Analysis of Fake Application and Phishing Campaign in Turkey

Hi there! While watching videos on YouTube, I saw a Google advertisement that promoted a well-paid job. That seemed interesting and weird. The advertisement was for an Android application on Google Play. Let's take a look at this phishing campaign in Turkey.

App and File Information from MobSF:

App Information from MobSF
File Information from MobSF

First of all, we will look at the app's main class, "MainActivity". It contains checks for messaging apps: the fake application checks which messaging applications are installed, then uses this information to redirect the user into that application for contact.

Checking the installed apps and initializing the "c" variable:

C variable cases

Simple algorithm: set the str3 variable by choosing the package name according to the value of c, then call the chat function with this package name.

Choosing the messaging application

While reading the code, I saw a few device checks, such as language, location or country, and an IP address used for loading a page in the fake app.

initData Function and Device Controls

The application checks the device information. If the device language is "Turkish" or the country is Turkey, the application shows the real page from this IP address. If the language is different, you will see only the fake application's intents.

aid parameter -> Language (Changes the web page language)

pkg parameter -> package name
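A static triage check for the pattern described above, written as an added example (not the app's code and not MobSF output): it flags methods in decompiled Java that read the device locale or country and also load a URL with a raw IP host in a WebView. The sample source, the DecoyActivity name and the 192.0.2.10 address are constructed placeholders; initData, aid and pkg are the names from the article.

```python
import re

# Constructed sample of decompiled-style Java (NOT the app's real code).
# 192.0.2.10 is a documentation-range placeholder; DecoyActivity is hypothetical.
SAMPLE = '''
public class MainActivity extends Activity {
    private void initData() {
        String lang = Locale.getDefault().getLanguage();
        String country = Locale.getDefault().getCountry();
        if ("tr".equals(lang) || "TR".equals(country)) {
            this.webView.loadUrl("http://192.0.2.10/index.html?aid=" + lang + "&pkg=" + getPackageName());
        } else {
            startActivity(new Intent(this, DecoyActivity.class));
        }
    }
    private void showAbout() {
        this.webView.loadUrl("https://example.com/about");
    }
}
'''

LOCALE_API = re.compile(r'Locale\.getDefault\(\)\.get(?:Language|Country)\(\)'
                        r'|get(?:Network|Sim)CountryIso\(\)')
IP_URL = re.compile(r'"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?[^"]*"')
METHOD = re.compile(
    r'^\s*(?:public|private|protected)[^;=(){}\n]*\s(\w+)\s*\([^)]*\)\s*\{', re.M)

def method_bodies(src):
    """Yield (name, body) per method; braces inside string literals are not handled."""
    for m in METHOD.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]

def find_locale_cloaking(src):
    """Flag methods that read locale/country AND load a raw-IP URL."""
    findings = []
    for name, body in method_bodies(src):
        apis = sorted(set(LOCALE_API.findall(body)))
        ips = sorted(set(IP_URL.findall(body)))
        if apis and ips and 'loadUrl(' in body:
            findings.append({'method': name, 'locale_apis': apis, 'ip_hosts': ips})
    return findings

if __name__ == '__main__':
    for finding in find_locale_cloaking(SAMPLE):
        print(finding)
```

A hit is a prompt for manual review of that method, not a verdict: re-test the app with the device language and region switched to the values the branch compares against.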

Fake Application Intent:

Fake App

Real Phishing Site (after changing the language settings):

Real Phishing Page (with Android Phone)

If you want to see the real page, you can visit the URL in the code.

A weird sentence: why would anyone pay a lot of money without any knowledge? And you must do only one thing, which is nothing 😀

Sentences for influencing people for well-paid jobs

Example of an error in the sentence:

An example of an error in the sentence

If you click the WhatsApp icons or text, you are redirected to the messaging app by the "MainActivity" code we read first. There you can see the WhatsApp Business account and the name it uses.

Phone Number for Phishing or Vishing
A Known Company Name for Campaign

While researching, I tried to find more information about this IP address. You can see the related domains via AlienVault OTX.

Related Domains – 1
Related DNS Info – 2

Whois information:

Whois

Zoomeye:

Zoomeye Information for IP Address

The IP address we found is located in China, and you can see Chinese names. If you read the JS code in the page, you can also see Chinese-language text.

To conclude, this is a simple campaign and a simple fake phishing app, which makes it easy to understand what is going on. If you scan this application, security solutions won't find any risk or malicious behavior.

IP Addr Result:

Virustotal Result for IP Address

APK Result:

Virustotal Result for APK File

Please be careful and don't trust advertisements and applications like these. Thanks for your time and interest.

Berk KIRAS