Android/Oji worm fake COVID-19 vaccine registration campaign

Splash screen for Android/Oji.G!worm (April 29, 2021)

Targeting end-users in India

  1. The SMS message says “Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*[..]”
  2. The malware only spreads via SMS to contacts in India (numbers with the +91 country code)
The malware reads the contacts stored on the smartphone and keeps only those with a valid phone number. If a number carries no country code, the implementation assumes 91, India's country code.
// Connect to a public Jio web API to test whether the number belongs to a Jio subscriber
HttpsURLConnection conn = (HttpsURLConnection)new URL("https://www.jio.com/api/jio-recharge-service/recharge/mobility/number/" + number).openConnection();
conn.setRequestProperty("User-Agent", this.user_agent); // user_agent is a field of the worm's class
[..]
conn.setRequestMethod("GET");
conn.connect();
// Read the response body; on a status outside 200-399 read the error stream instead
String result = "";
int statusCode = conn.getResponseCode();
InputStream is = statusCode < 200 || statusCode >= 400 ? conn.getErrorStream() : conn.getInputStream();
BufferedReader in = new BufferedReader(new InputStreamReader(is));
// Read all answer lines and concatenate them into result
while(true) {
    String line = in.readLine();
    if(line == null) { break; }
    result = result + line;
}

// A NOT_SUBSCRIBED_USER reply means the number is not a Jio number: return false.
// Otherwise the number is accepted only if the API echoes it back in the response.
String fresult = result;
return fresult.contains("NOT_SUBSCRIBED_USER") ? false : fresult.contains(number);
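As an added example, not code from the original post or from the worm: a small Python detection a defender could run over exported outbound-SMS telemetry, using the two targeting clues described above, Indian (+91) recipients and the vaccine lure text with a shortener link. The record layout, the sample records and the tiny-link placeholder are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Iterable, Optional

# Phrases from the campaign lure quoted in the post, plus the shortener link pattern.
LURE_MARKERS = ("register for covid-19 vaccine", "no fees will be taken",
                "absolutely free in india")
SHORTENER_RE = re.compile(r"https?://tiny\.\S+", re.IGNORECASE)

def normalize_number(raw: str) -> Optional[str]:
    """Digits only; like the worm, assume India (91) when no country code is present."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits if len(digits) >= 11 else None
    if len(digits) == 10:            # bare 10-digit Indian mobile number
        return "91" + digits
    if len(digits) == 12 and digits.startswith("91"):
        return digits
    return None

def is_lure(body: str) -> bool:
    """Two or more lure phrases together with a shortener link."""
    text = body.lower()
    return sum(m in text for m in LURE_MARKERS) >= 2 and SHORTENER_RE.search(text) is not None

def find_spreading_devices(records: Iterable[tuple], min_recipients: int = 3) -> dict:
    """records: (device_id, recipient, body). Returns devices that sent the lure to
    at least min_recipients distinct Indian (+91) numbers, with those numbers."""
    hits = defaultdict(set)
    for device_id, recipient, body in records:
        number = normalize_number(recipient)
        if number and number.startswith("91") and is_lure(body):
            hits[device_id].add(number)
    return {d: nums for d, nums in hits.items() if len(nums) >= min_recipients}

# Constructed sample telemetry (device id, recipient, outbound SMS body); the link is a placeholder.
SAMPLE_LURE = ("*Register for Covid-19 Vaccine* from age 18+ today. *No Fees will be taken.* "
               "It's absolutely Free in India. *Link:* http://tiny.example/PLACEHOLDER")
SAMPLE_RECORDS = [
    ("dev-A", "9876543210", SAMPLE_LURE),
    ("dev-A", "+91 98765 00001", SAMPLE_LURE),
    ("dev-A", "+91 98765 00002", SAMPLE_LURE),
    ("dev-A", "+44 7700 900123", SAMPLE_LURE),       # non-Indian contact: not counted
    ("dev-B", "9876543210", "Hi, see you at 5"),     # benign message
    ("dev-B", "+91 98765 00001", SAMPLE_LURE),       # single lure: below threshold
]

if __name__ == "__main__":
    print(find_spreading_devices(SAMPLE_RECORDS))
```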

Spreading via WhatsApp

The shared message is “*Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*\n\n*Download Covid-19 android app*\n*and Register for COVID-19*\n*vaccine today.*\n\n*Link:* http://tiny.[REDACTED]CINE

The malware is hosted on a malicious GitHub account

Malicious web page — when you click on Download now, you get Android/Oji worm
All samples on this account are Android/Oji worm, for various campaigns. The COVID-19 vaccine campaign is among the most recent ones.

IOC


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax