MA-973.092023: MyCERT Advisory - APT36 (Transparent Tribe) Exploiting Android Devices via YouTube App Clones

  • 24 Sep 2023
  • Advisory
  • android, rat, trojan, youtube, mobile, malware

1.0 Introduction

Recently, MyCERT has become aware of a new campaign by the APT36 hacking group, also known as 'Transparent Tribe', targeting Android users in India and Pakistan with cloned YouTube applications.

The cloned YouTube apps are used to infect devices with the group's signature remote access trojan (RAT), 'CapraRAT'. Once the malware is installed on a victim's device, it can harvest data, record audio and video, and access sensitive communications, essentially operating as a spyware tool.

The malicious APKs are distributed outside Google Play, Android's official app store, so the victims are most likely socially engineered to download and install them.

The APKs were uploaded to VirusTotal in April, July, and August 2023, with two of them being called 'YouTube' and one 'Piya Sharma' associated with the channel of a persona likely used in romance-based tactics.

Figure 1: The interface of the malicious apps attempts to imitate Google's real YouTube app, but it resembles a web browser rather than the native app because the trojanized app loads the service in a WebView. It also lacks several of the features available on the actual platform.

2.0 Impact
Once the CapraRAT is up and running on the device, it performs the following actions:

  • Recording with the microphone, front & rear cameras
  • Collecting SMS and multimedia message contents, call logs
  • Sending SMS messages, blocking incoming SMS
  • Initiating phone calls
  • Taking screen captures
  • Overriding system settings such as GPS & Network
  • Modifying files on the phone's filesystem

Figure 2: Screenshot taken during installation. The malicious apps request numerous risky permissions, some of which a victim might grant without suspicion to a media-streaming app such as YouTube.

3.0 Affected Products
Android mobile devices

4.0 Recommendations
To protect your personal data and privacy, it is imperative that you take the following actions immediately:

  • Avoid Third-party App Stores: Download apps only from trusted sources, such as Google Play, to minimize the risk of downloading malicious applications.
  • Verify App Permissions: Review the permissions requested by an app during installation. Be cautious if an app requests unnecessary permissions.
  • Keep Software Updated: Ensure your Android device's operating system and apps are up-to-date with the latest security patches.
  • Security Software: Install reputable antivirus or anti-malware software to detect and remove threats on your Android device.
  • Regular Backups: Regularly back up your data to prevent data loss in case of an attack.
  • Exercise Caution: Be vigilant when downloading apps, especially if they are outside of official app stores. Avoid clicking on suspicious links or downloading attachments from unknown sources.

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References

https://www.bleepingcomputer.com/news/security/apt36-state-hackers-infect-android-devices-using-youtube-app-clones/
https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html
https://www.linkedin.com/pulse/transparent-tribe-utilizes-counterfeit-android-youtube?trk=article-ssr-frontend-pulse_more-articles_related-content-card
https://www.securityweek.com/pakistani-apt-uses-youtube-mimicking-rat-to-spy-on-android-devices/

MA-951.062023: MyCERT Alert - WhatsappPink Malicious Fake Update Message

  • 13 Jul 2023
  • Alert
  • whatsapp, pink, malware, sms, android

1.0 Introduction

Recently, MyCERT has become aware of a malware campaign targeting Android users through messages circulating on WhatsApp and other major messaging platforms that promise a new colour theme for WhatsApp.

Disguised as an official update for the chat app, the “WhatsApp Pink” theme is in reality a variant of wormable malware that spreads through WhatsApp and lures prospective victims into downloading an app from a website masquerading as Google Play.

WhatsApp Pink is an updated version of the WhatsApp auto-reply worm that surfaced in January 2021. It seems to have been first spotted in India, where it was shared in various massive chat groups on popular instant messaging services. The Trojan’s updated version doesn’t auto-reply just to WhatsApp messages, but also to messages received on other instant messaging apps, which could be the reason for its apparent wider spread.

Figure 1: Screenshot from WhatsApp message stating “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp”. Upon clicking the link, WhatsappPink.apk is downloaded.

2.0 Impact
The Trojan, detected by ESET products as Android/Spams.V, automatically replies to messages received in apps such as WhatsApp, WhatsApp Business, Signal, Skype, Viber, Telegram and various unofficial third-party versions of WhatsApp, with a link to a website from which the Trojan itself can be downloaded.

In general, below are some possible impacts of installing unofficial applications on your devices:

  • Misuse of contact numbers and pictures saved on the mobile device
  • Financial loss
  • Misuse of your credentials
  • Loss of control over your mobile device
  • Spam messages

3.0 Affected System and Devices
Android mobile devices.

4.0 Technical Details
Installing the downloaded APK did not show any visible suspicious behaviour, but static analysis of the app showed that it looks for notifications from a predefined list of applications, including Viber, Telegram, WhatsApp, Skype and others, and auto-responds to the sender with the reply “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp” so that they download the app, spreading like a worm. The link in the message was down at the time of writing this alert.

The predefined list of chat apps is as shown in Figure 2. 

Figure 2: Apps list hardcoded in the fake app

Chat apps in the list are: 

  • com.viber.voip
  • com.skype.raider
  • com.skype.insiders
  • org.thoughtcrime.securesms
  • com.whatsapp.w4b
  • com.whatsapp
  • org.telegram.messenger
  • com.gbwhatsapp
  • com.whatsapp.plus
  • com.og.whatsapp
  • com.yowhatsapp
  • com.retro.whatsweb
  • com.FmWhatsApp

The app also confirms that it has permission to listen to notifications, either by verifying that it is listed under “enabled_notification_listeners” or by requesting the permission, as shown in Figure 3 and Figure 4.

Figure 3: Verification of notification listener permission


Figure 4: Request for notification listener permission

Once the service is listed under notification listeners, it starts and keeps monitoring for any posted notification. When a notification is posted, the app checks whether it belongs to one of the apps in the predefined list. If so, it collects the sender's phone number, as shown in Figure 5.

Figure 5: Collecting the phone number from notifications

It then auto-responds to that phone number using sendReply, as shown in Figure 6.

Figure 6: Sending auto reply to the notifications

Random_Message is the string variable that carries the message and the link to download the malicious WhatsApp app.

We also noted that the malware author has not suppressed notifications or messages from those chat apps; the spam message sent automatically through the notification reply is visible to the user in the sender's chat screen. This suggests that the app may still be under development, or that this is only the start of an attack, since the app only auto-replies to notifications and no other malicious activity had been identified at the time of writing.

This attack may not sound new; however, users keep falling prey to such attacks out of curiosity and eagerness to be among the first to try something trendy.
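The behaviour described in section 4.0 (a service bound with the notification-listener permission, a check for enabled_notification_listeners, a hardcoded chat-app package list and a link pushed back out through the reply) can be turned into a static triage heuristic for decoded APKs. The script below is an added example, not MyCERT's or ESET's code: it assumes the APK was decoded beforehand (e.g. with apktool) into AndroidManifest.xml plus a dump of string constants, and the manifest, the package name com.example.pinktheme, the URL and the scoring thresholds are constructed placeholders.

```python
"""Static triage for the notification-listener auto-reply worm pattern.

Added example, not MyCERT's or ESET's code. It assumes the APK has been
decoded beforehand (e.g. with apktool) into AndroidManifest.xml plus a
dump of its string constants; both inputs below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# Chat-app package names the alert reports as hardcoded in the fake app
TARGETED_CHAT_APPS = {
    "com.viber.voip", "com.skype.raider", "com.skype.insiders",
    "org.thoughtcrime.securesms", "com.whatsapp.w4b", "com.whatsapp",
    "org.telegram.messenger", "com.gbwhatsapp", "com.whatsapp.plus",
    "com.og.whatsapp", "com.yowhatsapp", "com.retro.whatsweb",
    "com.FmWhatsApp",
}
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def notification_listener_services(manifest_xml: str) -> list:
    """Names of services bound with the listener permission whose intent
    filter declares the NotificationListenerService action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        if svc.get(A + "permission") != LISTENER_PERMISSION:
            continue
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if LISTENER_ACTION in actions:
            found.append(svc.get(A + "name"))
    return found


def triage(manifest_xml: str, strings: list) -> dict:
    """Combine manifest and string evidence into a heuristic verdict.

    A listener alone is normal (wearable companions, automation apps);
    the worm pattern is listener + hardcoded chat packages + a link to
    push back out through the reply action. Thresholds are assumptions.
    """
    listeners = notification_listener_services(manifest_xml)
    targeted = sorted(s for s in strings if s in TARGETED_CHAT_APPS)
    checks_setting = any("enabled_notification_listeners" in s for s in strings)
    urls = [u for s in strings for u in URL_RE.findall(s)]
    score = 0
    if listeners:
        score += 2
    if checks_setting:
        score += 1
    if len(targeted) >= 3:
        score += 3
    if listeners and urls:
        score += 1
    verdict = "likely auto-reply worm" if score >= 5 else "no strong indicators"
    return {"score": score, "verdict": verdict, "listeners": listeners,
            "targeted_chat_apps": targeted, "urls": urls}


# --- constructed sample input; package name and URL are placeholders ---
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pinktheme">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="WhatsApp Pink">
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_STRINGS = [
    "enabled_notification_listeners",
    "com.whatsapp", "com.whatsapp.w4b", "org.telegram.messenger",
    "com.viber.voip", "com.skype.raider",
    "New Pink Look Whatsapp Officially Launched, try: http://example.invalid/?whatsapp",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The package-name list is taken from Figure 2 above; everything else in the sample input is made up for the demonstration.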

5.0 Indicators Of Compromise (IOCs)

File Name         Hash                              K7 Detection Name
WhatsappPInk.apk  9a902d186c948e72af6b269862c27055  Trojan ( 0057b1c11 )
WhatsappPInk.apk  e1870d613d54239e8fb5f09b6a4e880d  Trojan ( 0057b20e1 )
WhatsappPInk.apk  90cfcde60b6cd57a2e9b2047cff51fb7  Trojan ( 0057b20e1 )

URLs

hxxp[://lookpink.xyz/?whatsapp
hxxp[://whatsapp.profileviewz.com/?whatsapp
hxxp[://whatsapp.wwwy.xyz/?pinklook

6.0 Recommendations
If you downloaded “WhatsApp Pink”, you can remove it either through Settings and the App Manager submenu or by installing a full-featured Android security solution that will scan your device and remove it automatically.

By way of prevention, there are several steps you can take to mitigate the chances of falling victim to similar schemes in the future:

  • Never click on links or attachments that you received via an unsolicited message or from someone you don’t know
  • Only download apps from official app stores, since they have rigorous approval processes in place
  • Always use a reputable mobile security solution
  • Be wary of what kinds of permissions you grant to applications

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


7.0 References

MA-840.062022: MyCERT Alert - SMSSpy Campaign to Steal the Personal Banking Information of Malaysian Internet Users

  • 10 Jun 2022
  • Alert
  • SMSSpy, android, malicious apk, LEA, cleaning

1.0 Introduction
MyCERT's observations found that cybercriminals have exploited malicious Android applications in an SMSSpy campaign targeting internet users in Malaysia, through two campaigns. In the first campaign, the method used is impersonating Law Enforcement Agencies (LEA) and regulatory bodies. The victim receives a phone call from the 'LEA' informing them that their company has outstanding financial arrears or that they are involved in a crime, for which the victim's financial accounts will be frozen. The victim is then required to pay a sum of money to cancel the freeze and is instructed to download a malicious Android application to complete the payment process.

In the second campaign, the perpetrators attempt to steal the victim's personal banking information through fake websites impersonating the sites of legitimate service providers. The perpetrators also use Facebook adverts to persuade potential victims to download the Android malware from the fake websites. Investigation found eight websites impersonating service providers, all operating only in Malaysia: seven of them, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy, MaidACall and MyMaidKL, are cleaning services, and the eighth is the pet store PetsMore. To deceive potential victims, the perpetrators built the fake websites under domain names closely resembling those of the legitimate services.

2.0 Impact
Loss of money from the victim's bank account and theft of the victim's personal information.

3.0 Affected Systems and Devices
Android.

4.0 Other Related Alerts and Advisories
The following previously issued Alerts and Advisories related to the SMSSpy campaign are included for internet users' reference:

MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK

5.0 Indicators of Compromise (IoC)
Table 1: List of indicators of compromise for the campaign targeting Law Enforcement.


Table 2: List of indicators of compromise for the campaign targeting cleaning services – IP addresses.


Table 3: List of indicators of compromise for the campaign targeting cleaning services – hash values and domains.


6.0 Recommendations
This application is intended to obtain information stored on the victim's mobile phone that can be used for other malicious purposes. MyCERT therefore recommends the following precautions (best practices):

• Verify the application's access permissions and its owner or publisher before installing it on your mobile phone. Internet users may refer to Cyber999 for information on the legitimacy or authenticity of a mobile application.
• Avoid sideloading (installing applications from unofficial sources) where possible. If you need to install Android software from a source other than a trusted one, make sure it comes from a reputable and trustworthy source. Internet users may refer to Cyber999 for information on the legitimacy or authenticity of a mobile application.
• Do not click on adware or suspicious URLs sent via SMS and messaging services. Internet users may report such adware or URLs to Cyber999 for further action.
• Malicious software can be bundled with software of unverified authenticity downloaded from the internet, to collect user information without their knowledge.
• Always use reputable anti-virus software on your smartphone/mobile device and keep it up to date.
• Always update the operating system and applications on your smartphone/tablet, including the web browser, to avoid exploitation of vulnerabilities present in older software versions.
• Do not root or 'jailbreak' your phone.
• Contact the relevant authorities such as Cyber999 for any enquiries and assistance needed regarding this threat.
• Android users should download the MyCERT - MASSA application from the Google Play Store to detect and remove malicious code and sideloaded software.

In general, MyCERT advises users to update their devices in line with the latest security announcements from the vendor and to follow security-policy best practices to ensure that only up-to-date software is used.


7.0 References

  1. MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
    https://www.mycert.org.my/portal/advisory?id=MA-790.072020
  2. MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-690.122017
  3. MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
    https://www.mycert.org.my/portal/advisory?id=MA-695.012018
  4. MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-694.012018
  5. https://www.virustotal.com/gui/ip-address/139.162.61.96/relations
  6. https://www.virustotal.com/gui/file/fc9d34436b4711d6f586903d07a99b089ca5aa61f931febd57abba9a7135d98d/relations
  7. https://twitter.com/esetresearch/status/1526440685460672512?s=24&t=xveoIxTaZLIdhpnzy-YSag
  8. https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
  9. https://play.google.com/store/apps/details?id=mycert.ctrc.massalite

MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential

  • 07 Jun 2022
  • Alert
  • SMSSpy, android, malicious apk, LEA, cleaning

1.0 Introduction
MyCERT observed that cybercriminals have exploited a malicious Android application in an SMSSpy campaign targeting internet users in Malaysia. The first campaign uses Law Enforcement Agencies (LEA) and regulators as its theme. The target victim receives a phone call from the 'LEA' informing them that they have arrears for their company or are the subject of a crime, and that their financial account needs to be frozen. The victim is told to pay a sum of money to unfreeze the account and is instructed to download a malicious Android application to complete the payment process.

In the second campaign, threat actors attempt to steal financial credentials using fake websites that pose as legitimate services, often outright replicating the original. Threat actors employ Facebook adverts to persuade potential victims to download Android malware from these malicious websites. All eight websites impersonated services operating only in Malaysia: seven of them, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy, MaidACall and MyMaidKL, provide cleaning services, and the eighth, PetsMore, is a pet store. To tempt potential victims, threat actors set up these websites under domain names similar to those of the services they impersonate.

2.0 Impact
Financial loss and disclosure of personal information.

3.0 Affected System and Devices
Android.

4.0 Other Related Alerts and Advisories
Below are references to similar incidents:
MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK

5.0 Indicators of Compromise
Table 1: List of indicators of compromise for the LEA campaign


Table 2: List of indicators of compromise for the cleaning services campaign – IP addresses


Table 3: List of indicators of compromise for the cleaning services campaign – hash values and domains


6.0 Recommendations
The application is meant to retrieve information from the victim's phone, which could be used for other malicious purposes. As a CERT, we highly recommend the following:

• Verify an application's permissions and its author or publisher before installing it.
• Avoid sideloading (installing from non-official sources) when you can. If you do need to install Android software from a source other than the trusted marketplace, be sure that it comes from a reputable source.
• Do not click on adware or suspicious URLs sent through SMS/messaging services.
• Malicious programs can be bundled with unverified downloads to collect users' information without their knowledge.
• Always run a reputable anti-virus on your smartphone/mobile devices and keep it up to date.
• Update the operating system and applications on your smartphone/tablet, including the browser, to avoid exploitation of security holes in outdated versions.
• Do not root or 'jailbreak' your phone.
• Contact relevant authorities such as Cyber999 for any enquiries and assistance needed in relation to this threat.

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


7.0 References

  1. MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
    https://www.mycert.org.my/portal/advisory?id=MA-790.072020
  2. MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-690.122017
  3. MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
    https://www.mycert.org.my/portal/advisory?id=MA-695.012018
  4. MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
    https://www.mycert.org.my/portal/advisory?id=MA-694.012018
  5. https://www.virustotal.com/gui/ip-address/139.162.61.96/relations
  6. https://www.virustotal.com/gui/file/fc9d34436b4711d6f586903d07a99b089ca5aa61f931febd57abba9a7135d98d/relations
  7. https://twitter.com/esetresearch/status/1526440685460672512?s=24&t=xveoIxTaZLIdhpnzy-YSag
  8. https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
  9. https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html

MA-797.122020: MyCERT Alert - Misuse of Personal Data by Unlicensed Online Loan Provider

  • 28 Dec 2020
  • Alert
  • Scam, Android, JPDP, Unlicensed Online Illegal Loan, Harassment, Personal Data

1.0 Introduction

On 29 November 2020, Jabatan Perlindungan Data Peribadi (JPDP) released a press statement on receiving multiple reports of unlicensed online loan providers collecting and misusing personal data through mobile loan applications. In cooperation with JPDP, CyberSecurity Malaysia (CSM) and Suruhanjaya Komunikasi dan Multimedia (SKMM), an investigation paper was opened under Section 5 of the Akta Perlindungan Data Peribadi (Personal Data Protection Act, PDPA) on several online mobile loan applications operated by unlicensed online loan providers.

2.0 Impact

These providers access, copy and illegally retain personal data belonging to debtors, including unnecessary information, collected through the mobile loan applications without the debtor's consent.

The collected data may later be used for harassment. The mobile loan applications identified in the Google Play Store are as follows (01/12/2020):

  • iCredit App - mobileloan.mobile.loan
  • iPinjaman - mobileloan.mobile.loan
  • InRushTime Pte Ltd - com.ipayfren
  • FastCash2U Pte Ltd - com.gocash4u
  • SecureLend2U Pte Ltd - com.dreamlend
  • Ezy-Loan Pte Ltd - com.helplend2u
  • A-Lend - com.asialend

3.0 Malicious Functionality

Analysis of the mobile loan applications released by these loan providers found that they have invasive and extensive features that can violate victims' privacy and personal data, such as:

  • In-application activity recording.
  • Parsing and uploading contact information from the smartphone.
  • Parsing and uploading call log history from the smartphone.
  • Acquiring the smartphone's GPS location.
  • Acquiring the smartphone's network information.
  • Getting the photo count in the camera folder.
  • Uniquely fingerprinting the smartphone.

Other than that, below is the supplementary information collected from the victims for the loan application:

  • Personal information.
  • Bank account information.
  • Social media account information, such as the Facebook account name.
  • Supporting documents such as a copy of a bank statement, payslip, identification card and utility bill, an applicant photo and an applicant selfie video.
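A responder who has a suspect handset on the bench can check it against the package identifiers in section 2.0 and the data sources in section 3.0. The script below is an added example, not MyCERT's or JPDP's code: it parses the text printed by adb shell pm list packages -3 and adb shell dumpsys package <pkg>, the outputs embedded in it are constructed samples in that format so it runs offline, and the mapping from each listed capability to an Android runtime permission is an assumption.

```python
"""Device-side audit for the loan apps named in this alert.

Added example, not MyCERT's or JPDP's code. It parses the text printed by
`adb shell pm list packages -3` and `adb shell dumpsys package <pkg>`;
the outputs embedded below are constructed samples in that format so
the script runs offline. The permission-to-data mapping is an assumption
about how the capabilities in section 3.0 are obtained.
"""
import re

# Package identifiers listed in section 2.0 of the alert
LOAN_APP_PACKAGES = {
    "mobileloan.mobile.loan", "com.ipayfren", "com.gocash4u",
    "com.dreamlend", "com.helplend2u", "com.asialend",
}

# Runtime permissions assumed to sit behind the data collection in 3.0
PRIVACY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "upload of contact list",
    "android.permission.READ_CALL_LOG": "upload of call log history",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_EXTERNAL_STORAGE": "photo count in camera folder",
    "android.permission.READ_PHONE_STATE": "device fingerprinting",
}
# Matches lines such as "android.permission.READ_CONTACTS: granted=true, ..."
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)",
                     re.MULTILINE)


def installed_loan_apps(pm_list_output: str) -> list:
    """Packages from the alert's list present in `pm list packages` output."""
    installed = {line.split(":", 1)[1].strip()
                 for line in pm_list_output.splitlines()
                 if line.startswith("package:")}
    return sorted(installed & LOAN_APP_PACKAGES)


def granted_privacy_permissions(dumpsys_output: str) -> dict:
    """Map each granted privacy-relevant permission to the data it exposes.

    Denied permissions and ones outside the watch list (e.g. CAMERA) are
    dropped, so the result is only what the app can currently read.
    """
    return {perm: PRIVACY_PERMISSIONS[perm]
            for perm, granted in PERM_RE.findall(dumpsys_output)
            if granted == "true" and perm in PRIVACY_PERMISSIONS}


def audit(pm_list_output: str, dumpsys_by_pkg: dict) -> dict:
    """Per installed loan app, the sensitive data it is able to reach."""
    return {pkg: granted_privacy_permissions(dumpsys_by_pkg.get(pkg, ""))
            for pkg in installed_loan_apps(pm_list_output)}


# --- constructed sample output (not captured from a real device) ---
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.ipayfren
package:com.example.notes
"""
SAMPLE_DUMPSYS = {"com.ipayfren": """
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""}

if __name__ == "__main__":
    for pkg, exposure in audit(SAMPLE_PM_LIST, SAMPLE_DUMPSYS).items():
        print(pkg)
        for perm, data in exposure.items():
            print(f"  {perm}: {data}")
```

On a real device the two sample strings would be replaced by the captured adb output; the report lists only permissions that are currently granted, so a revoked permission drops out of the exposure list.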

4.0 Affected System and Devices

These mobile loan applications are compiled to run on Android smartphones. The affected Android API levels are:

  • Android 10 - API level 29
  • Android 9.0 Pie - API level 28
  • Android 8.1 Oreo - API level 27
  • Android 8.0 Oreo - API level 26
  • Android 7.1 Nougat - API level 25
  • Android 7.0 Nougat - API level 24
  • Android 6.0 Marshmallow - API level 23
  • Android 5.1 Lollipop - API level 22
  • Android 5.0 Lollipop - API level 21

5.0 Technical Analysis

Analysts identified several functionalities in these mobile loan applications that are suspected of being used maliciously.

5.1 In-App Recording

Once a victim has established a session with the app, the application records the victim's activities within the app using a proprietary SDK. For as long as the victim uses the mobile application, a video recording of their activities is taken, covering all user interaction and in-app activity.

5.2 Parsing and Uploading Contact Information

These applications can parse all the contact information on the victim's smartphone. This information is then uploaded to the scammer's back-end server.