1/10 Rosa Scam and Malicious APK targeting Malaysian: MyMaidKL Technical Analysis notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html This post was authored by Taqi and Rosamira Overview NetbyteSEC malware analyst team came across a malicious application packaging kit (APK) file that is targeted on Malaysian Android users. The sample was received by our team containing the details below.     MD5 Hash : e58ffc4e23292d80916b0e19c184cdef        Filename : 5_6172262213630297202.apk     File Type :  Application Packaging Kit (APK)     App Name : MY Maid     Package Name : com.example.bio     Main Activity : com.example.bio.MainClass     Android Version Name : 1.0     Android Version Code : 1 Table 1: Detail of the malicious APK This Android application is embedded with certain code of malicious intents and permission. The NetbyteSEC malware analyst team observed that the application contains malicious classes such as SMS receivers. Victim’s messages will be intercepted when the device is receiving messages and sent to the attacker domain. https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5-2PW9b_-LpBUIwQnoeAd8YMEbXllH96MQ3WJRg66mZ4B5IyV9mggi7GETdJdP3vr21wgec39NG_hkfyWP6m_bJVvgTF_SBWlsDXKCFPZ-pK4_DIYliDVmcBlFc6-AoM5XhiuZYTU4TRlrYTC_qzOgha1cRFDdfZ_RSS-g0n_bLwLvU0zJl-JR31iIg/s1522/mymaidkl.jpg 2/10 Figure 1: Overview modus operandi of MY Maid scam that is being targeted to   Malaysian victims. Victims saw MyMaidKL from a Facebook advertisement which said that there is Hari Raya Promotion for everyone to grab an offer for cleaning service. After the victim saw the ads from FB, they chatted with the scammer for further information. The scammer asks customers to book an appointment through their android application. The victim navigates to https://mymaidkl[.]com to download the APK file. Then, the APK file is downloaded to the victim's phone and the victim installs the apps. Upon installing the malicious application, victims will be prompted to give RECEIVE_SMS permission to the malicious application. In the application, victims will make payments on a fake online payment system website and their banking credentials are sent to the attacker. From here, attackers receive banking credential information and read the victim's SMS which potentially reads the TAC code. Attackers then make illegal transactions after receiving the victim's credentials.   https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA2dWi2qezC4lm-HxEielRaOYafOKwgHbloGP03KaPkYtrSLAmUbiRpt8a57XWvaphXkRXD_ADHJpDAVfSFZ_usv8KXgRX09Tuvv4ZVF1w2lOfVbgHeg89Sb76ud0FDgda_4svm8DEYfKXVPBGRoRom3KG3tT94BoygCuKtWII8p-EfWtM8NxfIRsp/s701/mymaid.jpg https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTER7iAFUgSJIx8FQT9xbsmg9TNBhr8-psfjLJA_jIHGADfBlCzKXSHH5DEslZU4Ugzl-Gc5k6G1Jpd0qMdrDJUklAcO8DawmF_hysAc6k0oR_e-WNy_l5KMsNwY5LccAIWwayPlP_B-jSwoGSCq5bi2LZs1pOXhZ3WR4RXK4p2oA7UAiU9N-c7Gn1/s1823/mymaid2.jpg 3/10 https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTER7iAFUgSJIx8FQT9xbsmg9TNBhr8-psfjLJA_jIHGADfBlCzKXSHH5DEslZU4Ugzl-Gc5k6G1Jpd0qMdrDJUklAcO8DawmF_hysAc6k0oR_e-WNy_l5KMsNwY5LccAIWwayPlP_B-jSwoGSCq5bi2LZs1pOXhZ3WR4RXK4p2oA7UAiU9N-c7Gn1/s1823/mymaid2.jpg iweayu i ee ee 0 ee 2 ee ee Grab your offer now with as low as RM20 now ! We will supply the best cleaner to your place. All cleaning tools will be provided and most importantly FREE sanitisation after work done. & #housekeeping #cleaning #maidcleaning #maid #homecleaning #springcleaning #carpetcleaning #deepcleaning #promotion #cleaner #professional #firsttrial #work #sanitise Make your booking now https://wa.link/ofqdyn Grab Your 50%" For First Trial Package 50% Promotion For New User Cleaning Tools Provided Well-trained Cleaners Free Sanitisation After Cleaning Order Now With RM20 Only! 3/10 4/10 Figure 2: MyMaidKL from a Facebook advertisement  (Source: https://twitter.com/Fiqqq_ahmad/status/1520200146700566528? s=20&t=4e60yr_fLurrumxg5ofjlA)   In this case here, mobile banking application users have been targeted by phishing scam messages which aim to trick victims into allowing receiving SMS permission to the malicious app after the victim installs the application file from https://mymaidkl[.]com. Figure 3: MY Maid application packaging kit flow of execution on victim devices. The malicious mechanism of the application are listed below: a) Force the application to allow receiving messages from the victim's devices. The application will be able to read received messages for the victim devices and send them back to the attacker server b) Send victim to customize MYMaid website which