 3

This webpage misinforms the user that the TikTok application is available again in India and lures them to download it. The actual APK file is hosted on an attacker-controlled GitHub account.

GitHub account name: breakingnewsIndia
GitHub download link: https://github.com/breakingnewsindia/t1/

During our research on this threat actor, we also identified several more GitHub accounts and the complete list is available in the Indicators of Compromise (IOC) section.

Figure 4 and Figure 5 shows two more such GitHub accounts.

Figure 4

Fivegcovert (5G Covert)

Figure 5

The latest theme used by this threat actor is related to “Free Lenovo laptop scheme by Indian Government”.

Shortened URL: hxxps://tiny[.]cc/Register-Laptop
Final URL: hxxps://govlapp[.]weebly.com/

MD5 hash of APK file:  f9e5fac6a4873f0d74ae37b246692a40 
Package name:  com.jijaei.pikapinjan 

Figure 6 shows the website crafted by the attacker and hosted on weebly.com which misinforms the user and lures them to download the APK file.

Figure 6

Technical analysis

For the purpose of technical analysis we will look at the APK file with MD5 hash: 5e0ac8784dae349cfa840cbef5bd3dfb

Package name:  heartrate.tracker.cameras 
Mainactivity:  heartrate.tracker.cameras.MainActivity 

Important code sections included below.

// MainActivity

MainActivity does nothing more than simply calling the datalaile.class

// datalaile.class

The datalaile.class performs the following operations:

1. Checks if required permissions are granted.
2. If permissions are not granted, request them and if the user denies the permissions shows a Popup message mentioning “Need Permission to start app!!” and again asks the user for permissions
3. Starts the malicious service from “felavo.class” when permissions are granted
4. Displays a form for Username and Password input
5. Performs validation on the entered Username and do further operations

Figure 7: Getting permissions and starting malicious service

Username Validation

Although the Username is expected to be in the form of a mobile number as per the error message but there is no explicit check for that. It only checks if the Username length is at least 4 characters else displays a message asking the user to enter the correct number.

Figure 8: Username validation

If the check passes it shows a Popup message to start TikTok which when clicked calls the sendmsg.class

// sendmsg.class

The sendmsg.class prompts the user to share the app 10 times on WhatsApp. There is no check to identify if WhatsApp is installed or not. In case WhatsApp is not installed a Toast message is shown “WhatsApp not Installed” but the counter still decrements. 

The shared message has the following content:

“*Tiktok is back in India*\n\n*Enjoy Tiktok Videos again and also*\n*make Creative videos again with*\n*new Features.*\n\n*Tiktok is now Partner with Jio.*\n\n*NOTE : All users can use their old Id.*\n\n*Now Tiktok is only available on*\n*TiktokPro android app.*\n\n*Link:* http://tiny.cc/Tiktok_pro” 

As we can see, the above message contains a shortened URL which lures the user into downloading this malicious app.

Figure 9 shows the code flow for sharing the app on WhatsApp

Figure 9: Sharing app on WhatsApp

Figure 10 shows the interface displayed by the app which prompts the user to share it with their contacts through WhatsApp 10 times.

Figure 10: Message shown to user to prompt sharing with contacts through WhatsApp 

After the app is shared 10 times on WhatsApp, the user is displayed a congratulation message with a Continue button which when clicked calls the clickendra.class

// clickendra.class

The clickendra.class asks the user to perform a few more steps to get started with the app, then displays some Ads to the user and finally shows a message that Tiktok will start in 1-HOUR.

Figure 11 below shows the final message displayed to the user

Figure 11: 1-HOUR app start message displayed to the user 

Display Ads

These apps are used by the threat actor to generate revenue by displaying interstitial advertisements to the user. There are two software development kits (SDKs) used for this purpose. If it fails to retrieve advertisements using one SDK, then it uses the next SDK as a failover mechanism.

Below two SDKs were used in the app.

1. AppLovin
2. StartApp

At first, the AppLovin SDK is initialized and context is set. In order to leverage AppLovin SDK to display advertisements, a developer needs to use the SDK key obtained from AppLovin interface. In the case of this app, we can find the SDK key configured in AndroidManifest.xml as shown in Figure 12.

