Beware: Malicious Android Malware Disguised as Government Alerts

Android devices are being targeted by an info‑stealer distributed via WhatsApp messages that impersonate traffic authorities and trick users into installing a malicious APK named “Vahan Parivahan.” Once installed, the app requests SMS/contacts/phone permissions, hides itself, harvests device, SIM, contact and SMS data, exfiltrates it to a Telegram bot, and sends SMS messages for billing fraud. #VahanParivahan #Android.SMSthief.A

Keypoints

  • Attack vector: phishing-style WhatsApp messages impersonating Pimpri‑Chinchwad and Chandigarh traffic police lure victims to download an APK named “Vahan Parivahan.”
  • Malicious APK details: app name VAHAN PARIVAHAN, package shd.ske, MD5 a5765ba70f06b2be056dc3df6270de32.
  • Permission abuse: requests dangerous permissions (SEND_SMS, READ_PHONE_STATE, RECEIVE_SMS, READ_CONTACTS) and asks to become the default SMS app to intercept messages.
  • Data collection: harvests device and SIM info (manufacturer, model, OS, battery, subscription details), device contacts, and received SMS content via a BroadcastReceiver.
  • Exfiltration and C2: collected data and files (e.g., Contacts.txt) are sent to a Telegram bot using the Telegram Bot API and a Firebase Realtime Database is used to retrieve SMS targets/messages.
  • Billing fraud: the app automatically sends SMS messages to numbers obtained from Firebase, causing unauthorized charges without user knowledge.
  • Detection and mitigation: Quick Heal detects variants as Android.SMSthief.A; users should avoid unknown links/APKs and restrict app permissions.

MITRE Techniques

  • [T1566.001] Spearphishing Link – Delivery via WhatsApp messages impersonating traffic authorities that include a link to download an APK (‘requests for the recipient to download an application called “Vahan Parivahan.”’).
  • [T1204.002] User Execution: Malicious File – The campaign relies on users downloading and installing a malicious APK to execute the payload (‘the linked APK file contains malicious software’).
  • [T1105] Ingress Tool Transfer – Transfer of the malicious APK to the device from a remote URL delivered through messages (‘request for the recipient to download an application… linked APK file’).
  • [T1056] Input Capture – Interception of incoming SMS by registering as the default SMS app and using a BroadcastReceiver to read sender and message body (‘it gains the capability to register a broadcast receiver… the malware extracts the sender information and the SMS body’).
  • [T1082] System Information Discovery – Collection of device and SIM details (manufacturer, model, OS version, subscriptions) from MainActivity for exfiltration (‘gather comprehensive device information… including the manufacturer, model number, Android OS version’).
  • [T1041] Exfiltration Over C2 Channel – Staged data (Contacts.txt, SMS, device/SIM info) sent out via Telegram Bot API to a controlled chat (‘sends the collected data to a Telegram bot using the Telegram API’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTPS APIs (Telegram API and Firebase Realtime DB) for command/data retrieval and exfiltration (‘https[:]//hookuptolookup-default-rtdb[.]firebaseio.com… https[:]//api[.]telegram[.]org/bot…/sendDocument’).

Indicators of Compromise

  • [File hash] Malicious APK – a5765ba70f06b2be056dc3df6270de32
  • [Package name] Malicious app identifier – shd.ske
  • [Telegram credentials] Exfiltration endpoint and bot – Bot ID 6915291812:AAEeu3kUcEshFc3LgD4x_9qw6bpKwwQy1tw, Chat ID 1002118750305
  • [URLs] C2 / infrastructure – https[:]//hookuptolookup-default-rtdb[.]firebaseio.com/-1002118750305/<message_thread_id>.json, https[:]//api[.]telegram[.]org/bot6915291812:AAEeu3kUcEshFc3LgD4x_9qw6bpKwwQy1tw/sendDocument (and sendMessage endpoint)

The technical procedure begins with social engineering: actors send WhatsApp messages resembling official traffic department alerts that include a download link for an APK named “Vahan Parivahan.” Once the APK is installed, it requests and obtains high-risk permissions (SEND_SMS, RECEIVE_SMS, READ_PHONE_STATE, READ_CONTACTS) and prompts to become the default SMS app so it can register BroadcastReceivers and intercept incoming messages.

After gaining permissions, the app hides its launcher icon and performs local data collection: it enumerates device/system information (manufacturer, model, Android version, battery status), enumerates active subscriptions/SIM details (subscription ID, carrier, phone number), and queries the Contacts content provider to extract contact IDs, display names and phone numbers. The onReceive logic processes SMS broadcast intents to extract sender and message body for further handling.

For command-and-control and exfiltration, the malware uses a Firebase Realtime Database to pull target numbers and message bodies and uses the Telegram Bot API to push collected artifacts (e.g., Contacts.txt) to an attacker-controlled chat. It also autonomously sends SMS messages to the numbers retrieved from Firebase, enabling billing fraud. Artifact identifiers include package shd.ske and MD5 a5765ba70f06b2be056dc3df6270de32; C2 and exfiltration endpoints include the listed Firebase and Telegram API URLs and the Telegram bot/chat IDs.
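The permission set and default-SMS-app behaviour described above are static traits that a defender can check before an APK ever runs. The following triage script is an added example, not code from the Quick Heal write-up or from the malware: it parses a decoded AndroidManifest.xml, reports the risky permissions the page lists, lists receivers wired to SMS broadcasts, and applies a simple heuristic (handling both SMS_DELIVER and SENDTO) for an app positioning itself as the default SMS app. The manifest and package name `com.example.constructed` are constructed samples, and the risk score is an illustrative weighting, not a Quick Heal metric.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions the write-up reports the "Vahan Parivahan" sample requesting
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS",
}
SMS_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED",
               "android.provider.Telephony.SMS_DELIVER"}

def _actions(component):
    return {a.get(A + "name") for a in component.iter("action")}

def triage_manifest(manifest_xml: str) -> dict:
    """Return SMS-stealer traits found in a manifest plus an illustrative risk score."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    risky = sorted(requested & RISKY_PERMISSIONS)
    # Receivers listening for SMS broadcasts: the interception hook described in the text
    sms_receivers = [r.get(A + "name") for r in root.iter("receiver")
                     if _actions(r) & SMS_ACTIONS]
    # Heuristic (subset of Android's full default-SMS-app requirements): an app that
    # handles SMS_DELIVER and SENDTO can be offered to the user as the default SMS app
    all_actions = _actions(root)
    default_sms = ("android.provider.Telephony.SMS_DELIVER" in all_actions
                   and "android.intent.action.SENDTO" in all_actions)
    score = len(risky) + len(sms_receivers) + (2 if default_sms else 0)
    return {"package": root.get("package"), "risky_permissions": risky,
            "sms_receivers": sms_receivers, "default_sms_candidate": default_sms,
            "risk_score": score}

# Constructed sample manifest mimicking the traits in the write-up (not the real APK)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

To run it against a real sample, decode the APK's binary manifest first (for example with apktool) and pass the resulting XML text to `triage_manifest`.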

Read more: https://blogs.quickheal.com/beware-malicious-android-malware-disguised-as-government-alerts/