Android Phishing Scam Using Malware-as-a-Service on the Rise in India | McAfee Blog

McAfee Mobile Research observed a large, ongoing Android phishing campaign in India that leverages Malware-as-a-Service from a group named ELVIA INFOTECH to distribute Android/SmsSpy via hundreds of fake apps, infecting thousands of devices. The malicious apps load phishing pages hosted on legitimate platforms and request SMS permissions to capture OTPs and exfiltrate sensitive banking and personal data. #AndroidSmsSpy #ELVIAINFOTECH

Keypoints

  • The campaign progressed through development, expansion and active stages, producing 800+ malicious apps and infecting 3,700+ Android devices.
  • The malware is offered as Malware-as-a-Service (MaaS) by ELVIA INFOTECH, with buyers receiving apps that include expiration/payment mechanisms.
  • Operators distribute numerous unique phishing pages (100+ URLs) and C2 endpoints (100+ URLs), enabling independent scam operations per buyer.
  • Malicious apps impersonate legitimate services (couriers, utilities, hospital bookings) using deceptive file names and icons to induce installation.
  • Technical behavior: apps load phishing web pages on launch, request SMS permissions, run a background service to monitor/forward SMS (including OTPs) to C2 servers.
  • McAfee detects the threat as Android/SmsSpy; the report includes multiple SHA256 hashes, phishing URLs, and C2 server endpoints as IOCs.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

  • [File Hashes] sample malicious APK SHA256 hashes – 092efedd8e2e0c965290154b8a6e2bd5ec19206f43d50d339fa1485f8ff6ccba, 7b1f692868df9ff463599a486658bcdb862c1cf42e99ec717e289ddb608c8350, and 6 more hashes
  • [Phishing URLs] phishing pages hosted on legitimate platforms (Wix, etc.) – hxxps://bijlipayupdate[.]wixsite[.]com/my-site, hxxps://couriers9343[.]wixsite[.]com/courier/, and 4 more URLs
  • [C2 Server URLs] command-and-control/data endpoints used to retrieve configuration and receive exfiltrated SMS – hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json, hxxps://forexroyality[.]online/complainf13/My_File[.]txt, and 4 more URLs
  • [File/App Names] deceptive APK/file names used to entice installs – CustomerSupport.apk, Mahavitaran Bill Update.apk (also names like Appointment Booking.apk, Emergency Courier.apk)

The malicious workflow begins when a user installs an app that mimics legitimate services; on launch the app immediately loads an embedded or remote phishing web page that impersonates courier, utility, or hospital service sites to collect user inputs (name, address, phone, bank card details, passwords). Those pages are hosted on legitimate platforms (e.g., Wix) and vary per app, allowing different buyers to deploy unique phishing URLs. The apps use deceptive icons/names like “Customer Support” or “Blue Dart” to increase installation rates.

Upon first run the apps request SMS-related permissions; if granted, they start a background service that monitors incoming SMS messages and forwards their contents (including OTPs) to phone numbers or endpoints supplied by the C2 server. The malware retrieves its configuration and C2 details from hosted endpoints (examples include adn-reg[.]com/data[.]json and courier[.]elviainfotech[.]cloud/pages/phone[.]json) and then exfiltrates the collected credentials and SMS messages to those endpoints. Because the attacker receives the OTP as soon as it arrives on the victim's device, SMS-based second-factor checks are defeated and fraudulent bank transactions can be completed.
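The two behaviours described above (SMS permissions plus a component that watches incoming SMS and a service that ships them off over the network, and the hosted configuration/C2 endpoints listed as IOCs) give a defender a cheap static triage check. The script below is an added example written for this summary, not McAfee's code or anything recovered from the samples: it inspects a decoded AndroidManifest.xml (as apktool would produce; the manifest text, component names and the observed host list are constructed here) for the SMS-stealer permission/receiver/service combination, and refangs the defanged IOC URLs from this page so that hostnames seen in proxy or DNS logs can be matched against them. The exact component layout (a BroadcastReceiver for SMS_RECEIVED plus a forwarding service) is an assumption about how such apps are usually built, not a detail the report states.

```python
"""Static triage for the Android/SmsSpy pattern plus IOC host matching.

Added example for this summary; manifest and observed hosts are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree attribute-key prefix for android:*

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a decoded "Customer Support" lure app
# (component names are assumptions, not names from the report).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.customersupport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Customer Support">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SmsForwardService"/>
  </application>
</manifest>
"""

# Constructed benign manifest: a WebView app with network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News"><activity android:name=".Main"/></application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the SMS-related findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A receiver whose intent-filter subscribes to SMS_RECEIVED sees every
    # incoming message (including OTPs) before the user does.
    sms_receiver = any(
        act.get(A + "name") == SMS_RECEIVED
        for rcv in root.iter("receiver")
        for act in rcv.iter("action")
    )
    services = [s.get(A + "name") for s in root.iter("service")]
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "internet": "android.permission.INTERNET" in perms,
        "sms_receiver": sms_receiver,
        "services": services,
    }
    # All four together match the behaviour described in the report.
    findings["smsspy_pattern"] = (
        bool(findings["sms_permissions"]) and sms_receiver
        and findings["internet"] and bool(services)
    )
    return findings


# Defanged IOC URLs as listed on this page.
IOC_URLS = [
    "hxxps://bijlipayupdate[.]wixsite[.]com/my-site",
    "hxxps://couriers9343[.]wixsite[.]com/courier/",
    "hxxps://courier[.]elviainfotech[.]cloud/pages/phone[.]json",
    "hxxps://forexroyality[.]online/complainf13/My_File[.]txt",
]


def refang(url):
    """Turn hxxps://a[.]b back into https://a.b for matching."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."))


def ioc_hosts(iocs):
    return {urlparse(refang(u)).hostname for u in iocs}


def match_hosts(observed, iocs):
    """Hosts from proxy/DNS logs that hit an IOC hostname, sorted."""
    hosts = ioc_hosts(iocs)
    return sorted(h for h in set(observed) if h in hosts)


# Constructed list of destinations seen from a device under investigation.
OBSERVED_HOSTS = [
    "play.google.com",
    "courier.elviainfotech.cloud",
    "bijlipayupdate.wixsite.com",
    "courier.elviainfotech.cloud",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(match_hosts(OBSERVED_HOSTS, IOC_URLS))
```

Matching on hostname rather than full URL is deliberate: the report notes that each buyer gets distinct phishing and C2 URLs, so the path is likely to differ per campaign while the Wix subdomain or the elviainfotech[.]cloud host is more stable. Treat a manifest hit as a triage signal only; legitimate SMS and backup apps request the same permissions, so the finding needs to be paired with a network hit or with the lure file names listed above.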

This threat is delivered and monetized via a MaaS model: ELVIA INFOTECH develops, updates, and sells prepackaged malicious APKs and phishing sites (with expiration/payment controls) through channels such as Telegram, enabling multiple independent scammers to operate using distinct phishing and C2 URLs. The report provides SHA256 hashes, sample phishing URLs, C2 endpoints, and representative app names as IOCs for detection and hunting.

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-phishing-scam-using-malware-as-a-service-on-the-rise-in-india/