# Fake Income Tax Application Targets Indian Taxpayers **[blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/](https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/)** September 7, 2021 Indian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing, especially during the pandemic. A variant of a mobile app that impersonates India’s Income Tax Department (IT) was first identified by the McAfee Threat Intelligence team in September 2021. These apps conduct phishing activities and collect sensitive information from their victims. The attacker could later sell this information on cybercrime forums. During our routine threat hunting exercise, Cyble Research Labs came across a [Twitter post covering the](https://twitter.com/prashant_92/status/1434441034109382661) application that masquerades as an official Income Tax department app. The app has a similar icon to that of the IT Department of India and is named iMobile. Cyble Research Labs downloaded the malware samples and performed a detailed analysis. We determined that the malware performs phishing activities to steal Personally Identifiable Information (PII) such as date of birth, PAN number, Aadhaar number, bank account details, and debit card details, including expiry date, CVV number, and PIN. ## Technical Analysis ### APK Metadata Information App Name: iMobile Package Name: direct.uujgiq.imobile SHA256 Hash: 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 Figure 1 shows the metadata information of the application. _Figure 1: Metadata Information_ ----- _Figure 2: Application Start Flow_ We have outlined the flow of the application and the various activities it conducts in Figure 2. The application has a similar icon as the IT department of India’s official logo. The application asks the users to allow it as defaults SMS app. Once it becomes the default app, it can handle SMS data. The application asks users to input credentials like PAN number and registered mobile number. The application asks users to input bank account details including debit card information. The application also asks for Internet Banking credentials. Upon simulating the application, it requests that users make it their default SMS app, and then the application proceeds with its malicious activity. Refer to Figure 3. ----- _Figure 3: Asks for Default SMS_ _App Permission_ Figure 4 shows the malware pretending to be the official Income Tax app from India’s Income Tax department. We can also see that the app is asking for credentials such as PAN number and mobile number. ----- _Figure 4 Asks for IT_ _Credentials_ The next page of the application directs users to a portal where they are prompted to enter their bank account and debit card details. Refer to Figure 5. ----- _Figure 5 Asks for User’s Banking Details_ The application also uses a fake internet banking login page and requests users to enter their credentials, as shown below. _Figure 6 Asks for_ _Netbanking Credentials_ ----- ### Manifest Description **iMobile requests twenty-six different permissions, of which the attackers could abuse seven. In this** case, the malware can: Collect SMS data. Read the information of device such as usage history and statistics. Receive and send SMSs. We have listed the dangerous permissions below. **Permissions** **Description** READ_SMS Access phone’s messages. BROADCAST_STICKY Allow the application to communicate with other apps. These broadcasts happen without the user’s knowledge. DISABLE_KEYGUARD Allows applications to disable the keyguard. PACKAGE_USAGE_STATS Provides access to device usage history and statistics. READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. RECEIVE_SMS Allows an application to receive SMS messages. SEND_SMS Allows an application to send SMS messages. _Table 1: Permissions’ Description_ Upon reviewing the code of the application, the launcher activity of the malicious app was identified, as shown in Figure 7. _Figure 7 Launching Activity_ The permissions and services defined in the manifest file that were identified have the ability to replace the default Messages app. This app will then be able to handle sending and receiving SMSs and MMSs. Refer to Figure 8. ----- _Figure 8 Handles SMS and MMS_ Figure 9 represents that the malware has defined customized services that use the BROADCAST_WAP_PUSH service. Through this service, an application can broadcast a notification that a WAP Push message has been received. _Figure 9 Using Broadcast WAP Push Permission_ Threat Actors (TAs) may abuse this service to create could false MMS message receipts or replace the original content with malicious content. Google has instructed that it is not for use by third-party **applications.** Figure 10 represents that the malware has defined customized services that leverage the permission SEND_RESPOND_VIA_MESSAGE. This permits the application to send a request to other messaging apps to handle respond-via-message action during incoming calls. _Figure 10 Using Send Respond VIA Message_ ### Source Code Description The application uses the permission that is defined in Figure 8 to send SMSs. Upon allowing the application to replace the default messaging app, it can also read incoming messages. Refer to Figure 11. ----- _Figure 11 Sending SMS_ The below code shows one of the multiple deobfuscation method used by the malware, which leverages a simple cipher substitution. All strings are decoded using distinct classes, with each class having a unique table value. Refer to Figure 12. _Figure 12 Deobfuscation Method_ During our traffic analysis, we observed that the malware is uploading the banking details, including account numbers and debit card details such as card number, expiry date, CVV, and PIN to the Command and Control (C2) server hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php. Refer to Figure 13. ----- _Figure 13 Banking Details Being Uploaded to the Server_ Figure 14 demonstrates that the malware is uploading internet banking credentials to the server. _Figure 14 Internet Banking Details Uploaded to the Server_ The below image shows that the malware has hardcoded data, i.e., a mobile number originating from India. _Figure 15 Hardcoded Data_ ## Conclusion The Threat Actors behind malicious applications constantly adapt and use various sophisticated techniques to avoid detection and target users. Such malicious applications masquerade as legitimate applications to trick users into installing them. Users should only install applications from the official Google Play Store to secure themselves from attacks such as these. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: Download and install software only from official app stores like Google Play Store. ----- Ensure that Google Play Protect is enabled on Android devices. Users should be careful of the permissions they are enabling. If you find this malicious application on your device, uninstall, or delete it immediately. Use the shared IOCs to monitor and block the malware infection. Keep your anti-virus software updated to detect and remove malicious software. Keep your Android device, OS, and applications updated to the latest versions. Use strong passwords and enable two-factor authentication. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Execution** [T1204.002](https://attack.mitre.org/techniques/T1204/002) User Execution: Malicious File **Defense Evasion** [T1418](https://attack.mitre.org/techniques/T1418) Application Discovery **Credential Access** [T1412](https://attack.mitre.org/techniques/T1412) Capture SMS Messages **Discovery** [T1087](https://attack.mitre.org/techniques/T1087) Account Discovery **Impact** [T1565](https://attack.mitre.org/techniques/T1565/) Manipulation ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **type** **Description** **1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56** SHA256 Malicious APK **hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php** URL C2 ## About Us [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.com/) cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit [https://cyble.com.](https://cyble.com/) -----