CnC communication of a fake Aarogya Setu COVID-19 app

Screenshot of a smartphone showing the malicious app in the top left corner, using the Aarogya Setu icon
Fig. 1: The malware is installed and its icon fakes the legitimate Aarogya Setu app (see top left corner)

Communication with the CnC

Fig. 2: Reading CnC host and port from shared preferences
Fig. 3: Default CnC host and port number
Fig. 4: Code of the malware connecting to the remote CnC using a socket

Replacing the CnC with a dummy server

$ python3 
Logger configured
Starting up server on port 29491
Listening… (max clients=10)
Connecting (‘’, 59674) — client no. (1)…
IN: b’33\x00\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00+(\xcd-0402\xb1\xc8+\xcd\xc9\x01\x00}4.\xed\r\x00\x00\x00'

Packet structure

Fig. 5: Malware’s CnC packet format
  1. The message is gzipped
  2. The packet is prefixed by the gzip’s length and a 0x00.

Uncompressing messages

[SpyServer] 08/14/2020 10:09:20 IN: b’1439\x00\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00\xadU\xc9\xd2\xab\xb8\x0e~\x95^\xf5\x86\xba\xc5\x14\x02,za\xc0 [..]
[SpyServer] 08/14/2020 10:09:20 Packet indicates length=1439
[SpyServer] 08/14/2020 10:09:20 get_msg_header() returns marker=4 msg_len=1439
[SpyServer] 08/14/2020 10:09:20 decompress(): marker=4 msg_len=1439
[SpyServer] 08/14/2020 10:09:34 Packet indicates length=33
[SpyServer] 08/14/2020 10:09:34 get_msg_header() returns marker=2 msg_len=33
[SpyServer] 08/14/2020 10:09:34 decompress(): marker=2 msg_len=33
[SpyServer] 08/14/2020 10:09:34 msg_len=33 msg=b’pump10248null’
[SpyServer] 08/14/2020 10:09:56 IN: b’33\x00\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00+(\xcd-0402\xb1\xc8+\xcd\xc9\x01\x00}4.\xed\r\x00\x00\x00'
[SpyServer] 08/14/2020 10:09:56 Packet indicates length=33
[SpyServer] 08/14/2020 10:09:56 get_msg_header() returns marker=2 msg_len=33
[SpyServer] 08/14/2020 10:09:56 decompress(): marker=2 msg_len=33
[SpyServer] 08/14/2020 10:09:56 msg_len=33 msg=b’pump10248null’
Fig. 6: Calls method below with argument “pump”
Fig. 7: Decoding the Base64 buffer. It outputs binary data. Notice the JFIF magic, typical to JPEG images
Fig. 8: This is the decoded image sent by the malware to the server. I admit it is not very interesting in that particular case, but it is an accurate screenshot my emulator’s wallpaper.
Fig. 9: Method that generates the packet containing the wallpaper screenshot
  1. “10332”
  2. “10249”. This is a delimiter we see in numerous other messages.
  3. an integer representing the screen mode. In our case, we had value “5” which means the screen was on. See Figure 10.
  4. “10249”
  5. SMS origin: in case a SMS was received, this will be a message like “SMS[ originating phone number]”. In our case, there was no SMS, so this is “null”.
  6. “&”
  7. phonenumber: in case a call was placed, this will contain the outgoing phone number. Null in our case.
  8. “10249”
  9. Wallpaper: a screenshot of the current wallpaper, resized to 48x48 pixels (0x30). See Figure 11.
  10. “10249”
  11. Network type. In our case MD4G which a string the malware uses for NETWORK_TYPE_LTE.
  12. “10249”
  13. Battery level and whether the phone is plugged or not. In our case, the emulator was considered to be 100% charged, and plugged 😉. See Figure 12.
  14. “10249–10249”
  15. “10248null”. This footer is added to all messages that get gzipped (see Figure 5)
Fig. 10: Retrieving the current screen mode: on (5), locked (3), error (6)…
Fig. 11: Grabbing the current wallpaper and resizing it
Fig. 12: Get battery level and if plugged or not

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Surveillance Capitalism, Your Radical Indifference and What We Can Do Now

Major Difference between Web2 and Web3

Keeping cyber criminals at bay

4 Steps to Prepare for The California Consumer Privacy Act (CCPA)

The Opposing Forces of Privacy & Personalization


Intelectual property rights & virus protection for your shared connectome. Review

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

More from Medium

Mobile Forensics — Analyzing Snapseed on Android

OWASP UnCrackable App for Android Level 1 — Walkthrough

Analysis of Android malware faking Korean bank application

KYVE // incentivised testnet errors FAQ