SMiShing is a social engineering technique that tricks users into revealing sensitive information, which can then be used for nefarious purposes or simply to make money. It has become very popular among attackers because it costs them little and can be used to target many users at once. To reach their victims, attackers have started using free messaging apps as the medium. This blog gets into the nuances of one such SMiShing attack.

Recently, one of our colleagues received a WhatsApp SMiShing message about making money online, as shown in Figure 1.

Figure 1: Spam WhatsApp Message

Upon clicking the link shown in Figure 1, the user is redirected to a website, as shown in Figure 2. It prompts the user to download “EarnMoney_wa_3011.apk”, which is actually a malicious app.

Figure 2: Phishing Link for EarnMoney_wa_3011.apk

The “EarnMoney_wa_3011.apk” app installs under the name “Make Money”, as shown in Figure 3.

Figure 3: Make Money App Icon

Figure 4 shows the app image on the device after successful installation.

Figure 4: Make Money App

The app then proceeds to collect user information such as the mobile operator, country, SIM state, SIM serial number and voice mail number, as shown in Figure 5.

Figure 5: Code for Retrieving Mobile Network Details

The purpose of this app is to display ads, as shown in Figure 6.

Figure 6: Code for Ad Related Information

It then sends all the collected user information to the C2 server, as shown in Figure 7.

Figure 7: C2 Communication

For now, these apps are just ad scammers used for generating revenue.

We therefore recommend that users not trust such false messages and break the chain of spreading these fake apps. K7 users are protected from such scams. Users are advised to stay protected by installing “K7 Mobile Security” on their devices, keeping it updated, and regularly scanning their devices with it.

Indicators of Compromise (IoCs)

Package Name: EarnMoney_wa_3011.apk

Hash: d5310d119b1ae688315422b792fa6ae4

K7 Detection Name: Trojan ( 0001140e1 )
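
For defenders triaging a suspicious APK, the following added example (not code from the sample or from K7) checks a file against the hash above and looks in its DEX files for the telephony lookups described earlier. The mapping from the fields listed in this post to Android `TelephonyManager` getter names is an assumption, since the code in Figure 5 is not reproduced here, and the sample APK is constructed inline.

```python
import hashlib
import io
import zipfile

# IoC hash published in this post (MD5 of the sample).
IOC_MD5 = {"d5310d119b1ae688315422b792fa6ae4"}

# Assumption: TelephonyManager getters matching the fields the post lists.
TELEPHONY_GETTERS = {
    b"getNetworkOperatorName": "mobile operator",
    b"getNetworkCountryIso": "country",
    b"getSimState": "SIM state",
    b"getSimSerialNumber": "SIM serial number",
    b"getVoiceMailNumber": "voice mail number",
}

def triage_apk(apk_bytes):
    """Return (md5, ioc_match, telephony fields referenced in DEX or None)."""
    md5 = hashlib.md5(apk_bytes).hexdigest()
    fields = set()
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            for name in apk.namelist():
                # classes.dex, classes2.dex, ... carry the app's string table
                if name.startswith("classes") and name.endswith(".dex"):
                    dex = apk.read(name)
                    fields.update(label for needle, label
                                  in TELEPHONY_GETTERS.items() if needle in dex)
    except zipfile.BadZipFile:
        return md5, md5 in IOC_MD5, None  # not a valid APK container
    return md5, md5 in IOC_MD5, sorted(fields)

def build_sample_apk():
    """Constructed sample: a ZIP whose fake classes.dex holds three getter names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(
            [b"getSimSerialNumber", b"getVoiceMailNumber", b"getSimState"]))
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()

if __name__ == "__main__":
    md5, hit, fields = triage_apk(build_sample_apk())
    print(md5, "IoC match" if hit else "no IoC match", fields)
```

A plain string match only flags unobfuscated references; an empty result does not clear a file, and a hash mismatch only means it is not this exact sample.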
