Vietnamese Hackers Using ‘Maorris Bot’ To Fuel WhatsApp E-Challan Scam In India: CloudSEK

CloudSEK, a leading cybersecurity company, has exposed a highly technical Android malware campaign targeting Indian users through fake traffic e-challan messages on WhatsApp.

Scammers scare their targets by sending fake e-challan messages impersonating the Parivahan Sewa or Karnataka Police to trick victims into installing a malicious app that steals personal information and facilitates financial fraud. The malware, identified as part of the Wromba family, has infected over 4,400 devices and led to fraudulent transactions exceeding Rs. 16 lakhs by just one scam operator. There are many scammers using similar malicious malware to cheat users.

Modus Operandi

CloudSEK researchers found that attackers distributed the malware through WhatsApp messages claiming to be challan (traffic violation fine) notices. Clicking the link within the message led to the download of a malicious APK disguised as a legitimate application.

Once installed, the malware requested excessive permissions, including access to contacts, phone calls, SMS messages, and the ability to become the default messaging app.

As the malware compromises a device, it intercepts OTPs and other sensitive messages, enabling attackers to log in to victims’ e-commerce accounts, purchase gift cards, and redeem them without leaving a trace. The attackers use proxy IPs to avoid detection and maintain a low transaction profile to evade fraud detection mechanisms.

A fraudulent WhatsApp message is being used to deliver the malicious APK

Key Findings:

Malware Distribution:

Threat actors distribute a malicious .apk file through WhatsApp, posing as Karnataka police issuing fake challan messages.

The malware requests extensive permissions during installation, including access to contacts, SMS messages, and device information.

Data Theft and Analysis:

Once installed, the malware steals and forwards data to a Telegram bot controlled by the attackers.

Impact:

To date, 4,451 devices have been infected.

Attackers have accessed 271 unique gift cards, conducting transactions worth Rs 16,31,000.

Gujarat has been identified as the most affected region, followed by Karnataka.

Geographical distribution of the victims of the Android trojan malware

Technical Details:

Persistence: The malware hides itself in the device’s settings, making it difficult to detect.

Encryption: The code is heavily obfuscated using AES encryption to evade analysis.

Data Exfiltration: The malware forwards stolen data to Telegram, using Firebase buckets for additional configuration settings.

Modus Operandi:

Data Compromise:

Attackers gain access to victims’ phone numbers and SMS messages.

They log into victims’ e-commerce and payment apps using intercepted OTPs.

Gift cards are purchased and redeemed to avoid direct fund transfers.

Operational Insights:

Researchers identified the attackers as Vietnamese, based on conversations and IP addresses traced to Bắc Giang Province in Vietnam.

An overview of the whole modus operandi

“Vietnamese threat actors are targeting Indian users by sharing malicious mobile apps on the pretext of issuing vehicle challan on WhatsApp. Once installed the app extracts all the contacts to scam more users. The app also forwards all the SMSes to the threat actors thus allowing them to login to various e-commerce and financial apps of the victim. From where they siphon off the money in the form of gift cards,” said Vikas Kundu, Threat Researcher, CloudSEK.

Mitigation Recommendations:

Antivirus and Anti-Malware: Use reputable software to detect and remove malicious apps.

App Permissions: Limit app permissions and regularly review them.

Trusted Sources: Only install apps from trusted sources like Google Play Store.

Updates: Keep the device’s operating system and apps up to date.

SMS Monitoring: Use tools to monitor and alert on suspicious SMS activity.

Account Alerts: Enable alerts for banking and sensitive services.

Education: Raise awareness about the risks of unverified apps and phishing attempts.

CloudSEK urges users to stay vigilant and adopt security best practices to protect against such malware threats. By maintaining updated systems and being cautious about app permissions, users can reduce their risk of infection.