Foiling a Phishing Attack: My Experience

Satish
My InfoSec Write-ups
5 min read · Feb 28, 2024

A few weeks ago, I came across a suspicious WhatsApp message prompting me to install an "Axis Bank" Android application. It seemed f(Ph)ishy, so I got curious and looked into it: I examined how the app behaves and decompiled it to see what's inside. The app has harmful intent: it spies on text messages and forwards the stolen data through a Telegram bot. This post explains how the phishing attack works and why it's crucial to be careful with the mobile apps you install.

I'm pretty sure this is a phishing attempt, for the following reasons:

1. The request to sideload the application contradicts standard banking procedures, which raised doubts about its authenticity.

2. The message had been forwarded and contained grammatical errors, which further underscored its dubious nature.

Initial Investigation:

To get a first picture of the application, I ran a preliminary scan on VirusTotal. The application was flagged as malicious, and the URLs embedded in it pointed to wuaze.com, a free web hosting service offering PHP and MySQL, rather than to Axis Bank's official domains. The app was also found to communicate with api.telegram.org.

Detailed Analysis:

I then decompiled the application with jadx and scrutinized its permissions and packaged components. Noteworthy permissions included the ability to receive SMS messages and to access the internet.

The analysis also revealed two specific packages: abyssalarmy.smseye2 and com.pengrad.telegrambot.

The first is SMS spyware (SmsEye2), which allows the attacker to monitor and exfiltrate all incoming and outgoing SMS messages; the second is a Telegram Bot API client library. The spyware works by sending every captured message to an attacker-controlled Telegram bot.

To run the attack, the attacker needs a Telegram bot token and a chat ID, both of which are hardcoded into plain-text files shipped with the application (id.txt, token.txt, url.txt). The victim's SMS data is then sent to the attacker's Telegram bot. In parallel, the attacker collects sensitive information such as login credentials, customer ID, password, and mobile number through a fake Axis Bank page (http://axisbankkyc.wuaze.com/).

id.txt contains the attacker's numeric Telegram account ID.

token.txt contains the attacker's Telegram bot token.

url.txt contains the URL of the page the attacker wants to show on startup.
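As an added example (not the author's tooling and not the malware's code), the following Python script automates the indicator checks described above over a jadx output tree. It assumes jadx's usual layout (resources/AndroidManifest.xml, resources/assets/, sources/<package path>/*.java) and the "bot id:secret" shape of Telegram bot tokens; the decompile tree it builds for itself is constructed, with a made-up bot ID and token, and the report deliberately keeps only the bot ID so it can be shared without leaking the secret.

```python
"""Static triage of a jadx decompile tree for the indicators described in the write-up.

Added example, not the author's tooling. It assumes jadx's output layout
(resources/AndroidManifest.xml, resources/assets/, sources/<package path>/*.java);
the sample tree built below is constructed, with a made-up bot ID and token.
"""
import re
import tempfile
from pathlib import Path

# Indicators named in the write-up.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SUSPICIOUS_PERMISSIONS = SMS_PERMISSIONS | {"android.permission.INTERNET"}
SUSPICIOUS_PACKAGES = {"abyssalarmy.smseye2", "com.pengrad.telegrambot"}
CONFIG_ASSETS = ("id.txt", "token.txt", "url.txt")
SUSPICIOUS_HOSTS = {"api.telegram.org", "wuaze.com"}
# Telegram bot tokens are "<numeric bot id>:<35-char secret>" (format assumption);
# only the numeric id is captured so the report never carries the secret.
TOKEN_RE = re.compile(r"\b(\d{8,10}):[A-Za-z0-9_-]{35}\b")


def triage(root):
    """Walk a decompiled APK tree and collect the indicators it contains."""
    root = Path(root)
    found = {"permissions": [], "packages": set(), "assets": [], "hosts": set(), "bot_ids": []}

    manifest = root / "resources" / "AndroidManifest.xml"
    if manifest.is_file():
        text = manifest.read_text(errors="ignore")
        found["permissions"] = sorted(p for p in SUSPICIOUS_PERMISSIONS if p in text)

    # Hard-coded operator configuration shipped as plain-text assets.
    for name in CONFIG_ASSETS:
        asset = root / "resources" / "assets" / name
        if asset.is_file():
            found["assets"].append(name)
            content = asset.read_text(errors="ignore")
            found["bot_ids"] += TOKEN_RE.findall(content)
            found["hosts"] |= {h for h in SUSPICIOUS_HOSTS if h in content}

    # Package names come from the directory layout; hosts from string literals in the sources.
    sources = root / "sources"
    if sources.is_dir():
        for java in sources.rglob("*.java"):
            pkg = ".".join(java.relative_to(sources).parent.parts)
            found["packages"] |= {p for p in SUSPICIOUS_PACKAGES if pkg.startswith(p)}
            text = java.read_text(errors="ignore")
            found["hosts"] |= {h for h in SUSPICIOUS_HOSTS if h in text}

    # SMS access + a Telegram channel + shipped operator config is the pattern described above.
    sms = any(p in SMS_PERMISSIONS for p in found["permissions"])
    telegram = "api.telegram.org" in found["hosts"] or "com.pengrad.telegrambot" in found["packages"]
    if sms and telegram and found["assets"]:
        verdict = "likely SMS stealer"
    elif sms or telegram or found["assets"] or found["packages"]:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    found["packages"] = sorted(found["packages"])
    found["hosts"] = sorted(found["hosts"])
    found["verdict"] = verdict
    return found


def build_sample_tree(root):
    """Write a constructed decompile tree that mimics the sample described in the write-up."""
    root = Path(root)
    files = {
        "resources/AndroidManifest.xml":
            '<manifest><uses-permission android:name="android.permission.RECEIVE_SMS"/>'
            '<uses-permission android:name="android.permission.INTERNET"/></manifest>',
        "resources/assets/id.txt": "123456789\n",  # made-up chat id
        "resources/assets/token.txt": "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi\n",  # made-up token
        "resources/assets/url.txt": "http://axisbankkyc.wuaze.com/\n",
        "sources/abyssalarmy/smseye2/SmsReceiver.java":
            "package abyssalarmy.smseye2;\nimport com.pengrad.telegrambot.TelegramBot;\n",
        "sources/com/pengrad/telegrambot/TelegramBot.java":
            'package com.pengrad.telegrambot;\nString API = "https://api.telegram.org/bot";\n',
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def triage_sample():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Point `triage()` at a real jadx output directory to run it against an actual sample; the verdict thresholds are a starting point for triage, not a substitute for reading the decompiled SMS receiver yourself.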

Phishing Mechanism:

The phishing attempt orchestrated through the fraudulent application follows a systematic approach, shown in the diagram below.

  • Upon launching the application, the phishing site is displayed, attempting to trick users into entering sensitive information.
  • The attacker uses this information to impersonate the user, triggering OTP requests on the victim's mobile.
  • The infected mobile, already compromised with SmsEye2, forwards the OTPs to the attacker-controlled Telegram bot.
  • The attacker completes the login with the stolen OTP and gains unauthorized access to the victim's account.
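The chain above has two observable stages on the network: a visit to the phishing host, then exfiltration through the Telegram Bot API. As an added example (not the author's tooling), this Python script correlates the two over proxy-style log lines from a mobile-device network. The log format and every line in SAMPLE_LOG are constructed; the host names come from the write-up, while the bot ID and secret in the URLs are made up. Bot tokens are redacted before they reach the alert.

```python
"""Correlate proxy-style log lines for the two stages of the chain above: a visit to the
phishing host, then exfiltration through the Telegram Bot API.

Added example, not the author's tooling. The log format and every line in SAMPLE_LOG are
constructed; the host names come from the write-up, the bot id and secret are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PHISHING_HOSTS = {"axisbankkyc.wuaze.com"}
# Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method> (format assumption).
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
HOST_RE = re.compile(r"^https?://([^/]+)")
# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
WINDOW = timedelta(minutes=30)  # how long after a phishing visit a bot call still counts as linked

SAMPLE_LOG = """\
2024-02-20T10:15:02Z 10.0.0.23 GET http://axisbankkyc.wuaze.com/ 200
2024-02-20T10:15:40Z 10.0.0.23 POST http://axisbankkyc.wuaze.com/ 200
2024-02-20T10:17:05Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage 200
2024-02-20T10:18:11Z 10.0.0.57 GET https://www.example.org/ 200
2024-02-20T11:02:30Z 10.0.0.57 POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage 200
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    host = HOST_RE.match(rec["url"])
    rec["host"] = host.group(1) if host else ""
    return rec


def analyze(log_text):
    """Flag every Telegram Bot API call; raise the severity when the same client visited
    the phishing host within WINDOW before it. Tokens are redacted in the output."""
    phish_visits = defaultdict(list)  # client -> timestamps of phishing-host requests
    bot_calls = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in PHISHING_HOSTS:
            phish_visits[rec["client"]].append(rec["ts"])
        m = BOT_API_RE.match(rec["url"])
        if m:
            bot_id, _secret, method = m.groups()  # the secret is dropped on purpose
            rec["redacted_url"] = f"https://api.telegram.org/bot{bot_id}:<redacted>/{method}"
            rec["bot_id"], rec["bot_method"] = bot_id, method
            bot_calls.append(rec)

    alerts = []
    for call in sorted(bot_calls, key=lambda r: r["ts"]):
        linked = any(timedelta(0) <= call["ts"] - t <= WINDOW for t in phish_visits[call["client"]])
        alerts.append({
            "ts": call["ts"].isoformat(),
            "client": call["client"],
            "bot_id": call["bot_id"],
            "method": call["bot_method"],
            "redacted_url": call["redacted_url"],
            "severity": "high" if linked else "medium",
            "reason": ("Bot API call shortly after a visit to the phishing host" if linked
                       else "Bot API call from a device; check whether a legitimate app explains it"),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Telegram Bot API traffic alone is not proof of compromise, since legitimate apps use it too, which is why a bare bot call only gets "medium"; the same client touching the phishing host shortly before is what lifts it to "high".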

How to stay safe?

Many security incidents happen because people aren't aware of the risks in the digital world. We're careful around strangers in real life, but we tend to forget to be just as cautious online. Staying safe online means actively protecting yourself and paying attention to what's going on.

Here are some simple things you can do to keep yourself safe.

  1. Apply zero trust to anything unknown.
  2. Always be cautious of suspicious emails, links, and online interactions.
  3. Refrain from sideloading applications onto your device; install applications only from trusted sources such as the Google Play Store.
  4. Disable the option to “Install from unknown sources” in your device settings to prevent unauthorized installations.
  5. Exercise caution when granting permissions to apps and scrutinize them carefully before installation.
  6. Make sure a reliable antivirus is installed on your Android device.
  7. Educate yourself and others on common cyber threats and best practices.
  8. Be vigilant against cyber threats and avoid becoming a victim.
  9. Promptly report any suspicious activities or encounters with cybercrime to local authorities or financial institutions.
  10. Leverage tools like VirusTotal to assess the legitimacy and safety of files before downloading or executing them.

Google’s Security Shield: Fortifying Android Users Against Financial Fraud:

Google’s latest security blog post discusses piloting new measures to safeguard Android users from financial fraud. The post emphasizes Android’s commitment to openness, transparency, safety, and user choice, while acknowledging the need for sophisticated defenses in an open ecosystem. It highlights the enhanced real-time scanning capabilities of Google Play Protect, aimed at detecting and blocking malicious apps downloaded from non-Google sources. Additionally, it introduces a new pilot program in collaboration with the Cyber Security Agency of Singapore to combat financial fraud by automatically blocking the installation of apps requesting sensitive permissions frequently abused for fraud.

Conclusion:

This analysis emphasizes why it’s important to stay alert for phishing scams, be careful when installing apps from outside official sources, and pay attention to what permissions apps ask for. It’s just a small example of the big problem of cyberattacks happening all over the world. To stay safe, it’s important to stay updated and use safe practices to protect against these kinds of threats.

For the latest numbers and trends on phishing attacks, take a look at https://apwg.org/trendsreports/ and https://www.gasa.org/.


Note: I couldn’t conduct further analysis of the application’s URLs because the Axis Bank phishing site has been replaced with the homepage of Wuaze.
