Hi there! While watching videos on YouTube, I saw a Google advertisement, one of which promised a well-paid job. That seemed interesting and weird. The advertisement was for an Android application on Google Play. Let’s take a look at this phishing campaign in Turkey.
App and File Information from MobSF:
First of all, we will look at the entry point of the Android app, the “MainActivity” class. You can see that the application checks for installed messaging apps. Our fake application enumerates the installed applications, then uses this information to redirect the victim into that messaging app so they can contact the operators.
Checks the apps and initializes the “c” variable:
Simple algorithm: change the str3 variable and choose the package name based on the c value. Then call the chat function with this package name.
While reading the code, I saw a few device checks, such as language, location and country, and an IP address used to load a page inside the fake app.
The application checks the device information; if your device language is “Turkish” or your country is Turkey, the application loads the real page from this IP address. But if your language is different, you will only see the fake application screens.
aid parameter -> language (changes the web page language)
pkg parameter -> package name
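The two behaviours described above, the installed-messenger probe and the language/country check that gates the real page, are the kind of thing a static triage script can flag even when an AV scan finds nothing. The following is an added example written for this post, not code from the app or from the author: it runs a set of indicator regexes over a constructed snippet of decompiled Java that models the described logic. The sample source, the package names (com.whatsapp, com.whatsapp.w4b, org.telegram.messenger) and the 203.0.113.10 placeholder address are all assumptions made for the example; only the aid and pkg parameter names come from the post.

```python
import re

# Constructed sample of decompiled Java, modelled on the behaviour the post describes.
# This is NOT the real app's code; the IP is a documentation-range placeholder.
SAMPLE_DECOMPILED = """
public class MainActivity extends Activity {
    String str3 = "";
    int c = 0;
    void checkApps() {
        PackageManager pm = getPackageManager();
        try { pm.getPackageInfo("com.whatsapp", 0); c = 1; } catch (Exception e) {}
        try { pm.getPackageInfo("com.whatsapp.w4b", 0); c = 2; } catch (Exception e) {}
        try { pm.getPackageInfo("org.telegram.messenger", 0); c = 3; } catch (Exception e) {}
    }
    void loadPage() {
        String lang = Locale.getDefault().getLanguage();
        String country = ((TelephonyManager) getSystemService("phone")).getSimCountryIso();
        if (lang.equals("tr") || country.equalsIgnoreCase("TR")) {
            webView.loadUrl("http://203.0.113.10/index.php?aid=" + lang + "&pkg=" + str3);
        } else {
            setContentView(R.layout.fake_home);
        }
    }
}
"""

# Indicator categories: each maps to regexes matched against decompiled source text.
INDICATORS = {
    "locale_check": [r"Locale\.getDefault\(\)", r"\.getLanguage\(\)", r"\.getCountry\(\)",
                     r"getSimCountryIso\(\)", r"getNetworkCountryIso\(\)"],
    "installed_app_probe": [r"getPackageInfo\(", r"getLaunchIntentForPackage\(",
                            r"queryIntentActivities\("],
    "messenger_package": [r"com\.whatsapp(\.w4b)?", r"org\.telegram\.messenger"],
    "raw_ip_url": [r"https?://\d{1,3}(?:\.\d{1,3}){3}"],
    # Query parameters named in the post (aid = language, pkg = package name).
    "cloaking_params": [r"[?&]aid=", r"[?&]pkg="],
}


def find_indicators(source):
    """Return {category: sorted unique matches} for every category with at least one hit."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = set()
        for pat in patterns:
            for m in re.finditer(pat, source):
                found.add(m.group(0))
        if found:
            hits[category] = sorted(found)
    return hits


def classify(hits):
    """Cloaking = a locale/country check alongside a raw-IP page load; steering =
    probing installed messengers so the victim can be pushed into a chat."""
    gated = "locale_check" in hits and "raw_ip_url" in hits
    steering = "installed_app_probe" in hits and "messenger_package" in hits
    if gated and steering:
        return "likely geo-cloaked messenger-steering phishing"
    if gated or steering:
        return "suspicious"
    return "no cloaking indicators"


def analyze(source):
    hits = find_indicators(source)
    return {"indicators": hits, "verdict": classify(hits)}


if __name__ == "__main__":
    result = analyze(SAMPLE_DECOMPILED)
    for category, values in result["indicators"].items():
        print(f"{category}: {values}")
    print("verdict:", result["verdict"])
```

Point the script at the `.java` files produced by a decompiler (jadx output, for instance) instead of the embedded sample and it will give the same category breakdown per file; the verdict is deliberately coarse, because a locale check alone is normal in legitimate apps and only the combination with a hard-coded IP page load and messenger probing is what made this campaign stand out.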
Fake Application Intent:
Real Phishing Site (after changing the language settings):
If you want to see the real page, you can visit the URL in the code.
A weird sentence: why would anyone pay a lot of money without requiring any knowledge? And you must do only one thing, which is nothing 😀
Example mistake in the sentence:
If you click the WhatsApp icons or texts, you will be redirected to the messaging app through the “MainActivity” code we read first. And you can see the WhatsApp Business account and the name used.
While researching, I tried to find more information about this IP address. You can see the related domains via AlienVault OTX.
Whois information:
ZoomEye:
The IP address we found is located in China and you can see Chinese names; if you try reading the JS code on the page, you can see Chinese text.
To conclude, this is a simple campaign and a simple fake phishing app, useful for understanding what is going on; and if you scan this application, security solutions won’t find any risk or malicious behavior.
IP Address Result:
APK Result:
Please be careful and don’t trust advertisements and applications like these. Thanks for your time and interest.
Berk KIRAS