Android Coronavirus SMS Worm is probably connected to a developer from India 🇮🇳 #OSINT (1/8)
.@Spam404Online found another domain (codebeta[.]in) hosting the same Android SMS Worm (Get Corona Safety Mask) app. (2/8)

Source:
Sample: virustotal.com/gui/file/8a87c…
Based on the Google cache, "codebeta[.]in" in the past offered users 350 free Rupees via Paytm,
plus 20 Rs extra if you installed the Android app. The app was an SMS Spam Trojan. (3/8)

Distributed link: codebeta[.]in/Free350Paytm-2.00.apk
VT (2/62): virustotal.com/gui/file/6eed0…
The "Free350Paytm-2.00.apk" app's functionality is to send an SMS to all of the victim's contacts with the text:
"Get 350 Rupees Free paytm cash just just by working on your phone. Get 350 daily paytm cash. Download the app - http://www.paytm350 .tk"
Looks like SMS spam. The domain is down. (4/8)
All app certificate names are: "hemant prajapat"

Domain(codebeta[.]in) is registered to: "hemantpr72@gmail.com"

FB page that refers to domain: facebook.com/pages/category… (5/8)
This same email belongs to the developer of the "Star Rewards" app, which was available on the Play Store in 2018 (still available on APKPure).
This app also promised free Paytm cash and had the same certificate name (hemantpr72@gmail.com) as the registered malicious domain (codebeta[.]in). (6/8)
The "Star Rewards" app developer didn't protect the user database, and because of that it leaks user info.
It contains info on 76 users, including user name and wallet balance. (7/8)
Conclusion (8/8)

Goal of the apps: SMS Worm/SMS Spam Trojan
All evidence demonstrates that the malware developer is most likely from India.

Attacker quickly switched from "get free 350 Rupees" to "get Corona Safety Mask" themed scam to exploit Coronavirus situation.
To clarify, the "Star Rewards" app, which was on the Play Store, is not an SMS Trojan; it's a fake app without malicious functionality.

This app requires the user to sign up using a phone number & password. These data are stored in an unprotected database. Because of that, it leaks the data of 1.5K+ users.
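As an added example (not code from Lukas Stefanko's thread and not the malware's own code), here is how the spreading behaviour described in the thread, one infected handset sending the same lure text with a download link to every contact in its address book, can be spotted on the receiving side, for instance in an SMS gateway or carrier log. The record format, phone numbers and lure vocabulary list are assumptions; the only real data is the lure text quoted in the thread. The refang step is included because analysts paste indicators in the defanged form used above (codebeta[.]in, "paytm350 .tk").

```python
import re
from collections import defaultdict

# URLs in SMS bodies (http/https or bare www.), matched after refanging.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Lure vocabulary drawn from the two campaigns in the thread. Assumed list; extend as needed.
LURE_TERMS = ("free", "cash", "reward", "paytm", "corona", "mask", "download the app")


def refang(text: str) -> str:
    """Undo common IOC defanging ('codebeta[.]in', 'paytm350 .tk', 'hxxp') so URLs match."""
    return text.replace("[.]", ".").replace(" .", ".").replace("hxxp", "http")


def lure_indicators(body: str):
    """Return (urls, lure_terms) found in one message body."""
    text = refang(body)
    urls = URL_RE.findall(text)
    terms = [t for t in LURE_TERMS if t in text.lower()]
    return urls, terms


def detect_fanout(records, min_recipients=3):
    """Flag a sender that pushes the same URL-carrying lure text to many distinct recipients.

    records: iterable of (sender, recipient, body) tuples, e.g. from an SMS gateway log
    (assumed format). A worm on one infected handset produces exactly this shape:
    one sender, one body, one message per contact in the address book.
    """
    groups = defaultdict(set)
    for sender, recipient, body in records:
        # Collapse whitespace so trivially re-wrapped copies of the lure group together.
        groups[(sender, " ".join(body.split()))].add(recipient)

    alerts = []
    for (sender, body), recipients in groups.items():
        urls, terms = lure_indicators(body)
        if len(recipients) >= min_recipients and urls and terms:
            alerts.append({
                "sender": sender,
                "recipients": len(recipients),
                "urls": urls,
                "terms": terms,
            })
    return alerts


# Constructed sample gateway records (sender, recipient, body). The first body is the
# lure text quoted in the thread; the phone numbers and other messages are made up.
LURE = ("Get 350 Rupees Free paytm cash just just by working on your phone. "
        "Get 350 daily paytm cash. Download the app - http://www.paytm350 .tk")

SAMPLE_RECORDS = [
    ("+910000000001", f"+9100000001{i:02d}", LURE) for i in range(5)
] + [
    # A group chat: many recipients, but no URL and no lure vocabulary.
    ("+910000000002", f"+9100000002{i:02d}", "Dinner at 8? Same place as last week.")
    for i in range(4)
] + [
    # One-off forward of the lure: suspicious text, but no fan-out from this sender.
    ("+910000000003", "+910000000301", LURE),
    # Legitimate bulk message with a URL but no lure terms.
    ("+910000000004", "+910000000401", "Your parcel is out for delivery: https://example.org/track"),
]


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_RECORDS):
        print(alert)
```

Only the infected handset is flagged: the group chat has fan-out but no link or lure wording, the single forward has the lure but no fan-out, and the delivery notice has a link but no lure wording. Lowering `min_recipients` trades the fan-out signal for content matching alone, which is what a per-device SMS filter would use.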
Thread by Lukas Stefanko