Watch out for an Android SMS worm that hides in fake Jio data offers

The fake Jio message links to a shared Android Package (APK) file which, once installed, reads the victim's contacts, spreads itself over SMS and generates ad revenue.
Updated on April 19, 2023
Published on May 21, 2020
5 minute read
A fake "Free 25 GB Jio data" offer has been making the rounds recently. The link in the SMS, http[:]//tiny.cc/Jio-4G, expands to a shared Android Package (APK) file hosted on public.boxcloud.com. The APK declares 10 activities, 3 services and 1 receiver.

(Screenshot: the fake Jio offer SMS)

When a victim opens the link and installs the APK, the app requests the following permissions:
  • android.permission.READ_PHONE_STATE: Allows the app to access the victim’s phone state, including the phone number, cellular network information, status of ongoing calls, and a list of any PhoneAccounts registered on the device.
  • android.permission.ACCESS_FINE_LOCATION: Allows the app to access precise location.
  • android.permission.ACCESS_COARSE_LOCATION: Allows the app to access approximate location.
  • android.permission.FOREGROUND_SERVICE: Allows the app to use Service.startForeground.
  • android.permission.READ_CONTACTS: Allows an app to read the victim’s phone contacts data.
  • android.permission.SEND_SMS: Allows the app to send SMS messages.
  • android.permission.ACCESS_WIFI_STATE: Allows the app to access information about Wi-Fi networks.
  • android.permission.ACCESS_NETWORK_STATE: Allows the app to access information about networks.
  • android.permission.RECEIVE_BOOT_COMPLETED: Allows the app to receive the Intent.ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
  • com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE: Allows the app to bind to the Google Play Store (Finsky) install-referrer service, which tells the app which campaign or link led to its installation.
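Individually, most of the permissions above are common in legitimate apps; it is the combination (contacts plus SMS sending, boot persistence plus a foreground service) that marks the sample. The script below is an added example, not code from the original article or from the malware analysis: it parses a manifest and flags those combinations. SAMPLE_MANIFEST is a constructed fragment declaring the ten permissions listed above; its package name and receiver name are hypothetical. In practice the manifest text comes out of the APK (for instance with apktool or androguard) and is fed to the same functions.

```python
"""Static triage of an Android manifest for the permission pattern above.

Added example, not code from the original article. SAMPLE_MANIFEST is a
constructed fragment with the ten permissions listed in the post; the
package name and receiver name in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakejio">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
  <application android:label="Jio 25GB">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permission combinations that together indicate a capability worth flagging.
# The labels and groupings are this example's own, not the article's.
RULES = {
    "sms-worm": {"android.permission.READ_CONTACTS",
                 "android.permission.SEND_SMS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.FOREGROUND_SERVICE"},
    "device-profiling": {"android.permission.READ_PHONE_STATE",
                         "android.permission.ACCESS_FINE_LOCATION"},
}


def _name(el):
    """Read the android:name attribute (namespaced) from an element."""
    return el.get("{%s}name" % ANDROID_NS)


def manifest_permissions(xml_text):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(xml_text)
    return {_name(el) for el in root.iter("uses-permission")}


def boot_receivers(xml_text):
    """Return receivers whose intent-filter listens for BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    found = []
    for rcv in root.iter("receiver"):
        actions = {_name(a) for a in rcv.iter("action")}
        if BOOT_COMPLETED in actions:
            found.append(_name(rcv))
    return found


def triage(xml_text):
    """Sorted labels of every RULES entry fully present in the manifest,
    plus 'boot-receiver' when a BOOT_COMPLETED receiver is declared."""
    perms = manifest_permissions(xml_text)
    hits = [label for label, needed in RULES.items() if needed <= perms]
    if boot_receivers(xml_text):
        hits.append("boot-receiver")
    return sorted(hits)


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Running it on the constructed manifest flags all four labels. A hit on "sms-worm" alone is not proof of malice (messaging apps legitimately hold both permissions), so this is a triage filter to decide which samples get dynamic analysis, not a verdict.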
With READ_CONTACTS and SEND_SMS granted, the app can read the victim's contacts and send SMS on their behalf. Once it has that access, it sends the same "Free 25 GB Jio data offer" SMS to selected contacts that hold Jio numbers.

(Screenshot: the fake Jio message as received by a contact)

To decide whether a contact is a Jio subscriber, the worm issues a POST request to the jio.com recharge endpoint with the contact's number; the message is sent only when the endpoint confirms that the number is on Jio.

(Screenshot: decompiled code that identifies Jio numbers)

The message is not sent to all the contacts at once. Instead, the app draws a random integer and uses it as a delay before scheduling each message, so the outbound traffic does not arrive in a single burst. None of this is shown to the victim.

(Screenshot: decompiled code that schedules messages at random intervals)

The worm spreads itself, and with it the message, to generate advertising revenue. The app carries several StartApp SDK account IDs; depending on when it is opened it initialises one of them and prompts the victim to click an ad, which earns the operator revenue.

Many variants of the same scam have been observed in the past. One Android worm carried 62 predefined text messages, each with a link pointing to the app. In that case, when a victim clicked the link the app was installed and collected their phone number. The victim was then told to share the message with 10 people over WhatsApp to claim the offer; after doing so they received a notification saying the offer was now available. In this way the Android worms generate ad-based revenue.

Another offer, using Jio-Fiber registration as the lure, spreads Android worms and generates ad revenue in the same way.

(Screenshot: the Jio-Fiber registration scam)
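The propagation pattern just described (one message body, many recipients, randomised spacing instead of a burst) is visible in any outbound-SMS record a device-management agent or operator keeps. The script below is an added example, not code from the article or from the malware analysis: it groups outbound messages by sender and normalised body and flags a sender that reaches at least five distinct recipients with the same text inside an hour, reporting the gaps between sends. The comma-separated log format, the thresholds and SAMPLE_LOG are constructed for this example.

```python
"""Detect same-text SMS fan-out (the worm's propagation pattern) in a log.

Added example, not code from the original article. The log format
(ISO timestamp, sender, recipient, body) and the thresholds are
assumptions; SAMPLE_LOG is constructed for this example.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-SMS log. Sender ...0001 behaves like the worm: one
# message body, several recipients, irregular gaps. Sender ...0002 is benign.
SAMPLE_LOG = """\
2020-05-20T10:00:00,+919800000001,+919811111111,Free 25 GB Jio data offer! Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:03:17,+919800000001,+919822222222,Free 25 GB Jio data offer! Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:04:02,+919800000001,+919833333333,Free 25 GB Jio data offer!  Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:11:45,+919800000001,+919844444444,Free 25 GB Jio data offer! Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:12:30,+919800000002,+919855555555,Running late, see you at 11
2020-05-20T10:19:08,+919800000001,+919866666666,Free 25 GB Jio data offer! Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:27:51,+919800000001,+919877777777,FREE 25 GB Jio data offer! Claim now: http[:]//tiny.cc/Jio-4G
2020-05-20T10:40:00,+919800000002,+919811111111,Running late, see you at 11
"""


def body_fingerprint(body):
    """Case- and whitespace-insensitive fingerprint of a message body."""
    normalized = " ".join(body.split()).lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def parse(log_text):
    """Parse log lines into (timestamp, sender, recipient, body) tuples.
    The body may itself contain commas, hence maxsplit=3."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), sender, recipient, body))
    return events


def detect_fanout(events, min_recipients=5, window=timedelta(hours=1)):
    """Flag (sender, body) pairs that reach >= min_recipients distinct
    recipients inside any `window`. Returns one alert dict per pair."""
    groups = defaultdict(list)
    for ts, sender, recipient, body in events:
        groups[(sender, body_fingerprint(body))].append((ts, recipient))

    alerts = []
    for (sender, digest), sends in groups.items():
        sends.sort()
        best, j = 0, 0
        # Sliding window over the time-sorted sends; j never moves backwards.
        for i in range(len(sends)):
            while j < len(sends) and sends[j][0] - sends[i][0] <= window:
                j += 1
            best = max(best, len({r for _, r in sends[i:j]}))
        if best >= min_recipients:
            # Seconds between consecutive sends: the worm's random delays
            # show up as irregular spacing rather than one tight burst.
            gaps = [int((b[0] - a[0]).total_seconds())
                    for a, b in zip(sends, sends[1:])]
            alerts.append({"sender": sender, "fingerprint": digest,
                           "recipients": best, "gaps_s": gaps})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields a single alert for +919800000001 with six recipients and gaps of 197, 45, 463, 443 and 523 seconds; the benign sender, with two recipients, is ignored. The fingerprint normalisation matters because case or spacing differences between variants would otherwise split one campaign into several groups below the threshold. On the network side, the per-contact POST to the jio.com recharge endpoint described above is a second, independent signal worth correlating with this one.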

Indicators of compromise:

MD5: 000df3a5253be8cec6c7a4b739b75885
SHA1: 8060757caeca9b4f4260d58f335b990ea59340f0
SHA256: fbea91e1673e13e5bc7c1b8a7a98ab5154a8dc21d572ffb479f9c1cbe827112b