APKs/ Malware/ PUP (Potentially Unwanted Program) Based Crimes

What is an APK file?
An APK (Android Package) file is the package in which an app for Android, Google's mobile operating system, is distributed and installed. Some apps come pre-installed on Android devices, while others can be downloaded from Google Play. Apps downloaded from Google Play are installed on the device automatically, while those downloaded from other sources must be installed manually (this is commonly called "sideloading").

Typically, users never see APK files, because Android handles app installation in the background via Google Play or another app distribution platform. However, many websites offer direct APK downloads for Android users who want to install apps manually. In that case, you should make sure you trust the source of the APK file, because malware can be distributed in APK files just as it can in Windows .EXE files.

Present Case Study:
Bulk SMS are being circulated in large numbers, which read as follows –

“Congratulations on your low-interest loan of Rs 1,50,000, the loan has been approved, please click the link to get cash: https://bit.ly/30ny7IP” 
OR 
“The loan you applied for has been approved for Rs 1,50,000. Please apply for a loan within 24 hours, click for cash: https://bit.ly/2DAWvOa”

Clearly, these act as “click-baits” for something more sinister. The messages may lure users in different ways, but the ultimate aim is to make users download these APKs.

The shortened links "https://bit.ly/30ny7IP" and “https://bit.ly/2DAWvOa” resolved to links as shown below – 
https://api3w.ilovepdf.com/v1/download/5cjrzq96wg34f1dplldwt3yfvxm6ptw0pc7spdnm4x5d1qfvA2yyl8dk82595hknh9A94cx66hhz67x8617twrA3bp9q2tpml88fg3k1xjwk0flr66x37xrp50bnj24fy0xl3bvAdm59dcq9nnf5dbmpvhyy4h6f5d86lr4klfb3h6nl2sg1

and 

https://coinlke.com/smsvivo/sms7.html   

Both links prompt users to download and install an APK named “VivoRupee.apk”, “OppoRupee”, etc. The names of the APKs differ, but the underlying functionality remains the same.
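The lure messages quoted above share a recognisable shape: a loan or prize, a rupee amount, a deadline, and a shortened link that hides the landing page. The Python script below is an added example, not part of the original report, showing how a simple indicator-based scorer can triage a batch of SMS messages before anyone taps a link. The sample inbox is constructed: the first two messages are the lures quoted in the case study, the last two are benign controls; the keyword list, the shortener list and the score threshold are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample inbox: the first two are the lures quoted in the case study,
# the last two are benign messages used as negative controls.
SAMPLE_SMS = [
    "Congratulations on your low-interest loan of Rs 1,50,000, the loan has been "
    "approved, please click the link to get cash: https://bit.ly/30ny7IP",
    "The loan you applied for has been approved for Rs 1,50,000. Please apply for a "
    "loan within 24 hours, click for cash: https://bit.ly/2DAWvOa",
    "Your OTP for login is 482913. Do not share it with anyone.",
    "Reminder: your electricity bill is due on 15 Sep. Pay via the official portal.",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Public link shorteners: abused because the landing page (and the APK behind it) is hidden
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "rb.gy", "is.gd"}
# Words that recur in instant-loan / cash-prize lures (assumed list for this example)
LURE_KEYWORDS = ("congratulations", "loan", "approved", "click", "cash", "prize")
URGENCY_RE = re.compile(r"within\s+\d+\s+(?:hours?|minutes?|days?)", re.I)
AMOUNT_RE = re.compile(r"\bRs\.?\s*\d[\d,]*", re.I)


def extract_urls(text):
    """Return the URLs in a message, with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def score_sms(text):
    """Score a message; higher means more lure indicators. Returns (score, reasons)."""
    score, reasons = 0, []
    lowered = text.lower()
    for kw in LURE_KEYWORDS:
        if re.search(r"\b" + kw + r"\b", lowered):
            score += 1
            reasons.append("keyword:" + kw)
    if AMOUNT_RE.search(text):
        score += 1
        reasons.append("currency-amount")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency")
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            score += 2  # shortened link: destination cannot be judged from the text
            reasons.append("shortened-link:" + host)
        else:
            score += 1
            reasons.append("link:" + host)
    return score, reasons


def is_loan_lure(text, threshold=4):
    """Verdict for filtering; threshold chosen so a shortened link alone (2) does not trigger."""
    return score_sms(text)[0] >= threshold


def triage(messages):
    """Return [(score, verdict, reasons)] for a batch of messages."""
    out = []
    for msg in messages:
        score, reasons = score_sms(msg)
        out.append((score, "LURE" if score >= 4 else "ok", reasons))
    return out


if __name__ == "__main__":
    for msg, (score, verdict, reasons) in zip(SAMPLE_SMS, triage(SAMPLE_SMS)):
        print(f"[{verdict:4}] score={score} {msg[:50]!r} {reasons}")
```

Run as a script, the two quoted lures each score 8 and are marked LURE, while the OTP and bill reminders score 0. The scorer deliberately never follows the shortened link; resolving where a link lands is a job for an isolated environment, not for the device that received the SMS.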

Lab Analysis of The APK:
We suspect the APK to be either malware or a PUA (Potentially Unwanted Application) / PUP (Potentially Unwanted Program). PUA/PUP is a subjective tagging criterion used by security and parental control products for software that, while not outright malicious, may be implemented in a way that compromises privacy or weakens the device’s security.

Detailed analysis shows the following:
File Name: apk_opoprupee_2.apk
Package Name: com.rupee.samsuagrupee
Size: 10.12 MB
Files by Type contained in the APK included:

  • DEX (2) 
  • ELF (9)  
  • XML (242)  
  • PNG (371)  
  • UNKNOWN (376)

The APK seeks very intrusive permissions, including – 

  • Permission to read sensitive log data 
  • Permission to take videos and pictures 
  • Full internet access 
  • Read SD card contents 
  • Read / modify / delete SD card contents 
  • Directly call phone numbers 
  • Read contact data 
  • Read phone state and identity 
  • Read Bluetooth connections 
  • View network status 
  • View Wi-Fi status 
  • Coarse (network based) location 
  • Fine (GPS) location 
  • Change Wi-Fi status 

Anti VM Code:
To prevent LEAs from analyzing the code (APK) in a safe medium such as a virtual machine or Genymotion, the APK contains an anti-VM package that checks whether it is running inside an emulator.
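The file-type counts, the permission list and the anti-VM check above are the kind of findings a static triage pass produces. The Python script below is an added example, not part of the original report or of any tool it used: it opens an APK (which is a zip archive), classifies each entry by its magic bytes, extracts the uses-permission entries from the manifest and maps them to the report's own plain-language descriptions, and scans every entry for well-known emulator fingerprint strings that anti-VM code typically looks for. It assumes the manifest has already been decoded to plain XML (for example with apktool; a real APK's manifest is binary AXML, which this script does not parse), and the sample APK it builds, including the package name and file contents, is constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the report flags, mapped to the plain-language meaning it gives them
INTRUSIVE = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.CAMERA": "take videos and pictures",
    "android.permission.INTERNET": "full internet access",
    "android.permission.READ_EXTERNAL_STORAGE": "read SD card contents",
    "android.permission.WRITE_EXTERNAL_STORAGE": "read / modify / delete SD card contents",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.READ_PHONE_STATE": "read phone state and identity",
    "android.permission.BLUETOOTH": "read Bluetooth connections",
    "android.permission.ACCESS_NETWORK_STATE": "view network status",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi status",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network based) location",
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
    "android.permission.CHANGE_WIFI_STATE": "change Wi-Fi status",
}
# Emulator fingerprints that anti-VM code commonly tests for; finding them in code or
# native libraries is a heuristic for manual review, not proof of evasion.
ANTI_VM_MARKERS = [b"ro.kernel.qemu", b"goldfish", b"genymotion", b"vbox86", b"ranchu"]


def file_type(data):
    """Classify an entry by magic bytes (sandboxes report types this way, not by extension)."""
    if data.startswith(b"dex\n"):
        return "DEX"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"\x89PNG"):
        return "PNG"
    if data.startswith(b"<?xml") or data.startswith(b"\x03\x00\x08\x00"):  # text or binary AXML
        return "XML"
    return "UNKNOWN"


def parse_permissions(manifest_xml):
    """Read <uses-permission android:name=...> from a decoded (plain-text) manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def triage_apk(apk_bytes):
    """Static triage: file types, declared permissions, intrusive subset, anti-VM strings."""
    types, perms, anti_vm = Counter(), [], {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            types[file_type(data)] += 1
            if info.filename == "AndroidManifest.xml":
                perms = parse_permissions(data)
            hits = [m.decode() for m in ANTI_VM_MARKERS if m in data.lower()]
            if hits:
                anti_vm[info.filename] = hits
    intrusive = {p: INTRUSIVE[p] for p in perms if p in INTRUSIVE}
    return {"types": dict(types), "permissions": perms,
            "intrusive": intrusive, "anti_vm": anti_vm}


def is_suspicious(report, max_intrusive=3):
    """Flag for manual review: many intrusive permissions, or any emulator-detection strings."""
    return len(report["intrusive"]) > max_intrusive or bool(report["anti_vm"])


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a decoded manifest and fake entries."""
    manifest = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 16)
        # fake native library carrying two emulator fingerprints as literal strings
        z.writestr("lib/armeabi-v7a/libnative.so",
                   b"\x7fELF" + b"\x00" * 16 + b"ro.kernel.qemu\x00goldfish\x00")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        z.writestr("assets/blob.bin", b"\x00\x01\x02\x03")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    report = triage_apk(build_sample_apk())
    print(json.dumps(report, indent=2))
    print("suspicious:", is_suspicious(report))
```

On the constructed sample this reports two DEX, one ELF, one XML, one PNG and one UNKNOWN entry, six intrusive permissions, and the two emulator strings inside the fake native library, so `is_suspicious` returns True. On a real sample, run this only on a copy inside an isolated analysis host, and treat the anti-VM hits as a prompt to analyse on physical hardware rather than as a verdict.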

Other Issues:

  • The APK logs very sensitive and confidential information, including username credentials for important websites such as Facebook, Yahoo, Google Pay, etc. 
  • The APK can read from and write to external storage. 
  • The APK creates a temp file. Sensitive information should never be written to a temp file. 
  • The APK copies data to the clipboard. Sensitive data should not be copied to the clipboard, as other applications can access it. 
  • Finally, the APK itself suffers from multiple vulnerabilities. 

Conclusion:
Installation of the APK can lead to catastrophic damage, including financial losses, breach of privacy and espionage. The persons behind the whole operation are using click-baits to make gullible people install the APK. 

In a society where gullible citizens even part with OTPs, UPI PINs, etc., making citizens install the APK in the name of a cash prize or instant loan is good enough click-bait, especially when there is no apparent monetary loss in installing it and granting it intrusive permissions. The degree of awareness regarding APKs still remains low in India. 

The modus operandi of the criminals is not only sophisticated, reeking of technical hands, but the criminals are also working together in a highly organized and concerted manner to fleece the common man. It is pertinent to mention here the following FIRs, which have been lodged recently by the CBI. 

https://economictimes.indiatimes.com/news/politics-and-nation/cbi-books-six-companies-for-installing-malware-on-peoples-computers/articleshow/78170043.cms - CBI books six companies for installing malwares on people’s computers. 

In times to come, as cyber crimes grow more sophisticated, such complex cyber crimes will increase massively.