Android SMS Worm Impersonating COVID-19 Vaccine Registration App Spreads via Text Messages

May 3, 2021
Android users are being targeted by malicious software that tricks them into downloading a fake COVID-19 Vaccination Registration app that collects sensitive information from the user’s device. The malware uses the contacts fetched from the device to spread to other devices via text messages.

This variant of malware is known as an “SMS Worm”. An SMS worm is a malware variant that sends SMS messages containing a link to a website. Once the unsuspecting user clicks the link, the worm’s executable code is downloaded onto the victim’s mobile phone, infecting the device. In addition, it automatically sends a copy of itself to every contact listed in the mobile phone’s Contacts list.

Here is a list of the activities performed by this malware on the user’s device: 

  • Enabling unauthorized access or restricting access to private accounts and services 
  • Using the device for unauthorized activities 
  • Exposing personal data from the user’s mobile device and accounts 
  • Unauthorized deletion of data from the mobile device or services 
     

Some of the common ways in which this malware is distributed are listed below: 

  1. Direct distribution: Sending SMS attack messages containing the mobile malware directly to the user.
  2. Secondary distribution: Spreading additional malware to more users via SMSes sent from victims’ compromised (“seized”) mobile devices.

 
In a recent tweet, a researcher shared information about an Android app that impersonates a COVID-19 Vaccination Registration app and spreads through text messages. Our investigation indicated that this malware campaign is currently targeting India as the country struggles with the ongoing onslaught of the pandemic. It spreads itself to the victim’s contacts via SMSes containing a link to download the malware. In our search for the source of the app, we found a thread on Twitter pointing to many abandoned repositories that contain similar apps under different names and with different functionality, all replicating the same permissions and entry points. These apps seem to have been developed by the same developer.

Furthermore, on downloading the APK file from the repository and scanning it through VirusTotal, we were able to identify it as malware (a fake app) based on antivirus signatures such as “Malware.ANDROID/FakeApp.SRDD.Gen”, as shown in Fig. 1.


Figure 1 VirusTotal Detections of the App 

Technical Analysis:

Digest used for our analysis: 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4

 Package Name: com.halorozd.meditation 

Main Activity: com.halorozd.meditation.MainActivity 

Static analysis of the app revealed the permissions requested by the malware; these are shown in Fig. 2.


Figure 2 Permissions requested by the app 

Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below: 

Permissions: 

  • android.permission.ACCESS_FINE_LOCATION  
  • android.permission.SEND_SMS  
  • android.permission.READ_PHONE_STATE  
  • android.permission.ACCESS_COARSE_LOCATION  
  • android.permission.INTERNET  
  • android.permission.READ_CONTACTS 

Services: 

  • com.halorozd.meditation.blasting  
  • com.startapp.sdk.adsbase.InfoEventService  
  • com.startapp.sdk.adsbase.PeriodicJobService 

Receivers: 

  • com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener 

Intent Filters by Action: 

  • android.intent.action.MAIN 
  • android.intent.action.BOOT_COMPLETED 
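
As an added example (not Cyble’s tooling or the app’s own code), the following Python script turns the permission and component pattern above into a triage rule: it parses a constructed AndroidManifest.xml that reuses the package, permission and component names listed here and flags the combinations that give an app SMS-worm capabilities (SEND_SMS together with READ_CONTACTS, a BOOT_COMPLETED receiver for persistence, and the location and telephony-state permissions behind the discovery activities).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest; package, permission and component names are the ones
# listed in the analysis above, arranged as a manifest would declare them.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.halorozd.meditation">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.halorozd.meditation.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name="com.halorozd.meditation.blasting"/>
    <receiver android:name="com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _names(root, tag):
    """Collect the android:name values of every element with the given tag."""
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter(tag)}

def triage(manifest_xml):
    """Return (package name, list of findings) for one manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = _names(root, "uses-permission")
    actions = _names(root, "action")
    findings = []
    # Address book plus SMS sending is the propagation capability of an SMS worm.
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        findings.append("SMS propagation: SEND_SMS + READ_CONTACTS")
    elif "android.permission.SEND_SMS" in perms:
        findings.append("SMS sending: SEND_SMS (billing fraud risk)")
    # A BOOT_COMPLETED receiver relaunches the app after every reboot.
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings.append("persistence: BOOT_COMPLETED receiver")
    # Location and telephony state feed the discovery/collection techniques listed.
    location = {"android.permission.ACCESS_FINE_LOCATION",
                "android.permission.ACCESS_COARSE_LOCATION"}
    if perms & location:
        findings.append("location tracking permission")
    if "android.permission.READ_PHONE_STATE" in perms:
        findings.append("telephony state (SIM, operator) access")
    return root.get("package"), findings
```

Running `triage(SAMPLE_MANIFEST)` on the constructed manifest returns the package name with four findings; a manifest that requests only INTERNET returns none.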

Using the above permissions granted by users, the malware performs the following activities on the user’s device:

  1. Checks whether the Android Debug Bridge (ADB), a command-line tool used to communicate with a device, is enabled and running

Figure 3 Checks the status of the ADB

  2. Checks whether the analysis is being performed on a physical device or an emulator

Figure 4 Build Model of the device

  3. Checks for devices connected to the victim’s device through Bluetooth

Figure 5 Scans for the Bluetooth Devices

  4. Sends text messages to other devices using SMS Manager

Figure 6 Sends SMS through SMS Manager

  5. Checks whether the app is currently being debugged

Figure 7 Code to check whether the app is being debugged

  6. Checks the state of the SIM card in the victim’s device

Figure 8 State of the SIM from User’s Device

  7. Fetches the network operator name

Figure 9 Query on the Network Operator Name

  8. Gets phone contact information from the victim’s device

Figure 10 Queries Phone Contact Information

New variants of SMS worms for Android do not appear very often, and this particular variant is an interesting piece of malware and part of a unique attack. Besides tricking unsuspecting users into installing a worm and other software that they may not want, the worm can also use up their billing plan by automatically sending messages without their knowledge.

Safety Recommendations: 

  1. Keep your antivirus software updated to detect and prevent malware infections.
  2. Keep your system and applications updated.
  3. Use strong passwords and enable two-factor authentication during logins.
  4. Verify the privileges and permissions requested by the app before granting access.
  5. People concerned about the exposure of their stolen credentials on the dark web can register at AmIBreached.com to ascertain their exposure.

MITRE ATT&CK® Techniques for Mobile

Tactic               Technique ID   Technique Name
Defense Evasion      T1406          Obfuscated Files or Information
Defense Evasion      T1523          Evade Analysis Environment
Discovery            T1421          System Network Connections Discovery
Discovery            T1422          System Network Configuration Discovery
Discovery            T1430          Location Tracking
Discovery            T1426          System Information Discovery
Discovery            T1424          Process Discovery
Collection           T1432          Access Contact List
Collection           T1430          Location Tracking
Collection           T1507          Network Information Discovery
Command and Control  T1573          Encrypted Channel
Command and Control  T1219          Remote Access Software
Network Effects      T1449          Exploit SS7 to Redirect Phone Calls/SMS
Impact               T1447          Delete Device Data
Impact               T1448          Carrier Billing Fraud

Indicators of Compromise (IoCs): 

IOC                                                                        IOC Type
5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4           SHA256
hxxps://awsdus.api[.]p3insight[.]de/isupload/upload_check_lumen[.]php      Interesting URL
hxxps://geoip.api.p3insight[.]de/geoip/                                    Interesting URL
hxxp://tiny[.]cc/COVID-VACCINE                                             Interesting URL
202.83.21[.]14                                                             IP address
216.58.212[.]170                                                           IP address

About Cyble:  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.   
