In the recent past, we came across several Android malware incidents wherein Indian banking users were being deceived promising rewards for their cards. Recently, we came across a tweet that pointed to a Phishing URL which, on click, downloads an Android application, targeting users of another Indian bank.
Phishing URL is shown in Figure 1.
Clicking on the button, “Download application”, it downloads an APK, “HDFC_Credit_Card.apk” (packagename : com.credit.hdfccredit).
When installed HDFC_Credit_Card.apk takes the label “HDFC Credit Card” and the bank’s logo as shown in Figure 2.
This app collects user data like credit card details, email address, phone number, etc., along with the minimal required permissions (no other permissions requested/registered dynamically) to:
Also, this app has registered a receiver in AndroidManifest.xml, “com.credit.hdfccredit.SmsRec” with the permission “android.permission.BROADCAST_SMS” and attribute “exported:true” that raises the suspicion that another linked malicious app could use this HDFC_Credit_Card.apk for data exfiltration as shown in Figure 3.
Let’s now begin the app analysis.
After installation when the user launches the app, it collects the information and saves in the shared preferences as shown in Figure 4.
Once the user feeds in the data, it displays a timer screen that encourages the user to “Redeem Point in Cash Or Voucher after time out” as shown in Figure 5.
As aforementioned, this app’s registered receiver class, “com.credit.hdfccredit.SmsRec” is triggered whenever there is a broadcast for a new SMS received.
During the attempt of collecting the user information, the app confirms that it has the permission to “android.permission.RECEIVE_SMS”. Once confirmed it invokes the service “SmsProcessService” which in turn registers the “com.credit.hdfccredit.SmsRec” class again as shown in Figure 6 and Figure 7.
Once registering the receiver “SmsRec” class is done (apart from the initial registration in AndroidManifest.xml), in the event of any new SMS received, the sms content including the phone number and message body is saved in the shared preferences as shown in Figure 8.
As highlighted in the Figure 8, once the SMS content is successfully saved as per the defined data model, the app redirects the user to the link, “hxxp://updateyourcard.in/” which is the phishing page that we visited in the beginning.
This goes to show that Phishing links are still relevant as an infector vector and asusers we need to be vigilant before giving away any information online and cross-verify with the financial institution, if any bank related details are to be shared.
Package Name: com.credit.hdfccredit
K7 Detection Name: Trojan ( 0001140e1 )