Recently, one of my family members received a WhatsApp message from an unknown number containing an APK file; the sender had SBI YONO as their DP and the file was named "State Bank of India". The moment I saw that APK file, I knew it was sent by a scammer trying to gain access to bank account details.
What’s next ?
My curiosity kicked in; I spun up my VM, downloaded apktool and started the decompilation.
apktool d filename.apk
Here, the first and foremost thing was to analyze the AndroidManifest.xml file (the Android Manifest is an XML file which contains important metadata about the Android app).
One of the best ways to learn an app's malicious intent is by reading this file. The application requires a number of unnecessary permissions, which is a big RED flag, including RECEIVE_SMS, CALL_PHONE and so on.
One specific component was a Message Receiver (in this scenario it was most likely being used to intercept the OTP) that runs once the application boots.
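To make the manifest review repeatable, here is an added example (my own illustration, not code from the original post) that parses an AndroidManifest.xml as produced by apktool and flags the two things the write-up calls out: unnecessary dangerous permissions and a receiver registered for incoming SMS. The manifest embedded below is a constructed sample; the package name, receiver names and the RISKY_PERMISSIONS set are assumptions for the example.

```python
"""Flag risky permissions and SMS-intercepting receivers in an AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a banking-lookalike app has no business requesting.
# Assumed list for this example, seeded with the ones named in the write-up.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest, modelled on what apktool emits for such an app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="State Bank of India">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text):
    """Return requested risky permissions and receivers listening for SMS / boot."""
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    risky = sorted(requested & RISKY_PERMISSIONS)
    sms_receivers, boot_receivers = [], []
    for receiver in root.iter("receiver"):
        actions = {attr(a, "name") for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            sms_receivers.append(attr(receiver, "name"))
        if BOOT_COMPLETED in actions:
            boot_receivers.append(attr(receiver, "name"))
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "sms_receivers": sms_receivers,
        "boot_receivers": boot_receivers,
    }


def is_suspicious(report):
    """Heuristic: any SMS receiver, or a pile of risky permissions, warrants a closer look."""
    return bool(report["sms_receivers"]) or len(report["risky_permissions"]) >= 3


if __name__ == "__main__":
    r = analyze_manifest(SAMPLE_MANIFEST)
    for key, value in r.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(r))
```

Point it at the AndroidManifest.xml in the apktool output directory (read the file and pass its text to analyze_manifest); an SMS receiver combined with a boot receiver is exactly the "intercept the OTP, survive reboot" shape described above.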
Further investigation led me to encounter obfuscated components within the APK, such as com.example.canagfrabagfgnkfgfdg.google.testing.sbjhiyojhjnuhjhgobajhjnkjhjinn. This obfuscation technique is commonly employed to obscure sensitive information or functionalities, making it challenging to discover their true purpose or origin.
After this, I moved to the smali code to look for any hints.
What’s smali code?
Smali is a low-level programming language used to create, edit and analyze Android application bytecode. It serves as an intermediate representation of Android application functionality and is human-readable, though more complex than high-level languages such as Java or Kotlin.
Function:
- It retrieves the phone number (num) from the database.
- Then it extracts the SMS data from the Intent (val$intent).
- Iterates over the pdus array and converts each PDU into an SmsMessage.
- Extracts the message body from each SmsMessage.
- Then it uses SmsManager to send a text message to num with the extracted message body.
- Logs the received SMS message.
- Pushes the received message into the Firebase Realtime Database under a new node.
Autofill Functionality
This aspect of the data was targeted by the scammers, since it contains everything.
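The receiver behaviour listed above (parse PDUs, forward the body with SmsManager, push it to Firebase) leaves recognisable strings in the decompiled smali. As an added example, not code from the original post, the scanner below searches a set of smali files for those indicators and pulls out any firebaseio.com URL it finds. The smali fragments are constructed for the example; the class names and the EXAMPLE-PROJECT hostname are placeholders, not values from the analysed APK.

```python
"""Scan decompiled smali for the SMS-forwarding / Firebase-exfiltration pattern."""
import re

# Method references and URL shape that together make up the pattern described above.
INDICATORS = {
    "sms_pdu_parse": r"Landroid/telephony/SmsMessage;->createFromPdu",
    "sms_forward": r"Landroid/telephony/SmsManager;->sendTextMessage",
    "firebase_push": r"Lcom/google/firebase/database/DatabaseReference;->push",
    "firebase_url": r'https://[A-Za-z0-9-]+\.firebaseio\.com[^"\s]*',
}

# Constructed smali fragments imitating what apktool emits for such a receiver.
SAMPLE_SMALI = {
    "smali/com/example/fakebank/SmsReceiver.smali": """
.class public Lcom/example/fakebank/SmsReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v0, "pdus"
    invoke-virtual {p2}, Landroid/content/Intent;->getExtras()Landroid/os/Bundle;
    invoke-static {v3}, Landroid/telephony/SmsMessage;->createFromPdu([B)Landroid/telephony/SmsMessage;
    invoke-virtual {v4}, Landroid/telephony/SmsMessage;->getMessageBody()Ljava/lang/String;
    invoke-virtual/range {v5 .. v10}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v1, "https://EXAMPLE-PROJECT.firebaseio.com/"
    invoke-virtual {v6}, Lcom/google/firebase/database/DatabaseReference;->push()Lcom/google/firebase/database/DatabaseReference;
    return-void
.end method
""",
    "smali/com/example/fakebank/MainActivity.smali": """
.class public Lcom/example/fakebank/MainActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
}


def scan_smali(files):
    """Map each indicator to the smali files it appears in and collect Firebase URLs.

    `files` is {path: smali_text}; build it by walking the apktool output directory.
    """
    hits, urls = {}, set()
    for path, text in files.items():
        for name, pattern in INDICATORS.items():
            for match in re.finditer(pattern, text):
                if name == "firebase_url":
                    urls.add(match.group(0))
                hits.setdefault(name, set()).add(path)
    return {
        "indicators": {k: sorted(v) for k, v in hits.items()},
        "firebase_urls": sorted(urls),
    }


def looks_like_otp_stealer(report):
    """PDU parsing plus an outbound channel (SMS forward or Firebase push) is the tell."""
    found = report["indicators"]
    return "sms_pdu_parse" in found and ("sms_forward" in found or "firebase_push" in found)


if __name__ == "__main__":
    result = scan_smali(SAMPLE_SMALI)
    print(result)
    print("otp stealer pattern:", looks_like_otp_stealer(result))
```

On a real decompilation, read every *.smali file under the output directory into the dict; the Firebase URL the scanner recovers is the exfiltration endpoint to include in the report to the cybercrime authorities.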
Moving forward, my motive was to search for their exfiltration server, which was being used to gather the database.
Okay, now we have got a Firebase URL. Now what?? I asked myself…
After a bit of googling I found that if Firebase is not configured properly we may be able to gain read and write access. To check the read access, I added /.json at the end of the URL.
And guess what ???
There are tons of data; to date the scammers have intercepted 3800 OTPs, and have access to PAN cards, Aadhaar cards, card numbers and what not.
Certificate Details
The issuer and subject details were identical, which is unusual, as the issuer in most cases is a trusted third-party Certificate Authority (CA). Moreover, a certificate validity of 1000 years: classic scammer mentality :)
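The reason the /.json check succeeded is the database's security rules: with ".read" and ".write" set to true at the root, anyone can fetch the whole tree anonymously. The example below is added here and is not from the original post; it shows that open ruleset beside a hardened one and a small linter that flags any unconditional grant, the check a Firebase owner would run before shipping. The rule documents are constructed samples.

```python
"""Lint Firebase Realtime Database security rules for public read/write grants."""
import json

# Weak rules: the whole database is readable and writable by anyone on the internet.
# This is the configuration that lets an anonymous GET of <db>/.json return everything.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Hardened rules: deny at the root, then allow each authenticated user only its own subtree.
HARDENED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid === $uid",
                ".write": "auth != null && auth.uid === $uid",
            }
        },
    }
})


def public_grants(rules_json):
    """Return (path, kind) pairs where a .read/.write rule is unconditionally true.

    Rules cascade downward in Firebase, so a single `true` near the root exposes
    every child node beneath it.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                # Rules may be JSON booleans or expression strings such as "true".
                if value is True or (isinstance(value, str) and value.strip().lower() == "true"):
                    findings.append((path or "/", key))
            elif not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


def is_publicly_readable(rules_json):
    return any(kind == ".read" for _, kind in public_grants(rules_json))


def is_publicly_writable(rules_json):
    return any(kind == ".write" for _, kind in public_grants(rules_json))


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(label, "grants:", public_grants(rules))
```

Export the live ruleset from the Firebase console (or the Firebase CLI) as JSON and pass it to public_grants; an empty result means no node is reachable without a passing auth expression.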
Since many people have already fallen victim to this scam, it was essential to report it to cybercrime authorities for further investigation.
Tip for non-tech people:
If you are unsure whether an APK file is safe or not, just upload that file to VirusTotal.
That's it for now!! I hope this small effort helps make the internet a safer place.