SonicWall Capture Labs Threat Research Team Spots Fake Aarogya Setu App Carrying Spyware Components
By MYBRANDBOOK
As the world battles the Covid-19 pandemic, a number of Covid-19 tracking apps have been developed over the last few months, with various countries taking the initiative to build their own. India introduced Aarogya Setu, its official Covid-19 tracking mobile application. The app gained immense popularity in India, crossing five million downloads within the first three days of its launch, and consequently became a target for malware creators.
The SonicWall Capture Labs Threat Research Team found fake Aarogya Setu apps carrying spyware components. The team found that this scam operates in several ways:
There are a number of fake apps with the package name cmf0.c3b5bm90zq.patch. The same code is used for the majority of these apps; the malware author rolls them out by re-branding the icon and application name. In this case the app presents itself as the legitimate Aarogya Setu app, but the branding is an imperfect copy: the icon appears stretched and can be identified when placed alongside the legitimate app's icon.
Upon execution, nothing is shown on the screen. However, after some time the app icon disappears from the app drawer. The app contains a reference to a domain, johnnj2-37916.portmap.io, in its patch_preferences.xml file. During analysis the malware did not try to communicate with this domain; however, the domain is connected to other malicious apps.
Similar to case 1, a number of fake apps have been found with the package name yps.eton.application. In this case the app presents itself as an Aarogya Setu Add-on app, which is not an official app. When the user installs and runs the app, it requests Device Admin privileges and permission to install packages from this source. To look less suspicious to the user, it also installs the official, legitimate Aarogya Setu app from its resources folder.
In this case the malware author has successfully duplicated the official Aarogya Setu icon, so identifying the malicious app by its icon alone is difficult.
No network activity was observed during our analysis session, but an IP address and port, 204.48.26.131:29491, was recorded in an XML file belonging to the app. This address is related to another malicious Android app.
In all three cases, the common element was spyware capability. All of these apps contain code resembling the Android spyware SpyNote, which can make phone calls, record audio, send SMS, take pictures and record video with the camera, and restart itself every time the device reboots.
The SonicWall Capture Labs Threat Research Team observed that some of these malicious apps piggyback on the legitimate Aarogya Setu app, which they carry in their resources folder. The malicious app installs the legitimate app in the background, a technique used to fool the user into believing that they installed the legitimate app, while the malicious app carries out its criminal functions in the background.
If the user uninstalls Aarogya Setu by long-pressing the icon and choosing uninstall, only the legitimate app is removed; the malicious app remains on the device. The only way to remove the malicious app is from Settings > Apps > Uninstall. This trick has the potential to fool users who are not vigilant.
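As an added triage example (not SonicWall's code and not part of the original article), the following Python helper checks an APK for the three traits described above: a package name reported here as fake, a second APK piggybacked under assets/ or res/raw/, and host or IP:port strings in its XML resources. The sample APK is constructed in memory; the legitimate app's package name is a placeholder.

```python
import io
import re
import zipfile

# Package names this article reports for the fake Aarogya Setu apps.
KNOWN_BAD_PACKAGES = {"cmf0.c3b5bm90zq.patch", "yps.eton.application"}

# Dotted IPv4 addresses or hostnames with an alphabetic TLD, optionally with :port.
HOST_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::\d{2,5})?\b",
    re.I,
)


def triage_apk(apk_bytes, package_name):
    """Return triage findings for an APK (as bytes) plus its declared package name."""
    findings = {"known_bad_package": package_name in KNOWN_BAD_PACKAGES,
                "embedded_apks": [], "indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            in_resources = name.startswith("assets/") or name.startswith("res/")
            # Piggybacked APK: a zip (PK header) shipped as an asset or raw resource.
            if data[:2] == b"PK" and in_resources:
                findings["embedded_apks"].append(name)
            if in_resources and name.endswith(".xml"):
                # Compiled Android XML (magic 0x00080003) keeps strings in UTF-16LE;
                # plaintext XML (e.g. apktool output) is UTF-8. Heuristic only.
                if data[:4] == b"\x03\x00\x08\x00":
                    text = data.decode("utf-16-le", "ignore")
                else:
                    text = data.decode("utf-8", "ignore")
                for host in HOST_RE.findall(text):
                    findings["indicators"].append((name, host))
    return findings


def build_sample_apk():
    """Constructed sample shaped like the add-on app described in this article."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # placeholder for the bundled legitimate app
        z.writestr("AndroidManifest.xml", "<manifest package='legit.app.placeholder'/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='yps.eton.application'/>")
        z.writestr("assets/aarogya.apk", inner.getvalue())
        z.writestr("res/xml/patch_preferences.xml",
                   '<map><string name="host">204.48.26.131:29491</string></map>')
    return outer.getvalue()
```

Run `triage_apk(open("sample.apk", "rb").read(), "<package>")` against a real file; any non-empty `embedded_apks` list is worth a closer look regardless of the package name.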
Debasish Mukherjee, VP, Regional Sales - APAC at SonicWall, says, “As the Aarogya Setu App gained popularity in India, it became a target for malware creators. The outbreak of Covid-19 has created new avenues for cyberattackers to explore, innovate and strike in every malicious way. With increasing cyberthreats it appears that cybercriminals are working overtime to create dissonance among mass app users. We advise Android users to exercise maximum caution while downloading and using the Aarogya Setu App.”