Figure 12: AppLovin SDK key configured in AndroidManifest.xml file

Before displaying the Ads a fake view is created for the user which contains a fake text message and a fake progress bar on top of all the elements.

After setting the fake view, a request to fetch the Ads is sent. If the Ad is received successfully, then it is displayed and the fake progress bar is hidden, else a request to load the next Ad is sent.

If the next Ad load request also fails, then the StartApp SDK is initialized to load the Ads. If startApp SDK is also unable to receive the Ad, then the “lastactivity.class” is called.

Figure 13 below shows the Ad displayed to the user

Figure 13: Ad displayed to the user

// lastactivity.class

It changes the content view, initializes the StartApp SDK again and creates a fake progress bar as earlier. If the Ad is received, then it is displayed to the user, else the message shown in Figure 11 above is displayed and no further activity is done. 

// Inside the service felavo.class

The main objective of the code implemented for the service is to spread the malware to more users. The service felavo.class performs the following operations:

Initialization

The decoy message used to spread the application is stored in encrypted form. In the initialization phase the service configures the cryptographic context which is later used to decrypt the decoy message. 

Note: In some cases it is just the left over code which executes but the decrypted decoy message is never used. Instead a hard coded message is already configured in the function where the decrypted decoy message is supposed to be used.

Among all the analysed samples we found two cryptographic algorithms in use:

1.  AES/CBC/NoPadding

     128-bit Key: 9876543210wsxzaq

2. DESede 

    Key: ThisIsSpartaThisIsSparta

SMS-based spreading

The spreading operation performed by the service is through SMS. Currently the malware targets only JIO customer base. Before sending the SMS to any number in the infected device’s contact list, the malware confirms that the operator is JIO. Methods of identification are explained under the Contacts Operator Identification section.

SIM Identification

SIM identification is done to determine the SIM slot to be used later for sending the SMS.

To identify the SIM card following operations are performed:

1. If Android SDK version >= 22 and READ_PHONE_STATE permission is granted, then fetch Sim slot number and Carrier name else fetch the operator names corresponding to the SIM cards on the current device.
2. Checks if fetched information contains - JIO, AIRTEL, IDEA, VODAFONE or VI
3. If any of the above string is present then check and return the SIM slot number else return the value “default”

Figure 14: Fetching SIM information

Figure 15: Matching operator string

Contacts Operator Identification

As stated earlier, the targeted user base for the attacker is JIO users. The contact numbers in the user’s contact list are identified to be JIO users in two steps:

Note: Before identification, all the contacts are fetched, sanitized, processed as per specified format and then saved in a list.

Step-1: There is a hardcoded list of the first 4 digits of mobile numbers that are specific to JIO. All the retrieved contacts are checked using this list and a separate list of identified contacts is created.
 
Figure 16 below shows the code which uses the mobile number as an input and checks the first 4 digits.

Figure 16: Checks first 4 digits of the mobile number

Step-2: The numbers which are not identified in the first step are identified again by sending a network request to the URL “https://www.jio.com/api/jio-recharge-service/recharge/mobility/number/”, configured with all the required parameters. Identified contacts are again stored in a separate list.

Figure 17 below shows the network request sent with required parameters and checks performed on response data

Figure 17: Sending network request and checking response 

If the response code is success then it perform two checks:

1. If the response data contains “NOT_SUBSCRIBED_USER” then the mobile number doesn’t belong to a JIO user 
2. If the response data contains the mobile number being identified then it is a registered JIO user

Sending SMS

Identify SIM slot to send the SMS based on the value of the second parameter which is the value obtained from the SIM identification section.

Figure 18 below shows the code snippet responsible for sending SMS

Figure 18: Sending SMS

Zscaler cloud sandbox report

Figure 19 shows the Zscaler Cloud Sandbox successfully detecting this Android mobile-based threat.

Figure 19: Zscaler cloud sandbox report

 

Summary of TTPs

We can summarise the tactics, techniques and procedures (TTPs) as follows.

