Android/Oji worm fake COVID-19 vaccine registration campaign

Splash screen for Android/Oji.G!worm (April 29, 2021)
The malware reads contacts on the smartphone, and only keeps those with a valid phone number. If the phone number does not include the country indicator, the implementation assumes it is 91, which is India’s country code.
    // Connect to a public Web API to test whether the phone number belongs to JIO
    HttpsURLConnection conn = (HttpsURLConnection)new URL("" + number).openConnection();
    conn.setRequestProperty("User-Agent", this.user_agent);
    // Test response: read the error stream for non-2xx/3xx status codes
    String result = "";
    int statusCode = conn.getResponseCode();
    InputStream is = statusCode < 200 || statusCode >= 400 ? conn.getErrorStream() : conn.getInputStream();
    BufferedReader in = new BufferedReader(new InputStreamReader(is));
    // Read all answer lines and concatenate into result
    while(true) {
        String line = in.readLine();
        if(line == null) { break; }
        result = result + line;
    }

    // Check if result contains message NOT_SUBSCRIBED_USER
    String fresult = result;
    return fresult.contains("NOT_SUBSCRIBED_USER") ? false : fresult.contains(number);
The shared message is “*Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*\n\n*Download Covid-19 android app*\n*and Register for COVID-19*\n*vaccine today.*\n\n*Link:* http://tiny.[REDACTED]CINE”
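For defenders, the traits of this lure (vaccine registration theme, "free" offer, a prompt to download an Android app, and a link) can be scored on incoming messages. The following is an added example, not code from the original analysis or from the malware; the trait weights, the threshold, the function names and the placeholder URLs are assumptions.

```python
import re

# Traits visible in the lure quoted above. Weights and threshold are
# assumptions made for this example, not values from the original analysis.
TRAITS = {
    "vaccine_theme": (re.compile(r"\b(covid[- ]?19|vaccin\w*)\b", re.I), 1),
    "registration": (re.compile(r"\bregist\w+", re.I), 1),
    "free_offer": (re.compile(r"\b(no fees?|free)\b", re.I), 1),
    "app_install": (re.compile(r"\b(download|install)\b.{0,40}\b(app|apk)\b", re.I | re.S), 2),
    "link": (re.compile(r"https?://\S+", re.I), 2),
}
THRESHOLD = 5

# The page's lure text; its redacted link is replaced by a constructed placeholder URL.
LURE = (r"*Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n"
        r"*No Fees will be taken.*\n*It\'s absolutely Free in India.*\n\n"
        r"*Download Covid-19 android app*\n*and Register for COVID-19*\n"
        r"*vaccine today.*\n\n*Link:* http://short.example/abc123")
# Constructed benign messages for comparison.
BENIGN = [
    "Covid-19 vaccine registration for age 18+ opens today. It is free.",
    "Your vaccine appointment is confirmed. Details: https://health.example/appt",
]


def normalize(text):
    """Undo literal \\n and \\' escapes and strip WhatsApp-style *bold* markers."""
    text = text.replace("\\n", "\n").replace("\\'", "'").replace("*", "")
    return re.sub(r"[ \t]+", " ", text)


def score_message(text):
    """Return (score, names of matched traits) for one message."""
    clean = normalize(text)
    hits = [name for name, (rx, _) in TRAITS.items() if rx.search(clean)]
    return sum(TRAITS[name][1] for name in hits), hits


def is_suspicious(text):
    """Flag when an install prompt and a link co-occur and the score reaches THRESHOLD."""
    score, hits = score_message(text)
    return score >= THRESHOLD and {"app_install", "link"} <= set(hits)


if __name__ == "__main__":
    for msg in [LURE] + BENIGN:
        print(is_suspicious(msg), score_message(msg))
```

Requiring the install prompt and the link together keeps ordinary vaccine notices and appointment confirmations below the threshold.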
Malicious web page — when you click on Download now, you get Android/Oji worm
All samples on this account are Android/Oji worm, for various campaigns. The COVID-19 vaccine campaign is among the most recent ones.


