Tag Archives: android

Fraud Android App in the name of Jio Prime

I am following an Instagram page with about 130K followers. These pages post ads sometimes when they get paid for them. One such ad said – “Get 10GB Data Everyday for Free for 3 Months – for Jio Prime Users”. Since I am a Jio user, I got curious to check this and was sure – this was some kind of fraud going on, and the ad was not by original Jio — they were using the name of Jio to milk their followers, since many of the users use Jio for their data connection.

I visited the URL (link) and downloaded the mentioned APK (JioPrime.apk), which is hosted on Google Drive. Turned-on the emulator and loaded this APK – yes, the icon was same as Jio’s logo (spot the app named Jio Prime in screenshot below). On opening the APK, it gives look-n-feel similar to MyJio app (the self-service app for Jio customers):

It asked me to provide my phone number. I started capturing the request/responses with Burp to look for anything malicious – I entered my mobile number and it gave me the loading screen, saying something is happening in the backend. Any user will be convinced by the different pop-ups saying: ‘Connecting to Sever…’, ‘Connected’, ‘Activating Offer’. Next it took me to “Share with Whatsapp” screen, where it asked me to share it with 10 users on Whatsapp.

But there were no network connections till that point, and then it started sending some data to Google Adwords URL.
Next, I entered mobile number as 0000000000, and it still accepted my mobile number as valid Jio number and showed me the loading pop-ups, next with the Share on Whatsapp screen. Since I don’t have Whatsapp installed on the emulator, I was not able to test further, but I was sure that they were sending user clicks to Google Adwords.

The MobSF analysis results are here:

1. Some of the dangerous Android permissions asked by the app:
a. READ_EXTERNAL_STORAGE
b. WRITE_EXTERNAL_STORAGE
c. READ_SMS
d. ACCESS_FINE_LOCATION
e. SYSTEM_ALERT_WINDOW

2. Below is the list of malicious URLs and Domains contained in the APK. When you “Share via Whatsapp”, your contact will receive the link like “Activate this service before*\n*12:00AM Tonight to Enjoy*\n*25GB/Per Day!!*\n\n*Team Jio.*\n\n*Link* : http://tiny.cc/Jio-Free-1Year;

 

Later I uploaded the APK to VirusTotal for their analysis. One thing that attracted my attention was a Service named “er.upgrad.jio.jioupgrader.Coinhive“. While Coinhive (link to KrebsonSecurity article) is a cryptocurrency mining service, this app could be a miner in the name of Jio. Eat the process of user device, earn money for the APK owner.

Four (4) Engines at VirusTotal also marked this app as malicious, screenshot here:

virustotal

Takeaways:

I could just see their JioPrime ad on 1 page on Instagram, but not sure where else they have posted their ads and how many victims have installed their APK. Also, since the app is having dangerous permissions (like Read & write external storage, read SMS), I am sure they would be accessing and sending this data somewhere.

It is highly recommended not to install APKs from unknown sources. Even some of the Google Playstore apps have malwares in them, but that’s totally a different topic.

To-do:

– Check if it is mining any cryptocurrency
– Reverse Engineer the APK for finding out the creator of the APK and the relevant Adwords account
– Check if it is really not making any network connections other than the Adwords part
– What data from user device is being accessed, whether it is being sent anywhere

In case you have free time, please feel free to do further analysis of the APK and provide more malicious vectors.

 

~~

Bypass Root detection in Android [by modifying the APK]

Developers implement root-detection mechanism in Android to prevent users from using their app on a rooted phone. The app (apk) will implement different checks to determine whether the phone is rooted or not. Later, after this check, if the phone is rooted then the APK will display some message like “This device is rooted, exiting the application”, or “This application will not work on rooted device, exiting!”, and it will exit the application.

  • How to bypass this – (a) the APK checks at the device level and determines that the device is rooted, (b) APK will display the message and close the application.
  • Between the step (a) and step (b), let the APK know that the device is rooted – but before it gives the command to exit the application – we can change the code to not exit the application even if the device is rooted.

Below are the technical steps to perform this. This method works most of the times, and doesn’t need Xposed modules or other tools.

Lets refer the APK/Application as test.apk for this article. Decompile the APK by using apktool, with the following command:

apktool d test.apk

The code of this apk will be available in a folder named ‘test’. There will be smali files in the folder, which will have all the application code.

Search for text like ‘rooted’, ‘exiting’ or ‘root’ – according to the message which is being displayed when you start this application on a rooted phone. Note the name of the file which is containing this text, open it in a text editor.

Functionality will be like this:

  • APK will check the device is rooted:
    • if yes (e.g. equals to 0),
    • exit
    • if no (e.g. not equals to 0),
    • continue

If you make the condition as ‘not equals to 0’, it will not exit and allow the application to run. After making this change, re-compile/build the APK by using apktool with following command:

apktool b test test-new.apk

A new apk will be created with the name test-new.apk, and then create a key and sign the apk with following commands:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore test-new.apk alias_name

Now the APK is built, signed and ready for installation. Install this APK by using ADB and now it will allow the application to run on a rooted Android device.

 

~~~