/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow Us/pcq/media/media_files/TYOI9h1IfYzNA4bUw4gK.png)
CloudSEK has uncovered a sophisticated Android malware campaign targeting Indian users through fake traffic e-challan messages on WhatsApp. The campaign involves scammers sending deceptive messages that impersonate the Parivahan Sewa or Karnataka Police, coercing victims into installing a malicious app designed to steal personal information and facilitate financial fraud.
Modus Operandi
CloudSEK researchers identified that attackers distribute the malware through WhatsApp messages disguised as traffic violation notices. Clicking the link in these messages initiates the download of a malicious APK, which masquerades as a legitimate application. Once installed, the malware requests extensive permissions, including access to contacts, phone calls, and SMS messages, and even seeks to become the default messaging app.
The malware, part of the Wromba family, compromises the device by intercepting OTPs and other sensitive messages, enabling attackers to log into victims' e-commerce accounts, purchase gift cards, and redeem them. The use of proxy IPs helps the attackers avoid detection and maintain a low transaction profile to evade fraud detection mechanisms.
Key Findings
1. Malware Distribution: The malicious .apk file is distributed through WhatsApp, posing as Karnataka police issuing fake challan messages.
The malware requests extensive permissions during installation, including access to contacts, SMS messages, and device information.
2. Data Theft and Analysis: Once installed, the malware steals data and forwards it to a Telegram bot controlled by the attackers.
3. Impact: To date, 4,451 devices have been infected.
Attackers have accessed 271 unique gift cards, conducting transactions worth Rs. 16,31,000.
Gujarat has been identified as the most affected region, followed by Karnataka.
Technical Details
Persistence: The malware hides itself in the device's settings, making it difficult to detect.
Encryption: The code is heavily obfuscated using AES encryption to evade analysis.
Data Exfiltration: Stolen data is forwarded to Telegram, with additional configuration settings managed through Firebase buckets.
Operational Insights
CloudSEK researchers traced the attackers to Bắc Giang Province in Vietnam based on conversations and IP addresses. "Vietnamese threat actors are targeting Indian users by sharing malicious mobile apps on the pretext of issuing vehicle challan on WhatsApp. Once installed, the app extracts all the contacts to scam more users. The app also forwards all the SMSes to the threat actors, thus allowing them to login to various e-commerce and financial apps of the victim. From where they siphon off the money in the form of gift cards,” said Vikas Kundu, Threat Researcher at CloudSEK.
Mitigation Recommendations
Antivirus and Anti-Malware: Use reputable software to detect and remove malicious apps.
App Permissions: Limit app permissions and regularly review them.
Trusted Sources: Only install apps from trusted sources like Google Play Store.
Updates: Keep the device's operating system and apps up to date.
SMS Monitoring: Use tools to monitor and alert on suspicious SMS activity.
Account Alerts: Enable alerts for banking and sensitive services.
Education: Raise awareness about the risks of unverified apps and phishing attempts.
CloudSEK urges users to stay vigilant and adopt security best practices to protect against such malware threats. By maintaining updated systems and being cautious about app permissions, users can reduce their risk of infection.