Shielding Against Android Phishing in Indian Banking | McAfee Blog

A banking trojan tracked as Android/Banker.AFX uses WhatsApp messages to trick users into sideloading a fake KYC APK that imitates an SBI app, requests SMS permissions, presents a locally loaded WebView phishing page, and exfiltrates credentials and intercepted SMS (including OTPs) to attackers via a Firebase websocket. The APK bundle and its package name (hello.uwer.hello.hello.google.is.the.best) plus several file hashes and an abused Firebase host were identified. #AndroidBankerAFX #SBI #Firebase

Keypoints

  • Initial distribution through WhatsApp messages urging users to download an APK under the guise of mandatory KYC verification.
  • Users can bypass Android’s unknown-app install block by enabling “install unknown apps” for WhatsApp, allowing the malicious APK to install.
  • The trojan abuses an SBI app icon and launches a locally hosted phishing page in a WebView to harvest credentials and extensive personal data.
  • On first run the APK requests the RECEIVE_SMS permission so it can capture incoming OTPs, which are stored locally and forwarded to attackers.
  • Collected data (personal details, account/CIF/PAN/Aadhar, card numbers, CVV, PIN) and intercepted SMS are exfiltrated to attackers via a Firebase websocket (wss) endpoint embedded in the APK.
  • Static analysis shows the APK contains Firebase configuration and API key, and requires permissions including INTERNET, REQUEST_INSTALL_PACKAGES, RECEIVE_SMS, and ACCESS_NETWORK_STATE.
  • Multiple file hashes and a consistent package name (hello.uwer.hello.hello.google.is.the.best) were identified as indicators tied to this trojan family.

MITRE Techniques

  • [T1566] Phishing – WhatsApp messages are used to lure victims to download the malicious APK: ‘The initial lure is an alarming WhatsApp message prompting the user to download an Android Package (APK) to complete a mandatory verification procedure…’
  • [T1204] User Execution – Social-engineering prompts cause users to enable installation from unknown sources and run the APK: ‘However, if users ignore the warning, they may deactivate this important security feature with just two clicks.’
  • [T1056] Input Capture – The trojan requests and uses SMS-read permissions to capture incoming one-time passwords and messages: ‘the app has granted SMS reading permissions at the first execution… any received SMS message would also be exfiltrated to the attackers’ servers.’
  • [T1567] Exfiltration Over Web Service – Collected credentials and SMS are sent to attackers using a Firebase websocket endpoint embedded in the APK: ‘wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb’

Indicators of Compromise

  • [File Hash] suspicious APK hashes – 7cfc6360e69d22b09a28c940caf628959d11176e27b8a03e15b020b369569415, b067f5903e23288842ad056d4b31299b3b30052abe69bee236136b2b9fcab6a8, and 7 more hashes.
  • [Package Name] malicious package – hello.uwer.hello.hello.google.is.the.best (used by multiple observed APKs).
  • [Websocket / Host] abused Firebase host for exfiltration – wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb (socket used to transmit collected data).

The technical procedure begins with social engineering via WhatsApp: attackers send an urgent message claiming a mandatory KYC verification and provide an APK link. If the user permits installs from unknown sources for WhatsApp, the APK can be sideloaded despite Android's warnings. On installation the app masquerades with a banking icon (SBI) to reduce suspicion, and on first launch requests permissions including RECEIVE_SMS, INTERNET, REQUEST_INSTALL_PACKAGES, and ACCESS_NETWORK_STATE.

Once running, the malware loads a locally stored phishing site inside a WebView that mimics the bank’s net-banking UI (static hardcoded captcha) to collect username, password, phone number, DOB, account/CIF/PAN/Aadhar numbers, and card details (number, CVV, PIN). The app records incoming SMS messages (to capture OTPs), saves them locally, and forwards them to attackers through an established websocket connection to a Firebase realtime database instance; the Firebase configuration and API key are embedded in the APK.

Static analysis confirms the package name hello.uwer.hello.hello.google.is.the.best and multiple SHA-256 hashes for observed samples. The exfiltration channel is a wss Firebase endpoint (wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb). Detection and prevention focus on denying unknown-source installs, refusing SMS permissions to apps that are not messaging apps, and blocking or analyzing APKs that request both RECEIVE_SMS and REQUEST_INSTALL_PACKAGES.
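As an added illustration of the static triage described above (this is example code written for this summary, not McAfee's tooling), the following script checks a decoded AndroidManifest.xml and a list of extracted strings against the report's indicators: the known package name, the RECEIVE_SMS plus REQUEST_INSTALL_PACKAGES combination, and an embedded Firebase realtime-database websocket endpoint. The manifest and strings are constructed samples; a real workflow would feed in output from apktool or a string extractor.

```python
import re
import xml.etree.ElementTree as ET

# Indicators taken from the report; everything below that is labelled "sample" is constructed.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
KNOWN_PACKAGE = "hello.uwer.hello.hello.google.is.the.best"
RISKY_COMBO = {"android.permission.RECEIVE_SMS",
               "android.permission.REQUEST_INSTALL_PACKAGES"}
# Matches Firebase realtime-database websocket URLs of the shape seen in the APK.
FIREBASE_WSS = re.compile(r"wss://[\w.-]+\.firebaseio\.com/\.ws\?[\w=&.-]*")


def triage_apk(manifest_xml: str, strings: list[str]) -> dict:
    """Score a decoded manifest plus extracted strings against the report's indicators."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    endpoints = sorted({m.group(0) for s in strings for m in FIREBASE_WSS.finditer(s)})
    findings = []
    if package == KNOWN_PACKAGE:
        findings.append("package name matches Android/Banker.AFX samples")
    if RISKY_COMBO <= perms:
        findings.append("requests RECEIVE_SMS together with REQUEST_INSTALL_PACKAGES")
    elif "android.permission.RECEIVE_SMS" in perms:
        findings.append("requests RECEIVE_SMS (review unless the app is a messaging app)")
    if endpoints:
        findings.append("embeds Firebase realtime-database websocket endpoint(s)")
    return {"package": package, "permissions": sorted(perms),
            "firebase_endpoints": endpoints, "findings": findings}


# Constructed sample: a manifest and string table shaped like the trojan described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hello.uwer.hello.hello.google.is.the.best">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="SBI KYC"/>
</manifest>"""
SAMPLE_STRINGS = [
    "file:///android_asset/login.html",  # locally loaded WebView phishing page
    "wss://s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb",
]

if __name__ == "__main__":
    for line in triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS)["findings"]:
        print("FLAG:", line)
```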

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shielding-against-android-phishing-in-indian-banking/