Initial vector:
A WhatsApp spam account posing as Union Bank (with the bank logo as its profile picture) shared an APK file named “Union Bank Aadhaar Update.apk”, claiming it was needed to update Aadhaar details.
APK analysis:
File hash: 18dfaf2f9927645699ceb80a51b45980c4dcf2f7
APK files are Android package files. The binary format is a ZIP archive that contains the following files when unzipped.
Some of the key files:
AndroidManifest.xml - holds the application's name, version, access rights (permissions) and referenced library files. It is stored as Android binary XML, which can be converted to readable XML.
classes.dex - the application source compiled into the DEX file format, which is executed by the Android runtime.
To read more about this: apk (file format) - Wikipedia
We will use jadx: GitHub - skylot/jadx: Dex to Java decompiler
AndroidManifest.xml
Based on the requested permissions, the application can do the following:
- READ_SMS – it can read SMS stored on the user's phone or SIM card
- RECEIVE_SMS – when the application is in the foreground it can listen for incoming SMS and read them (legitimately used by apps for OTP validation)
- SEND_SMS – ability to send SMS when running in the foreground
- FOREGROUND_SERVICE_DATA_SYNC – ability to sync client data to a remote server
This gives an overview of what capabilities the application has when running on the user's phone.
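As an added example (not part of the original write-up), the following Python script automates the first-pass triage described above: it opens the APK as a ZIP, confirms AndroidManifest.xml and a classes.dex are present, records the SHA-1, and flags the SMS-related permissions by scanning the binary manifest's string pool. The sample APK it builds is constructed for the demo; its manifest is a stub that only mimics the UTF-16LE string pool, not a real compiled manifest.

```python
"""Triage an APK the way the write-up does: confirm it is a ZIP with the key
entries, hash it, and flag risky SMS permissions declared in the manifest.
Added example, not from the original write-up; the APK built below is a
constructed stand-in whose manifest only mimics the UTF-16LE string pool of
Android binary XML."""
import hashlib
import io
import zipfile

# Permissions the write-up flags as dangerous for a banking-themed app.
RISKY_PERMISSIONS = (
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.FOREGROUND_SERVICE_DATA_SYNC",
)

def declared_risky_permissions(manifest_bytes: bytes) -> set:
    """Heuristic: binary AXML stores permission names in its string pool,
    normally UTF-16LE (UTF-8 if the pool flag is set). Scanning for both
    encodings avoids a full AXML parser and is enough for first-pass triage."""
    return {p for p in RISKY_PERMISSIONS
            if p.encode("utf-16-le") in manifest_bytes or p.encode() in manifest_bytes}

def triage_apk(apk_bytes: bytes) -> dict:
    """Return file hash, presence of the key entries and risky permissions."""
    report = {"sha1": hashlib.sha1(apk_bytes).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        report["has_manifest"] = "AndroidManifest.xml" in names
        report["has_dex"] = any(n.endswith(".dex") for n in names)
        manifest = zf.read("AndroidManifest.xml") if report["has_manifest"] else b""
    report["risky_permissions"] = sorted(declared_risky_permissions(manifest))
    report["sms_capable"] = any("SMS" in p for p in report["risky_permissions"])
    return report

def build_sample_apk() -> bytes:
    """Constructed sample: ZIP with a stub manifest and a placeholder dex."""
    perms = ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS", "android.permission.INTERNET"]
    pool = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run it against a real sample by replacing build_sample_apk() with the file's bytes; a hit on any SMS permission in a "bank update" app is the signal to pull the manifest into jadx for the full review.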
Application-specific code can be found under the “com” folder.
Now we find the server this app connects to.
This is where it has been hosted for the last 7 days, as of when we identified it. Hosted by Wild West Domains, a subsidiary of GoDaddy.
Then we look at the API calls made to this domain.
The following HTTP methods (GET/POST) are invoked against specific paths on the server.
Usually, the GET method is used to retrieve information from the server and POST to send data to the server. So we will investigate the POST requests to see what data is sent to the server.
first.php (PHP is a server-side scripting language) collects the following information:
Account number, date of birth and mobile number
second.php collects the following information:
ATM PIN, card verification value (CVV), card number, expiration date and mobile number
insert_message.php - collects the following information:
This reads SMS messages – message text, sender number, sender name, time and type (in this case “receive”). Based on the data leaked on the server, these messages are all banking/UPI related.
third.php - collects the following information:
It collects the phone number and client details (unknown) being posted.
The backend server was left open with all the stolen data:
get_all.php - lists all users' bank financial data
get_message.php - lists all users' financial SMS details
This has been reported to CERT-In, the hosting company and Union Bank of India. The site has now been taken down.