BEWARE: Fake Applications are Disguised as Legitimate Ones

The article explains how threat actors use fake applications impersonating trusted brands (notably IRCTC) to deceive users into downloading spyware, with social engineering and phishing as core tactics. It analyzes an IRCTC advisory, details the spyware’s capabilities, and provides safety tips to avoid falling prey to these counterfeit apps. Hashtags: #IRCTC #AndroidSpyNoteGEN

Keypoints

  • Fake apps imitate trusted apps or brands to lure users into installing malicious software.
  • The IRCTC fake app is spyware designed to spy on victims and exfiltrate data.
  • It can steal Facebook and Google credentials, and abuse the Android accessibility service to read one-time codes out of Google Authenticator.
  • It can track GPS/network location, use the Camera API to record/send videos, and gather installed apps information.
  • Collected data is sent to a C2 server, with obfuscation used to hide the host.
  • The distribution relies on phishing sites and mass messaging, impersonating IRCTC officials; users are advised to download only from official stores.

MITRE Techniques

  • [T1566.001] Phishing – The malicious Android app is hosted on a phishing website and circulated via instant messaging to trick victims into downloading and revealing data. Quote: “It has been reported that a malicious Android application (irctcconnect.apk) hosted on a phishing website (https://irctc.creditmobile.site) is being circulated over instant messaging platforms e.g., WhatsApp, Telegram, etc.”
  • [T1125] Video Capture – The spyware uses the Camera API to record and send videos. Quote: “Using the Camera API to record and send videos.”
  • [T1056.003] Input Capture – The app uses accessibility to extract codes from Google Authenticator. Quote: “Use accessibility to extract codes from Google Authenticator.”
  • [T1518] Software Discovery – It gathers installed applications’ information on the mobile device. Quote: “Gather Installed Applications’ Information on the mobile device.”
  • [T1041] Exfiltration Over C2 Channel – The malware sends all collected information to a C2 server. Quote: “Send all collected information to a C2 server, after which it can obfuscate to hide the host.”
  • [T1552.001] Credentials in Web Services – It can steal Facebook credentials. Quote: “Stealing Facebook credentials.”
  • [T1027] Obfuscated/Compressed Files and Information – It can obfuscate to hide the host. Quote: “obfuscate to hide the host.”

Indicators of Compromise

  • [Domain] Phishing host – irctc.creditmobile.site
  • [Hash] MD5 – 45c154af52c65087161b8d87e212435a
  • [Hash] MD5 – c01566f5feb7244ed4805e2855ebdc400
  • [Hash] MD5 – c77435e6e77152d24e86eb75e1f04d75
  • [Filename] – irctcconnect.apk
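A defender's first use of an indicator list like the one above is a retrospective sweep of DNS and device-inventory logs. The script below is an added example, not code from the original article or from Quick Heal: it loads the page's indicators verbatim, validates the hashes before using them (the second MD5 as listed has 33 hex characters, so it is reported as malformed rather than silently loaded as an indicator that can never match), and runs a subdomain-aware domain match and a hash-or-filename match over constructed sample log lines. The log formats, device names, timestamps and the non-IoC hashes are all constructed for the demonstration.

```python
"""IoC sweep for the fake-IRCTC spyware advisory (added example).

Indicator values are copied from the advisory; the DNS log and device file
inventory formats below are assumptions, and their lines are constructed.
"""
import re
from typing import Iterable

# Indicators as listed on the page. The second MD5 is copied exactly as
# published (33 hex characters), so validate_md5s() will flag it.
IOC_DOMAINS = {"irctc.creditmobile.site"}
IOC_MD5_LISTED = [
    "45c154af52c65087161b8d87e212435a",
    "c01566f5feb7244ed4805e2855ebdc400",
    "c77435e6e77152d24e86eb75e1f04d75",
]
IOC_FILENAMES = {"irctcconnect.apk"}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_md5s(hashes: Iterable[str]) -> tuple[set[str], list[str]]:
    """Normalise hashes; return (well-formed set, malformed list).

    Malformed entries are returned for analyst review instead of being
    dropped, because a hash that can never match gives false coverage.
    """
    valid, malformed = set(), []
    for h in hashes:
        h = h.strip().lower()
        (valid.add if MD5_RE.match(h) else malformed.append)(h)
    return valid, malformed


def domain_matches(qname: str, blocklist: set[str]) -> bool:
    """Exact or subdomain match; case-insensitive, trailing dot tolerated."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in blocklist)


# Constructed resolver log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:01Z 10.0.0.21 www.irctc.co.in A
2024-05-01T09:12:44Z 10.0.0.37 irctc.creditmobile.site A
2024-05-01T09:13:02Z 10.0.0.37 cdn.irctc.creditmobile.site. A
2024-05-01T09:13:10Z 10.0.0.42 mail.example.com MX
"""

# Constructed device file inventory: "<device> <path> <md5>"
SAMPLE_FILE_INVENTORY = """\
dev-01 /sdcard/Download/irctcconnect.apk 45c154af52c65087161b8d87e212435a
dev-02 /sdcard/Download/statement.pdf 0cc175b9c0f1b6a831c399e269772661
dev-03 /sdcard/Download/IRCTCConnect.apk 9e107d9d372bb6826bd81d3542a419d6
"""


def scan_dns_log(log: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs that resolved a blocklisted domain."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        _ts, client, qname, _qtype = parts[:4]
        if domain_matches(qname, IOC_DOMAINS):
            hits.append((client, qname.rstrip(".").lower()))
    return hits


def scan_file_inventory(inv: str, valid_md5: set[str]) -> list[dict]:
    """Flag files by hash (high confidence) or by lure filename (medium).

    A name-only hit is kept because a repacked APK keeps the lure filename
    while its hash changes; triage decides what to do with each severity.
    """
    findings = []
    for line in inv.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        device, path, md5 = parts
        fname = path.rsplit("/", 1)[-1].lower()
        if md5.lower() in valid_md5:
            findings.append({"device": device, "path": path,
                             "reason": "hash", "severity": "high"})
        elif fname in IOC_FILENAMES:
            findings.append({"device": device, "path": path,
                             "reason": "filename", "severity": "medium"})
    return findings


def run_sweep() -> dict:
    """Validate indicators, then sweep both sample logs."""
    valid, malformed = validate_md5s(IOC_MD5_LISTED)
    return {
        "malformed_hashes": malformed,
        "dns_hits": scan_dns_log(SAMPLE_DNS_LOG),
        "file_findings": scan_file_inventory(SAMPLE_FILE_INVENTORY, valid),
    }


if __name__ == "__main__":
    for key, value in run_sweep().items():
        print(key, value)
```

The subdomain match matters because a lure host is rarely contacted only by its apex name; the filename fallback is deliberately lower severity, since a legitimate file could share the name, while the hash hit is treated as confirmed.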

Read more: https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/