A Brief Overview of undanganpernikahan.apk

Ryan Runako
MII Cyber Security Consulting Services
6 min read · Feb 16, 2024

Recently, I received a phishing chat through WhatsApp using a wedding invitation as the pretext; the attached "invitation" turned out to be an APK file.

Phishing chat

This phishing scheme has been occurring frequently and has caused significant losses to its victims. According to several sources, the ‘undangan apk’ files target Android users and require the victim to install the application first. The victim’s information, such as the phone number and, if available, credit card details, is then combined with the data received from the APK. The attacker uses this malware APK to set up an SMS and notification listener on the victim’s Android phone, which lets the attacker capture OTPs from incoming messages and calls and use them to perform transactions on several services with the victim’s credentials.

Although I am quite new to mobile app pentesting, I will attempt a static analysis to explain how the malware works and to describe how scammers carry out attacks with the wedding invitation APK phishing scheme.

Undangan Pernikahan Malware APK

Once the application is installed on the device, it is not visible in the Android app launcher; it has an odd icon and shows no name when viewed in the app manager.

Installed malware apk on app manager

To determine the general purpose of this application, I scanned it on VirusTotal and ran an automated analysis with MobSF.

VirusTotal scan result (source: undangan pernikahan phishing — Search Images, virustotal.com)

When I checked on VirusTotal, it indeed detected the APK as SMS spyware.

MobSF

MobSF failed to analyze this malware. This may be because the APK structure was intentionally obfuscated by the malware developer to evade detection.

MobSF summary

However, I did find a Telegram API URL, which most likely serves as the channel for forwarding SMS data captured by the malware APK on the victim’s device to the scammer’s Telegram bot.

MobSF scanned URLs in the APK

Code Overview

For this analysis, my only aims were to understand how the malware works and to gather information about the scammer.

When the source code of this wedding invitation application is opened in jadx, the application is seen to have 7 main classes. For this discussion, I will focus on 4 of them: MainActivity, NotificationService, ReceiveSms, and SendSMS.

App main classes

MainActivity Class

MainActivity class code

The main function of MainActivity is to send the notifications captured by the NotificationService class to the Telegram API server. It requests SMS permission and also collects detailed information about the victim’s device, which is sent to the scammer once the application has been set up on the victim’s device. All of this communication goes through the scammer’s Telegram bot API.

NotificationService Class

NotificationService class code

This class acts as a listener for notifications received on the phone. From each retrieved notification, the app extracts the package name, the notification title, the text in the notification, and the notification ID.

Finally, it broadcasts the intent through the local broadcast manager, which lets components within the same app communicate efficiently.

ReceiveSms Class

ReceiveSms class code

This class contains a function that receives all SMS messages, capturing the sender and the content of each incoming SMS. It also retrieves detailed information about the victim’s device, which is then used to build a URL for sending the SMS data, along with the victim’s device type, to the scammer’s Telegram bot API.

SendSMS Class

SendSMS Class code

This class has a function similar to the code in ReceiveSms, but its purpose is different: it obtains information about incoming SMS messages and then sends SMS messages using a number specified by the attacker.

Summary

From the main class described above, it can be concluded that the scammer distributes the APK by any available method, though in many cases it is spread through WhatsApp. The target is then persuaded to install this APK. If the victim installs the malware, the installed application notifies the attacker through the attacker’s Telegram bot API that the application has been installed on the target, along with detailed device information and whether the victim granted SMS permission.

If the victim has granted SMS permission and notification service access, then every time the victim’s device receives an SMS or another notification, that information is forwarded to the scammer’s bot API. The scammer can therefore receive every SMS and notification on the victim’s device, including incoming calls and the OTPs commonly abused in scams. The scammer can then authenticate or perform any transaction using the victim’s credentials in the form of a phone number and OTP. The information the scammer can receive from the compromised phone includes:

  • Incoming SMS on the victim’s phone, including the title, the sender of the SMS, and the SMS content
  • Incoming notifications on the victim’s phone, including the title and notification content
  • Details of the victim’s device, including the victim’s phone number, Android type, Android model, build number, and host device
  • Installation notifications and the permission grant status on the victim’s phone

Attackers frequently use the Telegram bot API as their backend because setting up a Telegram bot is very easy and requires no self-hosted server: the bot runs on Telegram’s servers, which are very stable and shield the bot creator’s identity from tracing.
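Pulling the class walkthrough and the summary together, the pattern a defender can check for statically is the combination of SMS permissions, a bound notification listener service, and a hard-coded Telegram bot endpoint. The triage script below is an added example of mine, not code from the post or the sample; it assumes a decoded AndroidManifest.xml (as jadx writes it) and a strings dump, and uses constructed sample input with a placeholder bot token.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators that together match the SMS/notification stealer described above.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s\"']+")


def triage(manifest_xml: str, string_dump: str) -> dict:
    """Report SMS permissions, notification listeners and Telegram bot URLs."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    listener_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM
    ]
    # The bot token is an attacker credential: redact it before reporting.
    bot_urls = [re.sub(r"/bot[^/]+", "/bot<REDACTED>", u)
                for u in TELEGRAM_BOT_RE.findall(string_dump)]
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "notification_listener_services": listener_services,
        "telegram_bot_endpoints": bot_urls,
    }
    # Flag only when all three indicators are present together.
    findings["suspicious"] = all(bool(v) for v in findings.values())
    return findings


# Constructed sample input (hypothetical package name, placeholder token).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invite">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotificationService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".ReceiveSms"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ("https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN"
                  "/sendMessage?chat_id=000&text=")

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```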

Prevention

  • Basic education about technology and system security, including common phishing tactics, so that device users can distinguish legitimate files from malware and install applications only from trusted sources such as the Google Play Store or Apple App Store.
  • Install reputable antivirus and antimalware software on your devices to detect and block malicious applications and phishing attempts. These security solutions provide an additional layer of defense against evolving threats.
  • Regularly update the device’s operating system and applications to patch known security vulnerabilities. Updated software often includes security fixes that protect against emerging threats.
  • If the malware has been installed by accident, it can be uninstalled through the app manager in the device settings. The malware application usually has no name or icon.

Conclusion

This phishing application has already victimized many users and caused significant losses, especially among less tech-savvy individuals. When they see a wedding invitation chat or another phishing lure, they may open the attachment without realizing it is a malware application. As a result, the victims open the application, grant its permissions, and are unaware that their phones have been compromised. Hence, basic education on personal data security and prevalent phishing tactics is needed to prevent such incidents.

References

VirusTotal: https://www.virustotal.com/

MobSF/Mobile-Security-Framework-MobSF (GitHub): Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

skylot/jadx (GitHub): Dex to Java decompiler
