Scam Alert: Fake COVID vaccination texts sent by hackers to access users' personal info

Updated: Jun 4

Disclaimer: This blog post is strictly meant for educational purposes, to create awareness about such scam texts being circulated online so that people can defend themselves against this kind of social engineering attack. This blog post does not target any individual or group.


On 31st May 2021, I received an SMS from an unknown number. The message read:


"REGISTER FOR VACCINE NOW from age 18+
Register for vaccine using the CoWinHelp app.
Download from below.

Link: http://tiny.cc/CO_REGI"


Fake Vaccination SMS sent by Hacker

Reading the message, I realized it was a fake asking me to install a malicious app that would give the sender access to my personal information. Being a tech-savvy person, I was curious to find out how the app worked and where the shortened link redirected, and endless other questions came up in my mind, but I was not foolish enough to open the shortened link directly. The link in the SMS is a shortened URL, and if the victim (me) opens it directly, the hacker gets my IP address, details of the device I am using (specifications, operating system: Android/iOS) and even my location.

So, instead of opening the shortened link in my browser, I expanded the shortened URL to its original destination using a random online browser testing service. With the original URL in hand, I pasted it into my real browser and visited the website. This time I did not have to worry about my IP address or other information being exposed to the hacker, because the website was hosted on GitHub Pages (one can tell from the URL itself), and I was visiting it via the original URL rather than the shortened one, which would have logged my information for the hacker.

It was a simple HTML website that looked like this. The CoWIN logo was copy-pasted from the official CoWIN website, and there is only one link on the page, which lets the user download the malicious app.


Fake COWin Website created by the Hacker

To find out where the app was hosted, I right-clicked the hyperlinked text, chose 'Inspect element', and found that the app was hosted in a GitHub repository.

I opened the GitHub repository; the GitHub account had been created only recently (May 27, 2021).


Recently created GitHub account of the Hacker

The account had only 1 repository, with 6 commits (changes made to the repository).

I quickly downloaded the app on my Kali Linux virtual machine and uploaded it to VirusTotal to scan it for malware, trojans etc.

This is what I found: 2 security vendors flagged the file (the app) as malicious, a Trojan, a variant of Android/Oji.G.


Trojan in Fake COVID-19 Vaccination App

I decompiled the app using an online Java decompiler to read its source code.

The app requests the following permissions when installed on an Android device:


Fake COVID-19 Vaccination App Permissions

Vibrate
Access Network State
Internet
Read Phone State
Access Coarse Location
Foreground Service
Access Fine Location
Read Contacts
Write Contacts
Send SMS
Read Phone Numbers
Access WiFi State & much more...
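The permission list above is the quickest triage signal: a vaccine-registration app has no reason to read contacts and send SMS. The script below is an added example (not code from the blog post) that scans a decoded AndroidManifest.xml for such combinations; it assumes the APK has already been decoded to plain XML (e.g. with apktool), and the sample manifest and package name are constructed to mirror the permissions listed here.

```python
# Added triage example (not code from the blog post): scan a decoded AndroidManifest.xml
# for permission combinations that a vaccine-registration app has no business requesting.
# Assumes the APK has already been decoded to plain-text XML (e.g. with apktool or jadx).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest mirroring the permissions listed in the post; the
# package name is a placeholder, not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecowin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

# Each rule fires only when every permission in its set is present.
SUSPICIOUS_COMBOS = {
    "SMS worm: can read contacts and text them (how this app spreads)":
        {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"},
    "Location tracking with a network channel to send it out":
        {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
    "Device/SIM fingerprinting":
        {"android.permission.READ_PHONE_STATE"},
}


def manifest_permissions(xml_text: str) -> set[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"  # ElementTree's Clark notation for android:name
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(xml_text: str) -> list[str]:
    """Return the labels of all suspicious combinations fully present in the manifest."""
    perms = manifest_permissions(xml_text)
    return [label for label, needed in SUSPICIOUS_COMBOS.items() if needed <= perms]


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Run it against the manifest apktool produces for a suspect APK; any "SMS worm" flag on an app that claims to be a registration form is enough to stop and report it rather than install it.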


APK details (as reported by VirusTotal):

MD5 b200472e4fa760875dc2b8eaba89ad08

SHA-1 9488951fec2ddcc3df1cf9a564992bda1646d594

SHA-256 87fc5b1a171a535ab65fa53ba2dd422e2fcc4b8ac18dee291b44609c2c13d7d0

Vhash d3023b3d3bf944c004ae286f082c6eee

SSDEEP 98304:Y9eKHfr8SplpVaDM4fsS1J/gbInZGGHue27QUSe3vbClH/:YYalpnkZDZtJ5K3v2p/

TLSH T1D106E043F759A93FC473803386761636256ACD568A43C747796C721C2ABBAD80F4AFC8

File type Android

Magic Zip archive data

TrID Sweet Home 3D design (generic) (67.7%)

TrID ZIP compressed archive (25.8%)

TrID PrintFox/Pagefox bitmap (640x800) (6.4%)

File size 3.65 MB (3828487 bytes)


I looked up the unknown phone number's OSINT (open source intelligence) data using a tool named PhoneInfoga, but the tool's results suggested the number was not valid.


Invalid number

The next day, 1st June 2021, I visited the GitHub repository again at 20:41 IST and found that the hacker had uploaded a new app to the repository and had also updated the link on the GitHub-hosted fake CoWIN website.

Here are the repository and the app link:

https://apicwin-web.github.io/apiv1/


https://github.com/apicwin-web/apiv1/raw/main/Register-COWI.apk


GitHub repository of the fake COVID-19 vaccination app

On 2nd June 2021, the hacker deleted the website, the GitHub repository and the account, but here's the twist: the phone number used to send me the message had become active, as PhoneInfoga's search results now showed.


PhoneInfoga results of the unknown number


Deleted GitHub Repository of the hacker

Now, I don't know whether this is the real hacker's number or whether he is using someone else's. Let me explain: this malicious app uses the above-mentioned permissions to send fake vaccination messages to the contacts saved on the infected smartphone, so the number that texted me may itself belong to an earlier victim. I also checked the number on WhatsApp, and it is active with a visible profile picture. According to some blog posts, the app sends malicious SMS only to Jio numbers.

Beware of this kind of fake COVID-19 vaccination message, and please share this blog post for awareness. Thanks for reading, have a nice day!
