Beware of fraud apps leveraging Google Play Store for distribution

The SonicWall Capture Labs threat research team regularly shares information about the malware threats plaguing Android devices. SonicWall has tracked down another finance-themed malicious app. Until recently the app was distributed via the Google Play Store; it has now been removed from the Play Store after we reported it to the concerned team.

The app targets Indian Android phone users and is portrayed as an app that assists in obtaining a loan. Its high installation count (0.1-0.5 million) indicates that many users might have fallen prey to this fraud app. A similar fraud app has been noticed in the Google Play Store; the concerned team has already been notified of it.

At present, the fraudulent app is not detected by any AV vendor, as seen on the popular threat intelligence sharing portal VirusTotal.

The app promised easy loans to customers and appeared genuine by providing information about loan EMI and interest in its description.

After installation, it showed a list of required permissions. Interestingly, the app prompted the user to grant permissions by describing why each permission was required. The app then instructed the user to complete 3 steps to get a loan.

In the first step, called “Submit info”, personal, work and bank-related information is collected from the user. The account details entered are not validated at all, as shown below:

In the second step, the user’s credit limit is computed, supposedly based on the information provided in step one. The user is then asked to pay 399 INR as a security deposit before the loan request can be processed further. Various payment options such as net banking, UPI and debit/credit card are offered to the user. A countdown timer is also started to rush the user into making the payment.

SonicWall Capture Labs provides protection against this threat with the following signatures:

  • FraudApp.B (Trojan)
  • FraudApp.C (Trojan)

Indicators of Compromise (IoCs):

  • 2dd16df38421e8ba98e52bbc4fab81145a672775b72bf676f19b6c55a209cb1c
  • 0317c1270d57ffc57dda791f3786de34205055d6e42a1e2f30216971b790867
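As an added defender-side example (not SonicWall’s code), the following Python checker hashes APK files and compares them against the SHA-256 IoCs listed above. It also validates each indicator before use, which matters here because the second hash as printed is only 63 hex characters and therefore can never match a real SHA-256 digest; the checker reports such entries instead of silently ignoring them. Sample inputs in the test are constructed.

```python
import hashlib
import re

# SHA-256 IoCs exactly as published in the post above. The second value is
# 63 hex characters as printed, so validate_iocs() will flag it as malformed.
IOCS = [
    "2dd16df38421e8ba98e52bbc4fab81145a672775b72bf676f19b6c55a209cb1c",
    "0317c1270d57ffc57dda791f3786de34205055d6e42a1e2f30216971b790867",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_iocs(iocs):
    """Split published hashes into usable SHA-256 values and malformed
    entries (wrong length or non-hex), so a bad indicator is reported
    rather than silently never matching anything."""
    valid, malformed = set(), []
    for h in iocs:
        h = h.strip().lower()
        (valid.add(h) if SHA256_RE.match(h) else malformed.append(h))
    return valid, malformed


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large APKs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def match_samples(samples, iocs=IOCS):
    """samples: {name: bytes}. Returns {name: digest} for every sample
    whose SHA-256 is one of the valid published IoCs."""
    valid, _ = validate_iocs(iocs)
    hits = {}
    for name, data in samples.items():
        digest = sha256_of_bytes(data)
        if digest in valid:
            hits[name] = digest
    return hits


def match_files(paths, iocs=IOCS):
    """Same as match_samples(), but for APK files on disk."""
    valid, _ = validate_iocs(iocs)
    return {p: d for p in paths if (d := sha256_of_file(p)) in valid}
```

Run `validate_iocs(IOCS)` first on any IoC feed you paste in; a non-empty malformed list means the feed was truncated or mangled in transit and needs to be re-fetched from the source.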
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.