Online Kerala Lottery - An Investigation into the Impersonation Scam

Two applications that impersonate the Directorate of Kerala State Lotteries. These applications lure people into buying lottery tickets online.
Published on November 15, 2022
Updated on April 19, 2023
Read time: 5 minutes
Category: Adversary Intelligence
Industry: Government
Country: India
Source reliability: B (Usually reliable)
Information credibility: 2 (Probably true)

Executive Summary

THREAT IMPACT
  • Two applications that impersonate the Directorate of Kerala State Lotteries, viz:
    • Kerala Lottery Online
    • India Kerala Lottery
  • Risk of the threat actors exfiltrating sensitive information and orchestrating phishing attacks against the victims who install them.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has discovered two applications that impersonate the Directorate of Kerala State Lotteries:
    • Kerala Lottery Online
    • India Kerala Lottery
  • These applications lure people into buying lottery tickets online. The threat actors use referral links to spread the campaign. To appear legitimate, they impersonate government entities and run fake advertisements from social media accounts with 200K+ followers.
  • The threat actors have also registered the following domains, which act as payment gateways and allow them to accept payments from the major UPI apps:
    • upibank.com
    • upibank.in
    • indiacashpayment.com
    • ybbpay.net
    • sliderummy.in
  • The threat actors use 6 UPI IDs to carry out the transactions (listed under "UPI Address" below).
  • A strong connection was identified between the applications in this campaign and earlier campaigns that pushed (now banned) loan apps. In both, an ‘h5.domainname.tld’ subdomain hosts the core content of the site, which indicates that either the same group of threat actors or the same SDK is being used to build and launch these campaigns.

Summary / Information on Campaign

  • Two applications hosted on the Google Play Store were found impersonating the Kerala State Lottery, which sells tickets only offline (there is no official online channel). The apps let users purchase tickets for online gambling.
    • Kerala Lottery Online
    • India Kerala Lottery
[Figure: Play Store listings of the two applications; both have over 1 million downloads]
  • Reviews posted on the Google Play Store indicate that, after the lottery application is installed from the Play Store, it prompts the user to install a secondary, self-hosted APK file.
  • Both applications, "Kerala Lottery Online" and “India Kerala Lottery”, display the same privacy policy but operate under different names.
  • Upon analysis of the two applications, the following email addresses were listed as the developer contact:
  • A review on the Google Play Store (the second comment in the screenshot in the Appendix) suggests that the application owners also postpone the draw dates.
  • The applications request several permissions; the notable one is the permission to request package installs (REQUEST_INSTALL_PACKAGES, described as "Required to install other applications on your device"), which is what allows the app to hand the secondary APK to the system installer.
  • Detailed report on the applications
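The sideloading behaviour above can be triaged statically before the app is ever run. The script below is an added example (not code from the CloudSEK report or from BeVigil): it parses a decoded AndroidManifest.xml and flags the permissions that let a "lottery" app pull in and install a second, self-hosted APK. An APK's manifest is binary XML, so decode it first (for instance with `apktool d app.apk`) and point the script at the resulting file. The manifest embedded here is constructed for the example, and the package name and label are placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper indicators.

Added example, not code from the CloudSEK report. The manifest below is
constructed; the package name and label are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS

# Permissions worth flagging in an app that claims to sell lottery tickets.
# REQUEST_INSTALL_PACKAGES is the one the report calls out: since Android 8
# an app must declare it to hand a downloaded APK to the package installer,
# i.e. to pull in a self-hosted second-stage payload.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt installation of a self-hosted APK",
    "android.permission.INSTALL_PACKAGES": "silent install; privileged-only, abnormal for a store app",
    "android.permission.READ_SMS": "can read OTP and UPI transaction SMS",
    "android.permission.RECEIVE_SMS": "can intercept incoming OTP SMS",
    "android.permission.READ_CONTACTS": "contact harvesting",
}

# Constructed sample manifest, shaped like what apktool emits for a dropper.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lotteryapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Kerala Lottery Online">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def list_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def triage_manifest(manifest_xml):
    """Summarise package identity, declared permissions and which ones are suspicious."""
    root = ET.fromstring(manifest_xml)
    perms = [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]
    app = root.find("application")
    flagged = {p: SUSPICIOUS_PERMISSIONS[p] for p in perms if p in SUSPICIOUS_PERMISSIONS}
    return {
        "package": root.get("package"),
        "label": app.get(LABEL_ATTR) if app is not None else None,
        "permissions": perms,
        "flagged": flagged,
        # The dropper pattern described in the Play Store reviews needs this one.
        "can_sideload": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }


if __name__ == "__main__":
    # Usage: python triage_manifest.py [path/to/decoded/AndroidManifest.xml]
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage_manifest(xml_text)
    print("package:      %s (%s)" % (result["package"], result["label"]))
    print("can sideload: %s" % result["can_sideload"])
    for perm, why in result["flagged"].items():
        print("  FLAG %s: %s" % (perm, why))
```

A hit on REQUEST_INSTALL_PACKAGES in a consumer app that has no business installing other apps is a strong signal on its own; combine it with a network capture of where the second-stage APK is fetched from to recover the hosting domains listed in the next section.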

Delivery Mechanism

  • The threat actors use a referral program to spread their apps. Multiple Telegram groups, YouTube videos, and Facebook and Twitter posts were found promoting the scam applications.
  • On the landing page of the referral link, the threat actors promise that 5% of the winning amount will be shared with all users of the referral link, plus a free entry/ticket to the lottery.
  • Logos of the Directorate of Kerala State Lotteries, the National Informatics Centre (NIC), the Kerala state government (kerala.gov.in) and India were used on the landing page.
  • YouTube videos explaining the entire installation and usage procedure for the application were also found. The uploader shares the referral link in the video description.
  • One such video explains a different, international lottery game but carries a referral link to this campaign.
  • A Facebook page about the campaign has 8.2K likes and 33 followers.
  • Videos explaining the application were also posted on Facebook.
  • Fake Facebook profiles, using photos of Hollywood actors, are being created and used to advertise the application.
  • A Facebook page that mentions a Chinese entity was discovered, but no other mention of that company was found on the internet.
  • The Twitter account promoting the application has 200K+ followers and has been promoting it for over 6 months.
  • A Telegram channel with a long history of discussing and posting tips on offline lottery numbers is also promoting this application.

Technical Analysis of APK and Infrastructure

Domain names owned by the group

  • keralaticketone.com
  • lotteryadda.com
  • keralaticketonline.com
  • lottomegawin.com
  • kerala-ticket.com

  • Analysis of the APK surfaced Chinese characters in the code, but nothing that attributes the operation to China. This leads us to believe that a Chinese SDK was repurposed to build the Android application.
Hosting infrastructure for the application and associated domains

IP addresses (hosted on AWS, behind an Elastic Load Balancer):
  • 13.234.211.222
  • 13.232.224.42
  • 13.226.22.83

Sub-domains associated with the group’s infrastructure:
  • lotteryadda.com
  • www.lotteryadda.com
  • m.lotteryadda.com
  • in.lotteryadda.com
  • h5.lotteryadda.com
  • static.lotteryadda.com
  • game.static.lotteryadda.com
  • api.game.lotteryadda.com
  • dl.lotteryadda.com
  • dl2.lotteryadda.com
  • dl.game.lotteryadda.com
  • api.staging.lotteryadda.com
  • bapi.staging.lotteryadda.com
  • bapi.testing.lotteryadda.com
  • job.staging.lotteryadda.com
  • admin.staging.lotteryadda.com
  • static.staging.lotteryadda.com

  • The threat actors consistently use a subdomain of the form h5.<domain> to host their content, which makes the pattern a useful pivot when hunting for further infrastructure.
  • h5 sub-domains in this campaign:
    • h5.lotteryadda.com
    • h5.keralaticketone.com
    • h5.kerala-ticket.com
    • h5.keralaticketonline.com
  • Other domains owned by the group: these act as the payment gateway URLs, where the threat actors ask users to pay via UPI.
    • https[:]//paymentupi.upibank.in
    • https[:]//dashboard.upibank.in
    • https[:]//pay.indiacashpayment.in
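The indicators above arrive defanged (`[.]`, `[:]`), in mixed case and mixed with full URLs, so before the h5.<domain> pattern can be used as a pivot they need normalising and grouping by apex domain. The helper below is an added example (not tooling from the CloudSEK report): it refangs a list of indicators, clusters them by apex, and reports which apexes carry the h5 hosting pattern. The indicator list is copied from this report; the apex extraction assumes two-label apexes (example.com, example.in), which holds for every domain here but not for suffixes such as co.in, where a public-suffix list would be needed.

```python
"""Refang and cluster the hostnames in this report by apex domain and by the
h5.<domain> hosting pattern. Added example, not from the CloudSEK report.
Assumes two-label apex domains (no public suffix list)."""
import re
from collections import defaultdict

# Indicators copied from the report, in the defanged/mixed-case form they appear in.
RAW_INDICATORS = [
    "h5[.]lotteryadda.com",
    "H5.keralaticketone.com",
    "H5.kerala-ticket.com",
    "h5.keralaticketonline.com",
    "api.staging.lotteryadda.com",
    "Admin.staging.lotteryadda.com",
    "https[:]//paymentupi.upibank.in",
    "https[:]//dashboard.upibank.in",
    "https[:]//pay.indiacashpayment.in",
    "lottomegawin.com",
]


def refang(ioc):
    """Undo common defanging and reduce a URL or hostname to a lower-case host.

    Handles [.] and (.) for dots, [:] for the scheme colon, hxxp(s) schemes,
    and strips any scheme and path.
    """
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s, flags=re.I)
    return s.split("/")[0].lower()


def apex_domain(host):
    """Last two labels of the host. Assumption: two-label apex (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def cluster_indicators(iocs):
    """Return ({apex: sorted hosts}, sorted apexes that use an h5. subdomain)."""
    hosts = sorted({refang(i) for i in iocs})
    by_apex = defaultdict(list)
    for h in hosts:
        by_apex[apex_domain(h)].append(h)
    h5_apexes = sorted({apex_domain(h) for h in hosts if h.startswith("h5.")})
    return dict(by_apex), h5_apexes


if __name__ == "__main__":
    by_apex, h5_apexes = cluster_indicators(RAW_INDICATORS)
    for apex, hosts in sorted(by_apex.items()):
        tag = "  [h5 pattern]" if apex in h5_apexes else ""
        print("%s%s" % (apex, tag))
        for h in hosts:
            print("    %s" % h)
```

With the refanged apex list in hand, the h5 label is the query to run against passive DNS: any newly observed `h5.` hostname that resolves into the same AWS ranges, or a payment-gateway apex that appears alongside an h5 host, is a candidate for the same operator or SDK.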

UPI Address

UPI ID                      | Company name
gamecampipp                 | Gamecamp Technologies Private Limited
skenterprisesonline         | SK Enterprises
aeroglide                   | Aero Glide India Private Limited
nineciytechnologiesipp      | Nine City Technologies Private Limited
byronipp                    | Byrontec Solutions Private Limited
airpay.techslidet266763     | Tech Slide Technology Private Limited

Appendix

Screenshots (not reproduced here; captions preserved):
  • Home page of the application
  • Review on Google Play Store
  • India Kerala Lottery privacy policy
  • Kerala Lottery Online privacy policy
  • Review on Google Play Store (second review)
  • Permissions required by the application, as shown on BeVigil
  • Landing page of the referral link, showing logos of the Directorate of Kerala State Lotteries, kerala.gov.in and NIC
  • A YouTube video with the referral link in the description
  • YouTube video: https://www.youtube.com/watch?v=ken8n8nUT60
  • Facebook page: https://www.facebook.com/people/Kerala-Lottery-Online/100083366756650/
  • Fake profile promoting the application
  • A page with the same name as the application, carrying a Chinese company’s name and a now-dead link to the Play Store
  • Twitter post advertising the application
  • The Twitter account has 212.4K followers and has promoted the app multiple times
  • Telegram group advertising the application
  • Threat actors also send SMS inviting users to buy tickets on the platform
  • Chinese characters in the source code of the website
  • Error generated on the website, in Chinese characters
