CloudSEK has exposed a highly technical Android malware campaign targeting Indian users through fake traffic e-challan messages on WhatsApp.
Scammers scare their targets by sending fake e-challan messages impersonating the Parivahan Sewa or Karnataka Police to trick victims into installing a malicious app that steals personal information and facilitates financial fraud. The malware, identified as part of the Wromba family, has infected over 4,400 devices and led to fraudulent transactions exceeding Rs. 16 lakhs by just one scam operator. Many other scammers use similar malware to cheat users.
Modus Operandi
CloudSEK researchers found that attackers distributed the malware through WhatsApp messages claiming to be challan (traffic violation fine) notices. Clicking the link within the message led to the download of a malicious APK disguised as a legitimate application.
Once installed, the malware requested excessive permissions, including access to contacts, phone calls, SMS messages, and the ability to become the default messaging app.
Once the malware has compromised a device, it intercepts OTPs and other sensitive messages, enabling attackers to log in to victims’ e-commerce accounts, purchase gift cards, and redeem them without leaving a trace. The attackers use proxy IPs to avoid detection and keep a low transaction profile to evade fraud detection mechanisms.
Key Findings
Threat actors are distributing a malicious .apk file through WhatsApp, masquerading as Karnataka police issuing fake challan messages. The malware, upon installation, requests extensive permissions, including access to contacts, SMS messages, and device information. Once installed, it steals data and forwards it to a Telegram bot controlled by the attackers. To date, 4,451 devices have been infected, and the attackers have accessed 271 unique gift cards, conducting transactions worth Rs 16,31,000. Gujarat has been identified as the most affected region, followed by Karnataka.
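The permission set described above (contacts plus SMS access, together with the hooks an app needs to become the default messaging app) is something an analyst can check statically. The following is an added triage example, not CloudSEK's code or the malware itself: it parses a decoded AndroidManifest.xml and flags that combination. The manifest it runs on is a constructed sample, not the real Wromba APK.

```python
# Added example (not CloudSEK's code): static triage of a decoded AndroidManifest.xml
# for the pattern this report describes: contacts + SMS access plus the receiver an app
# must declare to be set as the default messaging app.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Permissions the report says the app requests (contacts, phone, SMS).
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}
# Intent actions that only a default SMS app handles (Android 4.4+ requirement).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report the risky permissions and default-SMS-app hooks a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    # Heuristic: reads contacts, receives/reads SMS, and registers for SMS_DELIVER
    # (i.e. wants to own incoming SMS, where OTPs arrive) -> matches the report.
    stealer = (
        "android.permission.READ_CONTACTS" in perms
        and bool(perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})
        and "android.provider.Telephony.SMS_DELIVER" in actions
    )
    return {
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "default_sms_actions": sorted(actions & DEFAULT_SMS_ACTIONS),
        "sms_stealer_pattern": stealer,
    }

# Constructed sample manifest (not the real Wromba sample) exhibiting the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Decode the manifest first (for example with apktool) since the one inside an APK is binary XML; a legitimate messaging app will also trip the default-SMS check, so treat the result as a triage signal, not a verdict.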
Technical Details
The malware hides itself in the device’s settings, making it difficult to detect. It employs heavy obfuscation using AES encryption to evade analysis. The stolen data is forwarded to Telegram, with additional configuration settings stored in Firebase buckets.
Modus Operandi
Attackers gain access to victims’ phone numbers and SMS messages, allowing them to log into e-commerce and payment apps using intercepted OTPs. Gift cards are purchased and redeemed to avoid direct fund transfers. Researchers have identified the attackers as Vietnamese, based on conversations and IP addresses traced to Bắc Giang Province in Vietnam.
“Vietnamese threat actors are targeting Indian users by sharing malicious mobile apps on the pretext of issuing vehicle challan on WhatsApp. Once installed, the app extracts all the contacts to scam more users. The app also forwards all the SMSes to the threat actors, thus allowing them to log in to various e-commerce and financial apps of the victim, from where they siphon off the money in the form of gift cards,” said Vikas Kundu, Threat Researcher, CloudSEK.
Mitigation Recommendations:
- Antivirus and Anti-Malware: Use reputable software to detect and remove malicious apps.
- App Permissions: Limit app permissions and regularly review them.
- Trusted Sources: Only install apps from trusted sources such as the Google Play Store.
- Updates: Keep the device’s operating system and apps up to date.
- SMS Monitoring: Use tools to monitor and alert on suspicious SMS activity.
- Account Alerts: Enable alerts for banking and sensitive services.
- Education: Raise awareness about the risks of unverified apps and phishing attempts.
CloudSEK urges users to stay vigilant and adopt security best practices to protect against such malware threats. By maintaining updated systems and being cautious about app permissions, users can reduce their risk of infection.