COVID-19 has put India on the radar these days due to the increasing number of victims affected by the same. Due to the lockdown imposed by the government, most of the Indians have been asked to stay at and work from home. Due to this, most of them have to rely on their smartphones for their basic necessities as well. All this requires very good internet access and speed. Spammers are taking advantage of this and are attracting users by pretending to be offering free internet, when actually they would be generating revenue through advertisements displayed to the users who accept their offer. In this blog, we would be talking about such spam.
Some of our Android customers reported that Jiooffers.apk had been flagged as a malware by our K7 Mobile Security – Android product . Upon further investigation, it was seen that this app was installed from an external link received via SMS. Fake Jio apps have been seen in the wild for quite some time since mid 2019, but the fact that the Fake Jio URL and the malware APKs are still active and evolving is interesting to analyze.
These fake Jio apps spread via smishing messages that read “BREAKING NEWS!! Reliance Jio is giving free 25GB Data Daily for 3-Months Download the app now and Register to activate offer. Link: http[:]//tiny[.]cc/Jio”
When the user clicks on the link, the user is redirected to a website as shown in Figure 1, from where the user can download the fake Jio APK.
At the time of writing this blog, these apps were observed to do nothing more than displaying advertisements to the users and collecting their phone numbers. Let us get into the nuances of Jiooffers.apk. Once installed, the fake Jio app displays a message to the user and collects the victim’s phone number as shown in Figure 2.
Phone number entered by the victim is validated to be an active Jio user by submitting the phone number to the URL “https://www.jio.com/JioWebService/rest/JioRechargeService/submitNumber” and verifying the response from the URL.
This fake app further spreads by collecting the contact information from the victim’s device and forwarding a text message to all of the Jio numbers in the victim’s contact list after verifying if a contact from the list is a Jio number as shown in Figure 3.
With these contact details, this app then sends out smishing messages with a download link as shown in Figure 4.
As mentioned earlier, these fake apps are updated regularly and the recent fake app PrimePack_v2.apk available from “tiny.cc/JIO” carries the SMS message to be sent in 3DES encrypted format, which is decrypted and sent to Jio users in the contact list as shown in Figure 5 and the modus operandi being the same as in the previous cases.
These fake apps for now are just ad scammers which are used for generating revenue by spreading fake news about the internet availability at this critical time where work from home is under the spotlight for which the internet is the breath.
We recommend users to avoid believing in such false messages and break the chain in spreading these fake apps.
Indicators of Compromise (IoCs)
Package name | Hash | Detection Name |
JioOffers.apk | 8e2730011e46c2b132a1814ac21024ca | Trojan ( 0054ca651 ) |
PrimePack_v2.apk | B392D35E2EFF810193398A8B1148D7C6 | Trojan ( 005626f81 ) |