• They use tiny.cc URL shortening service to create shortened URLs which are sent in messages in the spreading stage.
• Web pages are hosted on weebly.com on an attacker-controlled account.
• The actual APK file is hosted on a GitHub account which is registered by the attacker. Names of these accounts are chosen to look relevant to India or themes popular in India.
• The AES / DES decryption keys in the code are re-used by the threat actor.
• Users of JIO mobile service provider in India are specifically targeted.

Conclusion

This threat actor stays up-to-date with the latest events in India and leverages them for social engineering.

Users must exercise caution before downloading and installing Android applications from untrusted and third party sources, even if these links are received from mutual contacts on their Android device. Also, as seen in this attack, the malicious download links are sent through user's existing contact list.

Apps such as TikTok must only be downloaded from official sources.

The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.
 

MITRE ATT&CK table

 

 

Indicators of Compromise

MD5 hashes

// Laptop Theme

f9e5fac6a4873f0d74ae37b246692a40
b9db0c60100099d860b9ef42e6b3903a
f1187f4d6135264e5002fcfdf43643e9

// PUBG Theme

ba4011653e604dd4dab34da5e71cbdb4
220f70660921b76e06da148bc2ace554

// Cricket Theme

68a4a08947524ce9da09017fc4309149
998b3d9f0e895d20be8668ac86958fd9
36dc28525e1e84a94d57b6050903ec4b

// Corona Theme

2cd7e237cbf99e483573c11a11db9223

// TikTok Theme

Note: This is the truncated MD5 list

5bf513f7fd5186eaa1be8fab370bd510
6a69e2810a361c4e58433cbf7d9d6a5a
73dc187df641640e541727b151a1112c
f6cb20a637717c13633940c5f3f1a06e
e3afb7ce2763b52f3a192f4278b12932
4cde87788d35305aa4973cca79b41e51
0d7e6b85961b0d517e68f9f6e33b557f
a07f658338aa7c0aa4f26dfe985d5ef6
595e51779d7dbd760f8a82f3b8041594
d14719a50b6e66e53100605529ece5d8
0b6643d94e40318c9aefbc0d5f1fc3b4
5157a53a086473b4c28f3c6d04ff6702
d871d8d9b934e83e2dc1391a905e2871
41aa8fbe680eab948123fe3a7d7d20ee
a6c3b1184b467a5ecc484940c7a5898e
622a8f4f9f892dc65454ff15343f56d9
b6180d14e8a3e3abb7161fd379e2b3e4
f960fb6a092b9c681e7699af9825ffd1
d0d8743c7c1edb42a3036f013bb73f4f
d6fb317d9914c72664d3a4f343e41a7f
2105a7d8bc46ff14a1a3be5de5d2fb2e

// JIO theme

a1a3d79b29884326a8d6df8eb3468758
b392d35e2eff810193398a8b1148d7c6
2867450cc6c0bc491fcd9ded1f5e928e
3476bed0f34113bd53f08f1b78d157e9
381b0e3e9635c0582a085c3f66aa73b1

Few unique package names

com.jijaei.pikapinjan
heartrate.tracker.cameras
com.jadhalno.goplotu
vaccine.india.cororegister

Few distribution URLs

hxxp://tiny[.]cc/Tiktok_pro
hxxps://bharatnewsin[.]weebly.com/
hxxps://tiny[.]cc/Register-Laptop
hxxps://govlapp[.]weebly.com/

Github usernames

samakaka123
Newindiannews
Breakingindianews
Hotstarvip
Tiktoksproaccount
Tiktokprousers
Indiantik
Tiktokproaccount
Tiktokprov2
Ind-bucket
Kikalalo753
Quotamangem
Tiktosjij
Tiktoind
D869
Tiktopro
Go-laps-register
Mytiktokv1
Tiktokprousers

References

https://www.zscaler.com/blogs/security-research/tiktok-spyware
https://twitter.com/LukasStefanko/status/1244899827810480130
https://twitter.com/malwrhunterteam/status/1303031255114690562