Android/Oji worm fake COVID-19 vaccine registration campaign

The Android worm Oji (2020) has recently re-surfaced with a fake app to register for COVID-19 vaccine.

Splash screen for Android/Oji.G!worm (April 29, 2021)

The behavior of this family is well detailed here. This article only focuses on the new sample of late April 2021. This new sample begins a new campaign: it claims to register users for COVID-19 vaccination. If you are in doubt: this is totally fake, the app does not contact any vaccination center, its goal is merely to display ads and spread to the victims contacts via SMS.

As prior Oji campaigns, this one also targets end-users in India:

  1. The SMS message says “Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*[..]”
  2. The malware only spreads via SMS to contacts in India (+91 indicator)
The malware reads contacts on the smartphone, and only keeps those with a valid phone number. If the phone number does not include the country indicator, the implementation assumes it is 91, which is India’s country code.

3. More precisely, it only spreads to contacts who are using the indian JIO operator. The implementation knows JIO is used with 2 different techniques: (a) the phone number corresponds to ones JIO serves, or (b) it queries a public web API of JIO.

// Connect to public Web API to test if the phone number is affected to JIO
HttpsURLConnection conn = (HttpsURLConnection)new URL("https://www.jio.com/api/jio-recharge-service/recharge/mobility/number/" + number).openConnection();
conn.setRequestProperty("User-Agent", this.user_agent);
[..]
conn.setRequestMethod("GET");
conn.connect();
// Test response
String result = "";
int statusCode = conn.getResponseCode();
InputStream is = statusCode < 200 || statusCode >= 400 ? conn.getErrorStream() : conn.getInputStream();
BufferedReader in = new BufferedReader(new InputStreamReader(is));
// Read all answer lines and concatenate into result
while(true) {
String line = in.readLine();
if(line == null) { break; }
result = result + line;
}

// Check if result contains message NOT_SUBSCRIBED_USER
String fresult = result;
return fresult.contains("NOT_SUBSCRIBED_USER") ? false : fresult.contains(number);

Conclusion: if you have no contacts from India, the malware will not send any SMS — only display ads.

Contrary to SMS, the malware does not automatically spread via WhatsApp, it relies on the end-user to do so.

When the end-user clicks on the button “Share on WhatsApp”, the malware copies the message to the clipboard.

The shared message is “*Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*\n\n*Download Covid-19 android app*\n*and Register for COVID-19*\n*vaccine today.*\n\n*Link:* http://tiny.[REDACTED]CINE

The malware does not go as far as checking that the message is actually shared on WhatsApp. Actually, it does not even check WhatsApp is installed, it merely counts how many times the share button is clicked.

The URL in the SMS or WhatsApp message forwards to a website where new victims can download the Android application.

Malicious web page — when you click on Download now, you get Android/Oji worm

This application is downloaded from a malicious account on GitHub (GitHub has been notified of this abuse).

All samples on this account are Android/Oji worm, for various campaigns. The COVID-19 vaccine campaign is among the most recent ones.
5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4
c03c89b2b95f44018eb3d4d7812e4a9efa44c563f331a36a24cad2f70af27f5b
d85330ff17c8d2f8d461c384b9eb3411c2f1f4d33fecd3acf127a5d9336c4e93
98c7390a248f3f06c12272439eaf8fa185634aceaae28612b5b231ca39faf8ae
2f21d6b5330aa5e74e632068908c0b11fa4d76fc7b67bce88bfef71171aa2e6e
07f40ac2ddd54b70cbd9760718feaa13f6b758414ec70ea4c88167ced33eba4d
a25363b68faa8188b99622d8909921a4026ea7241df6377d0a6374d2b2b4e08c

New malicious GitHub account: hxxps://github.com/bharatnews/3ewr

— Cryptax

PS. Kudosto @malwrhunterteam, @LukasStefanko and @banxen.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.