Android/Oji worm fake COVID-19 vaccine registration campaign

The Android worm Oji (2020) has recently resurfaced with a fake app that claims to register users for the COVID-19 vaccine.

Splash screen for Android/Oji.G!worm (April 29, 2021)

The behavior of this family is well detailed here. This article focuses only on the new sample of late April 2021. This new sample begins a new campaign: it claims to register users for COVID-19 vaccination. If you are in doubt: this is totally fake. The app does not contact any vaccination center; its goal is merely to display ads and spread to the victim's contacts via SMS.

Like prior Oji campaigns, this one also targets end-users in India:

  1. The SMS message says “Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*[..]”
  2. The malware only spreads via SMS to contacts in India (+91 indicator). It reads the contacts on the smartphone and only keeps those with a valid phone number. If the phone number does not include the country indicator, the implementation assumes it is 91, which is India’s country code.
  3. More precisely, it only spreads to contacts who use the Indian operator JIO. The implementation determines whether a contact uses JIO with 2 different techniques: (a) the phone number corresponds to ones JIO serves, or (b) it queries a public web API of JIO.

// Connect to the public Web API to test whether the phone number belongs to JIO
HttpsURLConnection conn = (HttpsURLConnection)new URL("" + number).openConnection();
conn.setRequestProperty("User-Agent", this.user_agent);
// Test response: read the error stream for non-2xx/3xx status codes
String result = "";
int statusCode = conn.getResponseCode();
InputStream is = statusCode < 200 || statusCode >= 400 ? conn.getErrorStream() : conn.getInputStream();
BufferedReader in = new BufferedReader(new InputStreamReader(is));
// Read all answer lines and concatenate into result
while(true) {
    String line = in.readLine();
    if(line == null) { break; }
    result = result + line;
}

// The number is treated as JIO unless the answer contains NOT_SUBSCRIBED_USER;
// otherwise the answer must echo the number back
String fresult = result;
return fresult.contains("NOT_SUBSCRIBED_USER") ? false : fresult.contains(number);

Conclusion: if you have no contacts from India, the malware will not send any SMS — only display ads.

Unlike with SMS, the malware does not spread automatically via WhatsApp: it relies on the end-user to do so.

When the end-user clicks on the button “Share on WhatsApp”, the malware copies the message to the clipboard.

The shared message is “*Register for Covid-19 Vaccine*\n*from age 18+ today.*\n\n*No Fees will be taken.*\n*It\’s absolutely Free in India.*\n\n*Download Covid-19 android app*\n*and Register for COVID-19*\n*vaccine today.*\n\n*Link:* http://tiny.[REDACTED]CINE

The malware does not go as far as checking that the message is actually shared on WhatsApp. In fact, it does not even check that WhatsApp is installed: it merely counts how many times the share button is clicked.
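As an added example (not from the original article, and not the malware's code), here is a small Python filter a defender could run over SMS or WhatsApp message bodies to flag this campaign's lure. It matches phrases from the message quoted above after stripping the bold markers and escaped line breaks; the scoring weights, threshold, function names and sample messages are assumptions constructed for this illustration.

```python
import re

# Phrases taken from the lure text quoted in the article (lower-cased).
LURE_PHRASES = (
    "register for covid-19 vaccine",
    "no fees will be taken",
    "absolutely free in india",
    "download covid-19 android app",
)
# Accept plain and defanged (hxxp) schemes so analyst notes can be scanned too.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+")


def normalize(text):
    """Lower-case and flatten a message so the phrases match despite formatting."""
    text = text.replace("\\n", "\n")    # escaped line breaks, as in decompiled strings
    text = text.replace("\u2019", "'")  # curly apostrophe
    text = text.replace("*", "")        # WhatsApp bold markers around each line
    return re.sub(r"\s+", " ", text).strip().lower()


def score_message(text):
    """Return (score, matched_phrases, urls) for one message body."""
    norm = normalize(text)
    hits = [p for p in LURE_PHRASES if p in norm]
    urls = URL_RE.findall(norm)
    # Assumed weighting: one point per phrase, two more when a link accompanies them.
    score = len(hits) + (2 if hits and urls else 0)
    return score, hits, urls


def is_vaccine_lure(text, threshold=3):
    """Flag a message when its score reaches the (assumed) threshold."""
    return score_message(text)[0] >= threshold


# Constructed samples: lure wording from the article with a placeholder link,
# and a benign message that shares only one phrase with the lure.
SAMPLE_LURE = ("*Register for Covid-19 Vaccine*\\n*from age 18+ today.*\\n\\n"
               "*No Fees will be taken.*\\n*It\u2019s absolutely Free in India.*\\n\\n"
               "*Download Covid-19 android app*\\n"
               "*Link:* http://shortener.example/PLACEHOLDER")
SAMPLE_BENIGN = "Reminder: register for Covid-19 vaccine at the clinic desk, bring ID."

if __name__ == "__main__":
    for msg in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(is_vaccine_lure(msg), score_message(msg)[1:])
```

With the default threshold, the shorter SMS variant that carries three of the phrases but no link is still flagged, while a message sharing a single phrase is not.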

The URL in the SMS or WhatsApp message forwards to a website where new victims can download the Android application.

Malicious web page — when you click on Download now, you get Android/Oji worm

This application is downloaded from a malicious account on GitHub (GitHub has been notified of this abuse).

All samples on this account are Android/Oji worm, for various campaigns. The COVID-19 vaccine campaign is among the most recent ones.

New malicious GitHub account: hxxps://

— Cryptax

PS. Kudos to @malwrhunterteam, @LukasStefanko and @banxen.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.