An Android malware campaign is targeting Indian users through fake traffic e-challan messages on WhatsApp, according to cybersecurity company CloudSEK. Scammers are sending fake e-challan messages impersonating the Parivahan Sewa or Karnataka Police to trick victims into installing a malicious app that steals personal information and facilitates financial fraud.
The malware, identified as belonging to the Wromba family, has infected more than 4,400 devices, and a single scam operator has carried out fraudulent transactions exceeding Rs 16 lakh. Many other scammers are using similar malware to cheat users, CloudSEK said in a press release.
CloudSEK researchers identified the attackers as Vietnamese, based on conversations and IP addresses traced to Bắc Giang Province in Vietnam.
"Vietnamese threat actors are targeting Indian users by sharing malicious mobile apps on the pretext of issuing vehicle challan on WhatsApp. Once installed, the app extracts all the contacts to scam more users. The app also forwards all the SMSes to the threat actors, thus allowing them to log in to various e-commerce and financial apps of the victim," said Vikas Kundu, threat researcher at CloudSEK.
Attackers distribute the malware through WhatsApp messages claiming to be traffic violation fine notices. Clicking the link in the message downloads a malicious APK disguised as a legitimate application. Once installed, the app requests excessive permissions, including access to contacts, phone calls and SMS messages, and asks to be set as the default messaging app, which makes it the recipient of every incoming SMS on the device.
The stolen contacts and messages are forwarded to a Telegram bot controlled by the attackers. Because the app sees every incoming message, it intercepts OTPs and other sensitive SMSes, letting the attackers log in to victims' e-commerce accounts, purchase gift cards and redeem them without leaving a trace. The attackers route their activity through proxy IPs to avoid detection and keep transaction amounts low to stay under fraud-detection thresholds.
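The two paragraphs above describe the capability set an analyst should look for when triaging an APK delivered this way: SMS, contact and call permissions in one app, plus the manifest components Android requires before an app can be chosen as the default SMS app (an SMS_DELIVER receiver guarded by BROADCAST_SMS, a WAP_PUSH_DELIVER receiver, a SENDTO activity for the sms/mms schemes, and a RESPOND_VIA_MESSAGE service). The script below is an added example, not code from the CloudSEK report or from the malware itself; it reads the decoded AndroidManifest.xml that apktool produces and flags that combination. The sample manifests, the package name com.example.echallan and the component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr):
    """Qualify an attribute name with the android: namespace used in manifests."""
    return "{%s}%s" % (ANDROID_NS, attr)

# Permission groups that, taken together in a non-messaging app, match the
# behaviour described in the report (contacts harvest, SMS/OTP forwarding, calls).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
CALL_PERMS = {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
              "android.permission.READ_PHONE_STATE"}
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}

def requested_permissions(root):
    return {el.get(a("name")) for el in root.iter("uses-permission") if el.get(a("name"))}

def _actions(component):
    return {act.get(a("name")) for f in component.findall("intent-filter")
            for act in f.findall("action")}

def _schemes(component):
    return {d.get(a("scheme")) for f in component.findall("intent-filter")
            for d in f.findall("data") if d.get(a("scheme"))}

def default_sms_requirements(root):
    """Which of the four components Android requires of a default SMS app are declared."""
    found = {"sms_deliver_receiver": False, "wap_push_receiver": False,
             "sendto_activity": False, "respond_via_message_service": False}
    app = root.find("application")
    if app is None:
        return found
    for recv in app.findall("receiver"):
        acts, perm = _actions(recv), recv.get(a("permission"))
        if "android.provider.Telephony.SMS_DELIVER" in acts and perm == "android.permission.BROADCAST_SMS":
            found["sms_deliver_receiver"] = True
        if "android.provider.Telephony.WAP_PUSH_DELIVER" in acts and perm == "android.permission.BROADCAST_WAP_PUSH":
            found["wap_push_receiver"] = True
    for act in app.findall("activity"):
        if "android.intent.action.SENDTO" in _actions(act) and _schemes(act) & SMS_SCHEMES:
            found["sendto_activity"] = True
    for svc in app.findall("service"):
        if ("android.intent.action.RESPOND_VIA_MESSAGE" in _actions(svc)
                and svc.get(a("permission")) == "android.permission.SEND_RESPOND_VIA_MESSAGE"):
            found["respond_via_message_service"] = True
    return found

def triage(manifest_xml):
    """Return a triage summary for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    reqs = default_sms_requirements(root)
    eligible = all(reqs.values())
    findings = []
    if perms & SMS_PERMS:
        findings.append("requests SMS permissions: " + ", ".join(sorted(perms & SMS_PERMS)))
    if perms & CONTACT_PERMS:
        findings.append("requests contact access")
    if perms & CALL_PERMS:
        findings.append("requests phone/call access")
    if eligible:
        findings.append("declares every component needed to become the default SMS app")
    # SMS access combined with contact harvesting or default-SMS eligibility is the
    # pattern of an OTP-stealing trojan; a lone permission only warrants review.
    if perms & SMS_PERMS and (perms & CONTACT_PERMS or eligible):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "permissions": sorted(perms),
            "default_sms_eligible": eligible, "findings": findings, "verdict": verdict}

# Constructed sample: what a fake e-challan app's decoded manifest could look like.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.echallan">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="e-Challan">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

To use it on a real sample, decode the APK with `apktool d sample.apk` and pass the contents of the resulting AndroidManifest.xml to `triage()`. A legitimate messaging client will also satisfy the default-SMS checks, so the verdict is a triage signal for a supposed government e-challan app, not proof of malice on its own.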
According to the report, 4,451 devices have been infected to date. Attackers have accessed 271 unique gift cards and conducted transactions worth Rs 16.31 lakh. Gujarat is the most affected region, accounting for 40.4% of the trojan's victims, followed by Karnataka at 26.8%.
The malware hides itself in the device's settings, making it difficult to spot, and its code is heavily obfuscated, with AES-encrypted components that hinder static analysis, the report said.
The report made some recommendations for mitigation of the threat:
Use reputable security software to detect and remove malicious apps.
Limit app permissions and review them regularly.
Only install apps from trusted sources such as the Google Play Store.
Keep the device's operating system and apps up to date.
Use tools that monitor and alert on suspicious SMS activity.
Enable transaction alerts for banking and other sensitive services.