Phishing Android Malware Targets Taxpayers in India | McAfee Blogs

Authored by ChanUng Pak  
McAfee’s Mobile Research team recently found a new Android malware, Elibomi, targeting taxpayers in India. The malware steals sensitive financial and private information via phishing by pretending to be a tax-filing application. We have identified two main campaigns that used different fake app themes to lure in taxpayers. The first campaign, from November 2020, pretended to be an IT certificate application, while the second campaign, first seen in May 2021, used the fake tax-filing theme. With this discovery, the McAfee Mobile Research team has been able to update McAfee Mobile Security so that it detects this threat as Android/Elibomi and alerts mobile users if this malware is present on their devices.
During our investigation, we found that in the latest campaign the malware is delivered using an SMS phishing (smishing) attack. The SMS message pretends to be from the Income Tax Department in India and uses the name of the targeted user to make the phishing attack more credible and increase the chances of infecting the device. The fake app used in this campaign is designed to capture and steal the victim’s sensitive personal and financial information by tricking the user into believing that it is a legitimate tax-filing app.
We also found that Elibomi exposes the stolen sensitive information to anyone on the Internet. The stolen data includes email addresses, phone numbers and SMS/MMS messages, among other financial and personally identifiable information. McAfee has reported the servers exposing the data, and at the time of publication of this blog the exposed information is no longer available.
Pretending to be an app from the Income Tax Department in India
The latest and most recent Elibomi campaign uses a fake tax-filing app theme and pretends to be from the Income Tax Department of the Indian government. The operators even use the original logo to trick users into installing the app. The package names (unique app identifiers) of these fake apps consist of a random word + another random string + imobile (e.g. “direct.uujgiq.imobile” and “olayan.aznohomqlq.imobile”). As mentioned before, this campaign has been active since at least May 2021.

Figure 1. Fake iMobile app pretending to be from the Income Tax Department and asking for SMS permissions
Once all the required permissions are granted, Elibomi attempts to collect personal information such as the email address, phone number and SMS/MMS messages stored on the infected device:

Figure 2. Elibomi stealing SMS messages
Prevention and defense
Here are our recommendations to avoid being affected by this and other Android threats that use social engineering to convince users to install malware disguised as legitimate apps:

Have a reliable and up-to-date security application such as McAfee Mobile Security installed on your mobile devices to protect you against this and other malicious applications.
Do not click on suspicious links received in text messages or on social media, particularly from unknown sources. Always double-check by other means that a link sent without context by a contact was really sent by that person, because it could lead to the download of a malicious application.

Conclusion
Android/Elibomi is just another example of the effectiveness of personalized phishing attacks at tricking users into installing a malicious application, even though Android blocks installs from unknown sources by default and the user has to override that protection. By pretending to be an “Income Tax” app from the Indian government, Android/Elibomi has been able to gather very sensitive and private personal and financial information from affected users, which could be used to perform identity and/or financial fraud. Even more worryingly, the information was not only in cybercriminals’ hands, but it was also unexpectedly exposed on the Internet, which could have a greater impact on the victims. As long as social engineering attacks remain effective, we expect that cybercriminals will continue to evolve their campaigns to trick even more users with different fake apps, including ones related to financial and tax services.
McAfee Mobile Security detects this threat as Android/Elibomi and alerts mobile users if it is present. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com
For those interested in a deeper dive into our research…
Distribution method and stolen data exposed on the Internet
During our investigation, we found the main distribution method of the latest campaign in one of the stolen SMS messages exposed on one of the C2 servers. The SMS body field in the screenshot below shows the smishing message used to deliver the malware. Interestingly, the message includes the victim’s name in order to make the message more personal and therefore more credible. It also urges the user to click on a suspicious link with the excuse of checking an urgent update regarding the victim’s Income Tax return:

Figure 3. Exposed information includes the SMS phishing message used to initially deliver the malware
Elibomi not only exposes stolen SMS messages, but it also captures and exposes the list of all accounts logged in on the infected devices:

Figure 4. Example of account information exposed on one of the C2 servers
If the targeted user clicks on the link in the text message, a phishing page is shown that pretends to be from the Income Tax Department of the Indian government and addresses the user by name to make the phishing attack more credible:

Figure 5. Fake e-Filing phishing page pretending to be from the Income Tax Department in India
Each targeted user receives a different application. For example, in the screenshot below we have the app “cisco.uemoveqlg.imobile” on the left and “komatsu.mjeqls.imobile” on the right:

Figure 6. Different malicious applications for different users
During our investigation, we found that there are several variants of Elibomi for the same fake iMobile Income Tax app. For example, some iMobile apps only have the login page, while others have the option to “register” and request a fake tax refund:

Figure 7. Fake iMobile screens designed to capture personal and financial information
The sensitive financial information provided by the tricked user is also exposed on the Internet:

Figure 8. Example of exposed financial information stolen by Elibomi using a fake tax-filing app
Related fake IT Certificate applications
The first Elibomi campaign, which pretended to be an “IT Certificate” app, was found being distributed in November 2020. In the following figure we can see the similarities in the code between the two malware campaigns:

Figure 9. Code similarity between Elibomi campaigns
The malicious application impersonated an IT certificate management module that is purportedly used to validate the device against a verification server that does not exist. Just like the most recent version of Elibomi, this fake ITCertificate app requests SMS permissions, but it also requests device administrator privileges, probably to make its removal more difficult. The malicious application also simulates a “Security Scan”, but what it is really doing in the background is stealing personal information such as the email address, phone number and SMS/MMS messages stored on the infected device:

Figure 10. Fake ITCertificate app pretending to do a security scan while it steals personal data in the background
Just like the most recent “iMobile” campaign, this fake “ITCertificate” app also exposes the stolen data on one of the C2 servers. Here is an example of a stolen SMS message that uses the same log fields and structure as the “iMobile” campaign:
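The two traits called out above for both campaigns (SMS permissions, and in the ITCertificate variant a device-admin receiver) together with the package-name shape described earlier (random word + random string + imobile) make a cheap static triage check. The script below is an added example, not code from the McAfee post or from Elibomi itself: it parses an AndroidManifest.xml as it would come out of apktool or androguard and reports those three indicators. Both manifests are constructed for the example; only the package name of the first one is taken from the IOC list, the rest of its contents are illustrative.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Qualified attribute key ElementTree uses for android:<name>."""
    return f"{{{ANDROID_NS}}}{name}"


SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Package-name shape described in the post: <word>.<random string>.imobile
IMOBILE_PACKAGE = re.compile(r"^[a-z]+\.[a-z]+\.imobile$")


def parse_manifest(xml_text: str) -> dict:
    """Pull out the three facts the triage needs from a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    device_admin = False
    for receiver in root.iter("receiver"):
        # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN
        # and/or listening for DEVICE_ADMIN_ENABLED.
        if receiver.get(android_attr("permission")) == DEVICE_ADMIN_PERMISSION:
            device_admin = True
        if any(a.get(android_attr("name")) == DEVICE_ADMIN_ACTION
               for a in receiver.iter("action")):
            device_admin = True
    return {
        "package": root.get("package", ""),
        "permissions": permissions,
        "device_admin": device_admin,
    }


def triage_manifest(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    m = parse_manifest(xml_text)
    findings: List[str] = []
    sms = sorted(p for p in m["permissions"] if p in SMS_PERMISSIONS)
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    if m["device_admin"]:
        findings.append("registers a device-admin receiver (resists uninstall)")
    if IMOBILE_PACKAGE.match(m["package"]):
        findings.append(f"package name {m['package']} matches the Elibomi iMobile pattern")
    return findings


# Constructed sample manifests (not extracted from a real Elibomi APK). The
# package name of the first one is from the IOC list; everything else is illustrative.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="direct.uujgiq.imobile">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="iMobile">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest) or ["no findings"])
```

Each indicator on its own is weak (legitimate SMS clients request READ_SMS, MDM agents register device-admin receivers), so treat the output as a triage score to prioritize manual review, not as a verdict.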

Figure 11. SMS message stolen by the fake “ITCertificate” app using the same log structure as “iMobile”
Interesting string obfuscation technique
The cybercriminals behind these two pieces of malware designed a simple but interesting string obfuscation technique. All strings are decoded by calling different classes, and each class uses a completely different lookup table.

Figure 12. Calling the de-obfuscation method with different parameters

Figure 13. String de-obfuscation method

Figure 14. String de-obfuscation table
The algorithm is a simple substitution cipher: each integer in the obfuscated string is replaced by the character at that position in the class’s table. For example, in the table shown, 35 decodes to ‘h’ and 80 decodes to ‘t’.
Appendix – Technical Data and IOCs
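To make the scheme concrete, the following Python is an added example, not the malware’s own code or anything from the McAfee post: it models two per-class substitution tables, decodes an integer sequence through them, and shows the analyst-side step of rebuilding a class’s table from a handful of observed (encoded, decoded) pairs, e.g. captured by hooking the decode method. The only table entries taken from the post are 35 → ‘h’ and 80 → ‘t’; every other entry and the sample URL are constructed for the example.

```python
from typing import Dict, List, Sequence, Tuple

Table = Dict[int, str]

# Two hypothetical per-class tables. 35 -> 'h' and 80 -> 't' are the values
# shown in the post; all other entries are made up so the sample round-trips.
TABLE_CLASS_A: Table = {
    35: "h", 80: "t", 12: "p", 44: "s", 7: ":", 91: "/", 3: "e", 58: "x",
    20: "a", 66: "m", 9: "l", 31: ".", 50: "c", 77: "o", 15: "r", 28: "n",
}
# A second decode class with a completely different table for the same characters.
TABLE_CLASS_B: Table = {
    2: "h", 19: "t", 63: "p", 87: "s", 41: ":", 5: "/", 96: "e", 14: "x",
    73: "a", 30: "m", 52: "l", 8: ".", 69: "c", 24: "o", 46: "r", 99: "n",
}


def deobfuscate(codes: Sequence[int], table: Table) -> str:
    """Plain substitution: replace each integer with its table entry.
    A code missing from the table means the wrong class's table was used."""
    try:
        return "".join(table[c] for c in codes)
    except KeyError as exc:
        raise ValueError(f"code {exc.args[0]} not in this class's table") from exc


def obfuscate(text: str, table: Table) -> List[int]:
    """Inverse direction; used here only to build sample input."""
    inverse = {ch: code for code, ch in table.items()}
    return [inverse[ch] for ch in text]


def recover_table(pairs: Sequence[Tuple[Sequence[int], str]]) -> Table:
    """Analyst side: rebuild a class's table from (encoded, decoded) observations.
    Lengths must match (one code per character) and a code may never map to two
    different characters, otherwise the observations are not from one class."""
    table: Table = {}
    for codes, plain in pairs:
        if len(codes) != len(plain):
            raise ValueError("substitution cipher: encoded and decoded lengths differ")
        for code, ch in zip(codes, plain):
            if table.get(code, ch) != ch:
                raise ValueError(f"code {code} maps to both {table[code]!r} and {ch!r}")
            table[code] = ch
    return table


SAMPLE_URL = "https://example.com"  # constructed sample, not a real C2 address
ENCODED_A = obfuscate(SAMPLE_URL, TABLE_CLASS_A)

if __name__ == "__main__":
    print(ENCODED_A)
    print(deobfuscate(ENCODED_A, TABLE_CLASS_A))
    partial = recover_table([(obfuscate("http", TABLE_CLASS_A), "http"),
                             (obfuscate("com", TABLE_CLASS_A), "com")])
    print(sorted(partial.items()))
```

Because every decode class carries its own table, a static decoder has to pair each call site with the table of the class it invokes (Figure 12 shows the call sites); decoding with the wrong class’s table fails on the first code that is absent from it rather than producing plausible-looking garbage, which is a useful sanity check when automating this.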

SHA256 hash                                                       Package name
1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56  direct.uujgiq.imobile
7f7b0555563e08e0763fe52f1790c86033dab8004aa540903782957d0116b87f  ferrero.uabxzraglk.imobile
120a51611a02d1d8bd404bb426e07959ef79e808f1a55ce5bff33f04de1784ac  erni.zbvbqlk.imobile
ecbd905c44b1519590df5465ea8acee9d3c155334b497fd86f6599b1c16345ef  olayan.bxynrqlq.imobile
da900a00150fcd608a09dab8a8ccdcf33e9efc089269f9e0e6b3daadb9126231  basis.aznohomqlq.imobile
795425dfc701463f1b55da0fa4e7c9bb714f99fecf7b7cdb6f91303e50d1efc0  fresenius.bowqpd.imobile
b41c9f27c49386e61d87e7fc429b930f5e01038d17ff3840d7a3598292c935d7  cisco.uemoveqlg.imobile
8de8c8c95fecd0b1d7b1f352cbaf839cba1c3b847997c804dfa2d5e3c0c87dfe  komatsu.mjeqls.imobile
326d81ba7a715a57ba7aa2398824b420fff84cda85c0dd143462300af4e0a37a  alstom.zjeubopqf.certificates
154cfd0dbb7eb2a4f4e5193849d314fa70dcc3caebfb9ab11b4ee26e98cb08f7  alstom.zjeubopqf.certificates
c59ecd344729dac99d9402609e248c80e10d39c4d4d712edef0df9ee460fbd7b  alstom.zjeubopqf.certificates
16284cad1b5a36e2d2ea9f67f5c772af01b64d785f181fd31d2e2bec2d98ce98  alstom.zjeubopqf.certificates
98fc0d5f914ae47b61bc7b54986295d86b502a9264d7f74739ca452fac65a179  alstom.zjeubopqf.certificates
32724a3d2a3543cc982c7632f40f9e831b16d3f88025348d9eda0d2dfbb75dfe  pc.yvyjmbtlk.transferInstant