Malicious Android apps disguised as TikTok and offers for free Lenovo laptops are being used in ad-stuffing attacks underway against devices on the Jio telecom network in India, security researchers warn.
Researchers from Zscaler report this threat actor has been operating various phishing scams since March 2020, all using recent headlines as lures.
Their most recent socially engineered messages try to convince users to download their fake version of TikTok by saying the app, which is banned in India, is now available, the report found. Another scam misleads victims into thinking they’re eligible for a free Lenovo laptop courtesy of the Indian government.
The Jio User Attack
“The malware involved has features that are also commonly found in other families as well, e.g. it follows common methods of persistence, and propagation using victim’s contact information,” Deepen Desai, Zscaler CISO, told Threatpost. “The attack campaign is fairly targeted and leverages trusted resources like Weebly and GitHub for distributing the malicious content to the victims.”
Targeted but widespread: Jio telecom serves more than half of India’s internet subscribers, which according to a March 2020 report from the Indian Telecom Regulatory Authority topped 743 million people.
He added that the Zscaler team observed more than 200 malicious Android apps using “themes related to current affairs in India.”
Threat actors blast out an SMS or WhatsApp message to numbers on the Jio network carrying the phishing lure and a link to the fraudulent offer, the report showed. The link leads to a Weebly-hosted site controlled by the cybercriminals, it explained.
“In the original download request which we observed in Zscaler cloud, the user-agent string was: WhatsApp/188.8.131.52 which indicated to us that the link was clicked by the user in a WhatsApp message,” according to the analysis.
The report added further examples of the URLs involved:
Website: https://tiktokplus[.]weebly.com/
Shortened link: http://tiny[.]cc/Tiktok_pro
GitHub download link: https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h[dot]apk
Once the target is on the malicious site, the attacker attempts to get the user to download an Android package (APK) file.
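The delivery chain above leaves a recognizable trace in web proxy logs: a WhatsApp user-agent fetching an APK served raw from a GitHub repository, via a Weebly page or a tiny.cc short link. The following is an added example, not code from Zscaler or the report, that refangs the indicators quoted above and flags matching lines in a constructed, simplified proxy log format (client, method, URL, user-agent); the log lines and the format are assumptions for illustration.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Defanged indicators as quoted in the report; refanged below before matching.
DEFANGED_IOCS = [
    "https://tiktokplus[.]weebly.com/",
    "http://tiny[.]cc/Tiktok_pro",
    "https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h[dot]apk",
]

def refang(ioc: str) -> str:
    """Turn a defanged URL ([.] / [dot] / hxxp) back into a matchable one."""
    return re.sub(r"\[(?:\.|dot)\]", ".", ioc, flags=re.IGNORECASE).replace("hxxp", "http")

IOC_URLS = {refang(u).rstrip("/") for u in DEFANGED_IOCS}
# Shared hosting such as github.com is matched by full URL only, never by host,
# so legitimate raw downloads from other repositories are not flagged.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS} - {"github.com"}

def classify(line: str) -> list[str]:
    """Return the reasons a log line is suspicious (empty list means clean).
    Constructed line format: '<client> <method> <url> <user-agent>'."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return []
    _client, _method, url, ua = parts
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    reasons = []
    if url.rstrip("/") in IOC_URLS or host in IOC_HOSTS:
        reasons.append("known-ioc")
    # Campaign pattern: an APK fetched by a link tapped inside WhatsApp
    if ua.startswith("WhatsApp/") and path.endswith(".apk"):
        reasons.append("apk-from-whatsapp")
    # Campaign pattern: an APK served straight out of a GitHub repo's raw path
    if host == "github.com" and "/raw/" in path and path.endswith(".apk"):
        reasons.append("github-raw-apk")
    return reasons

def scan(log: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    hits = {}
    for line in log.splitlines():
        reasons = classify(line)
        if reasons:
            hits[line] = reasons
    return hits

# Constructed sample log (not real traffic); the user-agent string is the one quoted in the report.
SAMPLE_LOG = """\
10.0.0.5 GET https://tiktokplus.weebly.com/ WhatsApp/188.8.131.52
10.0.0.5 GET https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h.apk WhatsApp/188.8.131.52
10.0.0.9 GET https://example.com/index.html Mozilla/5.0
10.0.0.7 GET http://tiny.cc/Tiktok_pro WhatsApp/188.8.131.52
10.0.0.8 GET https://github.com/someorg/tool/raw/main/README.md Mozilla/5.0
"""
```

The two generic patterns catch repackaged variants of the same lure that rotate the Weebly site or short link while keeping the WhatsApp-to-GitHub-APK delivery path.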
In the case of the Lenovo-themed attack, the APK calls datalaile.class, which first checks whether it has the permissions it needs; if not, it displays the message “Need Permission to start app!!”, the report said. Once permissions are granted, a form asking for a username and password is displayed.
The next step in the chain is for the attackers to try and spread the malware as far and wide as possible. In the TikTok attack example, the malware prompts the victim to share the malicious link on WhatsApp 10 times.
“There is no check to identify if WhatsApp is installed or not,” the researchers said. “In case WhatsApp is not installed, a Toast message is shown reading ‘WhatsApp not installed,’ but the counter still decrements.”
Once the message has been shared with 10 others, a congratulations message is delivered. Clicking it calls clickendra.class, which displays ads and ends with a final message that “TikTok will start in 1 hour.”
The Ad-Stuffer Malware
“These apps are used by the threat actor to generate revenue by displaying interstitial advertisements to the user,” the report said. “There are two software development kits (SDKs) used for this purpose. If it fails to retrieve advertisements using one SDK, then it uses the next SDK as a fail-over mechanism.”
They added that the two SDKs observed in the app were AppLovin and StartApp.
“Before displaying the ads, a fake view is created for the user which contains a fake text message and a fake progress bar on top of all the elements,” the report added. “After setting the fake view, a request to fetch the ads is sent. If the ad is received successfully, then it is displayed and the fake progress bar is hidden, else a request to load the next ad is sent.”
If the ads fail to load, the Zscaler team observed, the ad-stuffer malware calls lastactivity.class to display a message to the victim, asking them to “Click on ad and install app to continue.”
“It changes the content view, initializes the StartApp SDK again and creates a fake progress bar as earlier,” the report said. “If the ad is received, then it is displayed to the user.”
The Malware Spreader
The code used to propagate the malware is felavo.class, which the researchers said performs two key functions: initialization, and spreading the malicious link through SMS texts that are sent only to other Jio customers.
“The decoy message used to spread the application is stored in encrypted form,” the report explained. “In the initialization phase, the service configures the cryptographic context, which is later used to decrypt the decoy message.”
The malware looks through the victim’s contact list to find other Jio-associated numbers by fetching a list of contacts, organizing them and creating a clean list, the team found.
Zscaler said it will continue to monitor the threat actors, but Desai added that users need to be aware these threats are out there and take precautions to protect themselves.
“Always rely on trusted app store like Google Play when downloading any applications,” he advised. “Do not download apps from unsolicited messages even if they arrive from your trusted contacts.”