Updated: Jun 4
Disclaimer- This blog post is strictly meant for educational purposes, to create awareness among people about such scams texts being circulated online so that they can defend themselves against such social engineering attacks. This blog post does not target any individual or group(s).
On 31st May 2021, I received an SMS from an unknown number. The message reads:
"REGISTER FOR VACCINE NOW from age 18+
Register for vaccine using the CoWinHelp app.
Download from below."
By reading the message, I realized it was a fake message asking me to install a malicious app to gain access to my personal information. Being a tech-savvy person, I was curious to figure out how the app works and where the shortened link redirected; endless questions came up in my mind. But I was not foolish enough to open the shortened link directly: the website link mentioned in the SMS is a shortened link, and if the victim (me) opens it directly, the hacker gets my IP address, information about the device I'm using (specifications, operating system: Android/iOS) and even my location.
So, instead of opening the shortened link directly in my browser, I reverted the shortened URL to the original URL using a random online browser testing service. After getting the original URL, I copy-pasted it into my real browser and visited the website. This time I didn't have to worry about my IP address or other information being exposed to the hacker, because the website was hosted on GitHub Pages (one can tell from the URL itself) and I was visiting it using the original URL, not the shortened one that would store my information for the hacker.
It was a simple HTML website that looks like this. The CoWin logo is copy-pasted from the official CoWin website, and there's only one link on the website, which lets the user download the malicious app.
To find out where the app was hosted, I right-clicked the hyperlinked text, clicked 'Inspect element', and found that the app was hosted in a GitHub repository.
I opened the GitHub repository; the GitHub account had been created recently (May 27, 2021).
The account had only 1 repository with 6 commits (changes made in a repository).
I quickly downloaded the app on my Kali Linux virtual machine and uploaded it to the VirusTotal website to scan it for malware, trojans, etc.
This is what I found: 2 security vendors have flagged this file (the app) as malicious; it's a Trojan, a variant of Android/Oji.G.
I decompiled the app using an online Java decompiler to read its source code.
The app uses certain permissions when installed on your Android device:
Access Network State
Read Phone State
Access Coarse Location
Access Fine Location
Read Phone Numbers
Access WiFi state & much more...
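Checking which permissions an APK requests without a full decompile, as an added example that is not part of the original post: an APK is a zip archive, so the binary AndroidManifest.xml can be read straight out of it and its string pool scanned for permission names. The sample APK the script builds is a constructed stand-in, not the app from the SMS, and the SENSITIVE set is the manifest spelling of the permissions listed above.

```python
import io
import re
import zipfile

# Manifest spellings of the permissions the post lists for the decompiled app
# (standard Android names); these are the ones the triage output highlights.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

_PERM = re.compile(r"android\.permission\.[A-Z_]+")


def manifest_permissions(apk_bytes: bytes) -> set:
    """Return every android.permission.* name in the APK's binary
    AndroidManifest.xml. The binary manifest keeps its strings in a pool
    that is either UTF-8 or UTF-16LE, so the raw bytes are scanned once as
    latin-1 (covers UTF-8/ASCII) and once as UTF-16LE."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        raw = apk.read("AndroidManifest.xml")
    found = set(_PERM.findall(raw.decode("latin-1")))
    found |= set(_PERM.findall(raw.decode("utf-16-le", errors="ignore")))
    return found


def triage(apk_bytes: bytes) -> dict:
    """Split the requested permissions into sensitive ones and the rest."""
    perms = manifest_permissions(apk_bytes)
    return {"sensitive": sorted(perms & SENSITIVE),
            "other": sorted(perms - SENSITIVE)}


def build_sample_apk(perms, encoding="utf-16-le") -> bytes:
    """Constructed stand-in for an APK (not the app from the SMS): a zip whose
    AndroidManifest.xml is a fake header plus the permission strings in the
    given string-pool encoding, each NUL-terminated. It is not a valid
    manifest; it only exercises the scanner."""
    pool = b"\x03\x00\x08\x00" + b"".join(
        p.encode(encoding) + b"\x00\x00" for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", pool)
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder entry
    return buf.getvalue()
```

Run `triage(open("app.apk", "rb").read())` on a real sample for the first-look list; the permission names alone do not prove malice, so follow up with a sandbox or VirusTotal as the post does.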
File details reported by VirusTotal:
File type: Android
Magic: Zip archive data
TrID: Sweet Home 3D design (generic) (67.7%)
TrID: ZIP compressed archive (25.8%)
TrID: PrintFox/Pagefox bitmap (640x800) (6.4%)
File size: 3.65 MB (3828487 bytes)
I searched for OSINT (Open Source Intelligence) on the unknown phone number using a tool named PhoneInfoga, but the tool's results suggested the number isn't valid.
The next day, 1st June 2021, I visited the GitHub repository again at 20:41 IST and found that the hacker had uploaded a new app to his GitHub repository and had also updated the link on his GitHub-hosted fake CoWin website.
Here's the repository & the app link:
On 2nd June 2021, the hacker had deleted his website, the GitHub repository and his account, but here's the twist: the phone number he used to send me the message turned active; the OSINT tool PhoneInfoga suggests so in its search results.
Now, I don't know whether this is the real hacker's number or he's using someone else's number. Let me explain: this malicious app uses the above-mentioned permissions and sends fake vaccination messages to the contacts saved in the smartphone. I have also checked the number on WhatsApp, and it's active with a visible profile picture. According to some blog posts, it sends malicious SMS only to Jio numbers.
Beware of these kinds of fake COVID-19 vaccination messages, and please share this blog post for awareness. Thanks for reading, have a nice day!