PlayCloak: A Play Store–Distributed Travel Utility Covertly Operating as a Financial Fraud and Cybercrime Platform – CYFIRMA

The Android app Hicas (package com.apptool.hicash.newhicash) is distributed as a travel utility but dynamically switches on Indian devices to a fully web-based, coercive loan platform delivered via remote WebView and aggressive UI pressure. Static and dynamic analysis revealed heavy obfuscation, runtime XOR string decryption, contact harvesting, excessive permissions, and remote configuration hosted at in-h5.oss-ap-southeast-1.aliyuncs.com and bksn515.vercel.app, indicating a Chinese-operated loan ecosystem with coercive repayment tactics. #Hicas #hicas.tech

Keypoints

  • Hicas is listed on Google Play as a travel packing companion (com.apptool.hicash.newhicash) but delivers a loan workflow to Indian users via remote WebView; the app reports 500,000+ downloads.
  • The app implements region-based behavior switching: travel features for non-Indian devices and a loan/dunning UI for Indian devices, including login and borrowing flows.
  • Remote configuration endpoints (in-h5.oss-ap-southeast-1.aliyuncs.com and bksn515.vercel.app) control runtime behavior and UI, enabling operators to change loan terms and coercive content without app updates.
  • Extensive obfuscation and runtime XOR string decryption (802 strings recovered) were used to hide logic and endpoints; the app requests excessive permissions and includes explicit contact-harvesting functionality.
  • Firebase Cloud Messaging and redundant hosting (cdn.hicas.tech, hicas.tech, Firebase) enable remote-triggered actions, dynamic content delivery, and resilience against takedown efforts.
  • User complaints and technical indicators (harassment, image manipulation, unauthorized contact/photo access, deceptive repayment prompts) support classification as a deceptive, high-risk loan platform rather than a legitimate travel app.

MITRE Techniques

  • [T1660] Phishing – Promoted via social media and ads to lure users into installing and using the app for loans (‘actively promoted on social media platforms, including YouTube’)
  • [T1603] Scheduled Task/Job – Persistence or delayed activation mechanisms used to defer malicious behavior until runtime (‘delaying malicious behavior until runtime and selectively activating functionality based on device attributes and region’)
  • [T1628] Hide Artifacts – Techniques used to conceal code and behavior through obfuscation and encrypted strings (‘aggressive obfuscation and runtime string decryption to conceal operational logic and evade static analysis’)
  • [T1628.002] User Evasion – Region-based cloaking to present benign functionality to non-targeted users while activating malicious flows on targets (‘When the app detects non-Indian devices, the application behaves as advertised… on devices identified as Indian, the application bypasses its stated functionality and instead presents a loan workflow’)
  • [T1406] Obfuscated Files or Information – Use of XOR-based string encryption and randomized class/method names to hinder analysis (‘heavy use of string encryption and obfuscation… class and package names are composed of seemingly random characters’)
  • [T1417] Input Capture – The app presents login screens and captures user input as part of the loan workflow (‘Upon launching the application, it immediately presents a login screen’)
  • [T1418] Software Discovery – The app enumerates device attributes and environment to determine targeted behavior (‘selectively activating functionality based on device attributes and region’)
  • [T1426] System Information Discovery – Collection or detection of system-level details to support region-based behavior and targeting (‘region-based behavior switching’ and SDK targeting to ensure broader device coverage)
  • [T1422] Internet Connection Discovery – The app queries remote configuration and checks connectivity to load WebView content (‘issues a GET request to https://h5.hicas.tech/domain.json to retrieve additional runtime configuration’)
  • [T1414] Input Capture – Capturing of user-provided data through forms or WebView for loan processing and potential misuse (‘delivers the complete loan workflow through a remote WebView… including login and borrowing features’)
  • [T1636.003] Contact List – Explicit contact harvesting and serialization of contact entries for likely transmission to the backend (‘collects the total number of contacts from the device, processes the contact list, and serializes the data into a JSON object’)
  • [T1437] Application Layer Protocol – Use of web protocols and remote-hosted WebView content to deliver the primary malicious functionality (‘delivers the complete loan workflow through a remote WebView’ and ‘loads a dynamic WebView from cdn.hicas.tech’)
  • [T1437.001] Web Protocols – Reliance on HTTP(S) to fetch remote UI assets and configuration (‘loads UI resources such as JavaScript, CSS, and images at runtime’ from cdn.hicas.tech and config endpoints)
  • [T1521] Encrypted Channel – Use of encrypted channels for remote configuration and backend communications (‘GET request to https://h5.hicas.tech/domain.json’ and other HTTPS endpoints)
  • [T1481] Web Services – Use of web services and remote hosting (CDN, object storage, Vercel) to serve the dynamic loan UI and APIs (‘remote configuration hosted at in-h5.oss-ap-southeast-1.aliyuncs.com/hosts/hicas/config.json’ and ‘bksn515.vercel.app/hosts/hicas/config.json’)
  • [T1646] Exfiltration Over C2 Channel – Packaging and likely transmission of harvested contacts and data to backend C2 infrastructure (‘structured output is indicative of intentional contact enumeration and packaging, likely for transmission to a remote backend’)

Indicators of Compromise

  • [SHA256] APK binary – 0ac8f10afbc7f73f75ff732e9637846604b009f15b99cce9344ad94b49490844 (identified in the YARA rule and analysis)
  • [Domain] Primary malicious domains and CDN – hicas.tech (WebView/landing), cdn.hicas.tech (runtime UI assets)
  • [URL] Remote configuration and C2 endpoints – https://in-h5.oss-ap-southeast-1.aliyuncs.com/hosts/hicas/config.json, https://bksn515.vercel.app/hosts/hicas/config.json
  • [URL] Runtime configuration and discovery – https://h5.hicas.tech/domain.json (used to retrieve additional runtime configuration)
  • [Package Name] Android identifier – com.apptool.hicash.newhicash (Google Play listing and APK package)
  • [Firebase Storage] Potential dynamic content/push infrastructure – hicas-37f6e.firebasestorage.app (observed inactive at the time of analysis but linked to FCM usage)
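The indicators above are of two different kinds: hicas.tech is actor-controlled, so any subdomain is suspicious, whereas the Alibaba OSS and Vercel hosts sit on shared platforms and only the exact host is meaningful. The following added example (not CYFIRMA's code) applies that distinction to constructed proxy-log lines and a constructed MDM app inventory; the log format and record fields are assumptions.

```python
"""Match the Hicas IoCs against constructed proxy and inventory data."""
from urllib.parse import urlparse

# Indicators copied from the IoC list. Subdomain matching is applied only to
# the actor-owned apex; shared-platform hosts must match exactly to avoid
# flagging unrelated aliyuncs.com / vercel.app / firebasestorage.app tenants.
ACTOR_APEX = {"hicas.tech"}
EXACT_HOSTS = {"in-h5.oss-ap-southeast-1.aliyuncs.com", "bksn515.vercel.app",
               "hicas-37f6e.firebasestorage.app"}
APK_SHA256 = {"0ac8f10afbc7f73f75ff732e9637846604b009f15b99cce9344ad94b49490844"}
PACKAGE = "com.apptool.hicash.newhicash"

# Constructed sample data (assumed format: "<timestamp> <client> <method> <url>").
SAMPLE_PROXY_LOG = """\
2025-01-10T09:12:01Z 10.0.0.5 GET https://h5.hicas.tech/domain.json
2025-01-10T09:12:02Z 10.0.0.5 GET https://cdn.hicas.tech/static/app.js
2025-01-10T09:12:03Z 10.0.0.7 GET https://example.vercel.app/index.html
2025-01-10T09:12:04Z 10.0.0.5 GET https://bksn515.vercel.app/hosts/hicas/config.json
2025-01-10T09:12:05Z 10.0.0.9 GET https://docs.aliyuncs.com/help
"""
SAMPLE_INVENTORY = [  # constructed MDM records; "deadbeef" is a placeholder hash
    {"device": "phone-01", "package": PACKAGE, "sha256": "deadbeef"},
    {"device": "phone-02", "package": "com.example.travel",
     "sha256": "0AC8F10AFBC7F73F75FF732E9637846604B009F15B99CCE9344AD94B49490844"},
    {"device": "phone-03", "package": "com.example.maps", "sha256": "00" * 32},
]

def host_matches(host):
    """True if host is an indicator, honouring the apex/exact distinction."""
    host = host.lower().rstrip(".")
    if host in EXACT_HOSTS:
        return True
    return any(host == apex or host.endswith("." + apex) for apex in ACTOR_APEX)

def scan_proxy_log(text):
    """Return (client, host) pairs whose destination host is an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname or ""
        if host_matches(host):
            hits.append((parts[1], host))
    return hits

def scan_inventory(records):
    """Return devices carrying the package name or the known APK hash."""
    return [r["device"] for r in records
            if r.get("package") == PACKAGE or r.get("sha256", "").lower() in APK_SHA256]
```

Hash comparison is case-insensitive because inventory tools differ in how they render SHA-256 digests.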

Read more: https://www.cyfirma.com/research/playcloak-a-play-store-distributed-travel-utility-covertly-operating-as-a-financial-fraud-and-cybercrime-platform/