As always, hackers take every available road to reach their destination. With oxygen supply scarcity and staying safe being the latest news in this Covid-19 pandemic, hackers have now taken this route to spread fake oximeter apps and lure victims into installing an Android Banking Trojan. 

These fake oximeter apps target Indian users; let us see how one such app works. 

Analysing one of the fake oximeter apps, “Oximeter O2”, revealed that this app 

  • Masquerades as a blood oxygen saturation level checker app 
  • Spreads via SMS and WhatsApp by spamming out a malicious link to the members of the victim's contact list: hxxps[://mega[.nz/file/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g 
  • Specifically targets Indian users, as it prepends “+91” to the numbers in the contact list to verify whether the contact has WhatsApp installed
  • Downloads the sample “Oxygen Saturation Checker.apk” from the above link, which is the Anubis Banking Trojan for Android 

Once installed, the “Oximeter O2” app looks as shown in Figures 1 & 2.

Figure 1: Oximeter O2 app in the app drawer
Figure 2: Permissions requested by the fake app

When launched, it brings up the WhatsApp media forward screen and informs the victim that the contact (taken from the victim’s contact list) is not on WhatsApp, prompting the victim to add the contact, as shown in Figure 3. 

Figure 3: Fake app’s request to add the contact to WhatsApp

It is to be noted from Figure 3 that it prepends “+91” to the numbers in the contact list to confirm whether the contact is on WhatsApp, indicating that this fake app targets Indian users. 

However, if the contact is added to WhatsApp or is already present on WhatsApp, it forwards the same download link, as shown in Figure 4. 

Figure 4: Malicious link sent to the WhatsApp contacts

If the contact is not on WhatsApp, it instead sends an SMS containing the malicious link to download the same app, as shown in Figure 5. 

Figure 5: Malicious link sent via SMS

Downloaded Banking Trojan

When the downloaded sample “Oxygen Saturation Checker.apk” is executed, it installs as “COVID-19 DESTEK”, as shown in Figure 6.

Figure 6: COVID-19 DESTEK

It then asks for a set of permissions to 

  • send and view SMS
  • make calls
  • fetch location information
  • read contacts 
  • access external storage 

and other capabilities as listed below to 

  • record audio
  • full network access
  • retrieve and kill running apps
  • close other apps
  • run at startup

Figure 7: Permissions and other capabilities requested by the payload (Banking Trojan)
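The permission set above is the tell: a blood-oxygen reader has no business sending SMS, reading contacts or starting at boot. The following added example (our own code, not part of the original post or of any K7 product) shows how a defender can turn that observation into a triage rule. It parses the decoded AndroidManifest.xml of an APK (as produced by apktool, for instance), maps the capabilities listed in the post to the standard Android permission names that grant them (that mapping is our assumption, not something the post states), and raises the verdict when the SMS-plus-contacts self-propagation combination or the SMS-plus-boot persistence combination appears. The manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the post lists for the "COVID-19 DESTEK" payload, mapped to the
# Android permissions that grant them (mapping assumed by us, not from the post).
SUSPICIOUS = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "view SMS",
    "android.permission.RECEIVE_SMS": "view SMS",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "fetch location information",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "access external storage",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.INTERNET": "full network access",
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.KILL_BACKGROUND_PROCESSES": "close other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}

# What a genuine fingertip/camera or Bluetooth oximeter app could plausibly need
# (our assumption); these are not counted against the app.
EXPECTED_FOR_OXIMETER = {
    "android.permission.CAMERA",
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.INTERNET",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def assess(manifest_xml):
    """Score a manifest: 'low', 'medium' or 'high' with the reasons behind it."""
    perms = requested_permissions(manifest_xml)
    flagged = sorted(p for p in perms if p in SUSPICIOUS and p not in EXPECTED_FOR_OXIMETER)
    # SMS + contacts is exactly the spreading kit the post describes for Oximeter O2.
    can_spread = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms
    # SMS access that survives a reboot is the classic OTP-stealing banking trojan shape.
    persists = "android.permission.RECEIVE_BOOT_COMPLETED" in perms and bool(
        {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & perms)
    verdict = "high" if (can_spread or persists) else ("medium" if flagged else "low")
    return {
        "verdict": verdict,
        "flagged": flagged,
        "reasons": sorted({SUSPICIOUS[p] for p in flagged}),
        "can_spread": can_spread,
        "persists": persists,
    }


def _manifest(package, *perms):
    """Build a minimal decoded manifest for the constructed samples below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">%s</manifest>'
            % (ANDROID_NS, package, uses))


# Constructed sample: the permission set the post attributes to the payload.
FAKE_MANIFEST = _manifest("com.example.fakeoximeter", *SUSPICIOUS)
# Constructed sample: a camera-based oximeter that only talks to the network.
BENIGN_MANIFEST = _manifest("com.example.realoximeter",
                            "android.permission.CAMERA", "android.permission.INTERNET")
# Constructed sample: contacts without SMS, suspicious but not self-propagating.
GREY_MANIFEST = _manifest("com.example.greyoximeter",
                          "android.permission.CAMERA", "android.permission.READ_CONTACTS")

if __name__ == "__main__":
    for name, xml in (("fake", FAKE_MANIFEST), ("benign", BENIGN_MANIFEST), ("grey", GREY_MANIFEST)):
        result = assess(xml)
        print("%-6s %-6s %s" % (name, result["verdict"], ", ".join(result["reasons"])))
```

Run against a decoded manifest by reading the file into a string and calling assess(); the verdict is a triage hint for an analyst, not a replacement for a full scan, since a malicious app can also request fewer permissions at install time and ask for the rest later.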

Like any other Banking Trojan, this malware steals banking credentials and OTP SMSes and forwards them to the hacker. For further reading on Banking Trojans, please refer to our previous blog post.

Recently, we have been witnessing an increased number of attacks via SMS or WhatsApp messages carrying links that target Indian users. We strongly recommend that users do not click these links and do not download apps from any source or URL other than the official Google Play Store. We also recommend that our readers install reputable security software like K7 Mobile Security to stay safe against such attacks.

Indicators Of Compromise (IOCs)

Downloader samples

App Name    | Package Name                   | MD5                              | K7 Detection Name
Oximeter O2 | com.body.saturation.oximetero2 | 84684e063b664aa2d1b8c5441d1fb1b9 | Trojan ( 0001140e1 )
Oximeter-H  | com.vphealthy.oximeter         | 408373dab2fc8d72f58a0b2aa468a1c8 | Trojan ( 0053576b1 )
OXI tracker | com.blt.oximeter               | acd1ef25823bbfee1162489c54df4c46 | Adware ( 0052d5ec1 )

Downloaded file

App Name        | Package Name         | MD5                              | K7 Detection Name
COVID-19 DESTEK | jnised.vpudbr.ifxvyx | 7f62b553f3d9a9e28d7831d83eb06663 | Trojan ( 005768471 )
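To make the IOCs above actionable, here is an added example (our own code, not from the original post or from K7) that checks a device's installed packages against them. It parses the output of `adb shell pm list packages -f` (the "package:<apk path>=<package name>" format), then matches each entry on the package name or on the APK's MD5 as obtained with `adb shell md5sum <path>` or by hashing a pulled file locally. Matching on the hash as well matters because the payload's package name, jnised.vpudbr.ifxvyx, looks machine-generated and is likely to differ between builds. The pm output and the digest table below are constructed samples; the one digest that matches is simply the COVID-19 DESTEK MD5 from the table, placed under a different package name to show the hash path.

```python
import hashlib
import re

# IOCs exactly as listed in the post: package -> (app name, MD5, K7 detection name).
IOCS = {
    "com.body.saturation.oximetero2": ("Oximeter O2", "84684e063b664aa2d1b8c5441d1fb1b9", "Trojan ( 0001140e1 )"),
    "com.vphealthy.oximeter": ("Oximeter-H", "408373dab2fc8d72f58a0b2aa468a1c8", "Trojan ( 0053576b1 )"),
    "com.blt.oximeter": ("OXI tracker", "acd1ef25823bbfee1162489c54df4c46", "Adware ( 0052d5ec1 )"),
    "jnised.vpudbr.ifxvyx": ("COVID-19 DESTEK", "7f62b553f3d9a9e28d7831d83eb06663", "Trojan ( 005768471 )"),
}
IOC_BY_MD5 = {md5: pkg for pkg, (_, md5, _) in IOCS.items()}

# `pm list packages -f` prints one "package:<path>=<name>" line per installed app.
PM_LINE = re.compile(r"^package:(?P<path>\S+\.apk)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output):
    """Return [(package_name, apk_path), ...] from `adb shell pm list packages -f` output."""
    entries = []
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            entries.append((m.group("pkg"), m.group("path")))
    return entries


def md5_hex(data):
    """MD5 of a pulled APK's bytes, in the lowercase hex form used by the IOC table."""
    return hashlib.md5(data).hexdigest()


def scan(entries, digest_by_path):
    """Match each installed package against the IOCs by name first, then by APK MD5.

    digest_by_path maps an APK path to its MD5 (e.g. from `adb shell md5sum`);
    entries without a known digest are still checked by package name.
    """
    findings = []
    for pkg, path in entries:
        digest = (digest_by_path.get(path) or "").lower()
        hit = None
        if pkg in IOCS:
            hit, matched_on = IOCS[pkg], "package"
        elif digest in IOC_BY_MD5:
            hit, matched_on = IOCS[IOC_BY_MD5[digest]], "md5"
        if hit:
            app_name, md5, detection = hit
            findings.append({"package": pkg, "path": path, "matched_on": matched_on,
                             "app_name": app_name, "ioc_md5": md5, "detection": detection})
    return findings


# Constructed sample output of `adb shell pm list packages -f`.
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.blt.oximeter-1/base.apk=com.blt.oximeter
package:/data/app/com.example.healthcheck-1/base.apk=com.example.healthcheck
package:/system/app/Calendar/Calendar.apk=com.android.calendar
"""

# Constructed digests: the first is a made-up value, the second reuses the
# COVID-19 DESTEK MD5 from the IOC table to exercise the hash match.
SAMPLE_DIGESTS = {
    "/data/app/com.blt.oximeter-1/base.apk": "00000000000000000000000000000000",
    "/data/app/com.example.healthcheck-1/base.apk": "7f62b553f3d9a9e28d7831d83eb06663",
}

if __name__ == "__main__":
    for f in scan(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_DIGESTS):
        print("%s matched on %s -> %s [%s]" % (f["package"], f["matched_on"], f["app_name"], f["detection"]))
```

A hit on either key is grounds for removing the app and checking the device's SMS and WhatsApp history for the link above, since an infected device will already have forwarded it to its contacts.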
