Express Computer

Vietnamese Hackers Using ‘Maorris Bot’ To Fuel WhatsApp E-Challan Scam In India: CloudSEK

CloudSEK, a leading cybersecurity company, has exposed a highly technical Android malware campaign targeting Indian users through fake traffic e-challan messages on WhatsApp.

Scammers scare their targets by sending fake e-challan messages impersonating the Parivahan Sewa or Karnataka Police to trick victims into installing a malicious app that steals personal information and facilitates financial fraud. The malware, identified as part of the Wromba family, has infected over 4,400 devices and led to fraudulent transactions exceeding Rs. 16 lakhs by just one scam operator. Many other scammers use similar malware to cheat users.

Modus Operandi

CloudSEK researchers found that attackers distributed the malware through WhatsApp messages claiming to be challan (traffic violation fine) notices. Clicking the link within the message led to the download of a malicious APK disguised as a legitimate application.

Once installed, the malware requested excessive permissions, including access to contacts, phone calls, SMS messages, and the ability to become the default messaging app.

Once the malware compromises a device, it intercepts OTPs and other sensitive messages, enabling attackers to log in to victims’ e-commerce accounts, purchase gift cards, and redeem them without leaving a trace. The attackers use proxy IPs to avoid detection and keep a low transaction profile to evade fraud detection mechanisms.

A fraudulent WhatsApp message is being used to deliver the malicious APK

Key Findings:

Malware Distribution:

Threat actors distribute a malicious .apk file through WhatsApp, posing as Karnataka police issuing fake challan messages.

The malware requests extensive permissions during installation, including access to contacts, SMS messages, and device information.

Data Theft and Analysis:

Once installed, the malware steals and forwards data to a Telegram bot controlled by the attackers.

Impact:

To date, 4,451 devices have been infected.

Attackers have accessed 271 unique gift cards, conducting transactions worth Rs 16,31,000.

Gujarat has been identified as the most affected region, followed by Karnataka.

Geographical distribution of the victims of the Android trojan malware

Technical Details:

Persistence: The malware hides itself in the device’s settings, making it difficult to detect.

Encryption: The code is heavily obfuscated using AES encryption to evade analysis.

Data Exfiltration: The malware forwards stolen data to Telegram, using Firebase buckets for additional configuration settings.

Modus Operandi:

Data Compromise:

Attackers gain access to victims’ phone numbers and SMS messages.

They log into victims’ e-commerce and payment apps using intercepted OTPs.

Gift cards are purchased and redeemed to avoid direct fund transfers.

Operational Insights:

Researchers identified the attackers as Vietnamese, based on conversations and IP addresses traced to Bắc Giang Province in Vietnam.

An overview of the whole modus operandi

“Vietnamese threat actors are targeting Indian users by sharing malicious mobile apps on the pretext of issuing vehicle challan on WhatsApp. Once installed, the app extracts all the contacts to scam more users. The app also forwards all the SMSes to the threat actors, thus allowing them to log in to various e-commerce and financial apps of the victim, from where they siphon off the money in the form of gift cards,” said Vikas Kundu, Threat Researcher, CloudSEK.

Mitigation Recommendations:

Antivirus and Anti-Malware: Use reputable software to detect and remove malicious apps.

App Permissions: Limit app permissions and regularly review them.

Trusted Sources: Only install apps from trusted sources like Google Play Store.

Updates: Keep the device’s operating system and apps up to date.

SMS Monitoring: Use tools to monitor and alert on suspicious SMS activity.

Account Alerts: Enable alerts for banking and sensitive services.

Education: Raise awareness about the risks of unverified apps and phishing attempts.
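As an added illustration of the "App Permissions" and "SMS Monitoring" recommendations above (example code written for this article, not tooling from CloudSEK or the Express Computer report): a small Python triage script that scans a decoded AndroidManifest.xml for the permission profile the report describes, contacts, phone and SMS access together with the intent filters an app needs to be offered as the default messaging app. The two manifests embedded in the script are constructed for the example and are not samples from the campaign; the package names and component names in them are placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission
profile described in the report: contacts, phone and SMS access plus a
bid to become the default SMS app. Hypothetical helper for this article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Permissions the report says the malware requested. Each is legitimate for
# some app category; it is the combination that justifies a closer look.
WATCHED_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

# Intent actions an app must handle before Android will offer it as the
# default SMS handler (receiver, receiver, activity, service respectively).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return watched permissions found, whether the app could be selected
    as default SMS handler, and an overall verdict for the reviewer."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    flagged = sorted(requested & WATCHED_PERMISSIONS)
    actions = {el.get(NAME) for el in root.iter("action")}
    default_sms = DEFAULT_SMS_ACTIONS <= actions  # all four actions present
    has_sms = any("SMS" in p for p in flagged)
    has_contacts = "android.permission.READ_CONTACTS" in flagged
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "default_sms_candidate": default_sms,
        # SMS access + contact harvesting + default-SMS bid together match
        # the lure-and-forward pattern; such an app should be reviewed.
        "suspicious": has_sms and has_contacts and default_sms,
    }


# Constructed sample: the profile described in the report (placeholder names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.challan">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
            <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
        </receiver>
        <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
            <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
        </receiver>
        <activity android:name=".ComposeActivity">
            <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
        </activity>
        <service android:name=".ReplyService">
            <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: a contacts-backup app that needs READ_CONTACTS only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.contactsbackup">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <activity android:name=".MainActivity">
            <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
        </activity>
    </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The script expects a manifest already decoded to plain XML (for example by apktool); it reads only declared permissions and intent actions, so it is a quick first-pass check rather than a verdict on an app's behaviour, and an app that legitimately replaces the messaging client will also trip the default-SMS test.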

CloudSEK urges users to stay vigilant and adopt security best practices to protect against such malware threats. By maintaining updated systems and being cautious about app permissions, users can reduce their risk of infection.