is used for phishing Analysis Website Analysis https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTER7iAFUgSJIx8FQT9xbsmg9TNBhr8-psfjLJA_jIHGADfBlCzKXSHH5DEslZU4Ugzl-Gc5k6G1Jpd0qMdrDJUklAcO8DawmF_hysAc6k0oR_e-WNy_l5KMsNwY5LccAIWwayPlP_B-jSwoGSCq5bi2LZs1pOXhZ3WR4RXK4p2oA7UAiU9N-c7Gn1/s1823/mymaid2.jpg https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiykzjZBs21thA4-D98zIJOdVT1uSUqLt1JiwH8QvuFBobx0LZd4bEEnSrtsIoNCeEAy-9ac6oPytnQuFJ2qlCWjdzp9u0xA6xc-9hzYotThAke4wfgYiThjU5N3fzJ3xdf8FxvxNWkYmr0guxP4wc7nMM0AIjgGFl5xQXvOvijEozIZhwMt2cvCQor/s940/1.png 5/10  Figure 4: Landing page of MY Maid website   Upon landing on the website, victims will be browsing a very legitimate-looking website providing maid service in Malaysia. The website https://mymaidkl[.]com is being hosted using WordPress CMS can be seen providing a WhatsApp quick chat link when inspecting the view-source of the page.    Figure 5: Website containing contact scammer through WhatsApp.   The number that is being used, 0172675873, can be contacted and still available.   https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVWMlfbyWJwcmpUznCtruRMojfebtVPRmnL6vpdm0WsxsNKcye1hudXNiTlDtzgBGNxgduOjilPYNfJkw8AnrA-LgzaMlBDcuWYA4DS-AnZnJxK3igW-N5uWn2a9WQFUXeW7lQNbP12f-ZTWQydk9ZetnhrUM3C8ETfCAstUroq3_ZKpJi4v93RxJL/s1350/2.png https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigpxBKNR6ZLqYCpGZ2Xf08DpKpkrYSAt8h47xM5qJrx1mGxb3cIkqFCTLpZ2l87Zamm-GzspgQwIqkfHp5qo1B2Wx6gFQ1KL4lwIWBj9oAqAx2MqecPzEKjyNhvy4jOb6vK43pjsCUz_TZvatxPHfVEqw4mbm5zEJNU7jD8LwBuw5mR-wf20mOQXT9/s732/3.png https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6SiAcZMHcq0Z-jAhU6hEHxGvyObWH87SSrba6f1Dc0XZ99E2IOmJA4jxTJ3lnlnUzu59dpRlb2p4FjfYLf1gRtVzut0R38NodHmfzsQnSzNZOGssuHL2ofsXR_k94FJv-gKB9oUTIb5xYjXzHi50ThBBA5W40nlXqa15_4GJF_xuveOynazotwV4c/s940/4.png 6/10 Figure 6: Website hosting malicious apk that should be downloaded by victims   NetbyteSEC malware analyst team determined that the website hosted the malicious APK in the website, so the victim will download and install the file on their devices. After downloading the APK, victims have to install the APK, in order to purchase the maid services provided. NetbyteSEC malware analyst team generated a static analysis report for the APK file to find the information about how the app connects to its backend, which can be used to perform attacks against the application server. From the static analysis, we are also able to understand the app’s permissions and intents, and other components that control how the app shares data with other apps and interacts with the operating system.    Static Analysis   NetbyteSEC malware analyst team begin the analysis by investigating the resources directory of the APK file. In the folder, the most important files that need to be analyzed are the Manifest file which is named AndroidManifest.xml, and classes.dex file which contains the DEX bytecode that is decompiled under the “Source Code” tab, and the assets/folder which contains any other files or dependencies that the APK may need to be run. In AndroidManifest.xml, the NetbyteSEC malware analyst team starts to identify any of the application entry points described in the Application Entry Point section.   https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_khrvLPGp0K2MYHXA0-0UrvooZ0d3i_0RfoMlz9g3Oc2Z7u5xlqCUsZffNDBjMC3WfrsBOFbDWfEEojtc8ta254WRwPDZi2Poao9j1w6xxbUgszxfZX3dFojZuz0XHOQGIpNiGJncTneGwje-0ffqxdKTmO7HX1Pc4Yhgmbzyuzx721x3sWh7-YSE/s940/5.png 7/10 Figure 7: AndroidManifest.xml of MY Maid application.   Looking through the manifest file, NetbyteSEC malware analyst team able to        see that the application has requested the android.permission.INTERNET permission and android.permission.RECEIVE_SMS from figure 7, which allows the application to create network sockets and listen to the message received by victim devices.    Figure 8: Permissions requested by the application This is a hard restricted permission which cannot be held by an application until the installer on record whitelists the permission. Android Permissions Description android.permission.INTERNET       Allows an application to create network sockets android.permission.RECEIVE_SMS Allows application to receive and process SMS messages. Malicious application may monitor your messages or delete them without showing them to you. There is an intention that was declared in the manifest file which is unusual for a streaming app as it is not related to streaming services.  https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidO2n3nly0HytejkcdG-oNVwz7RQf_5pE0fshrOTvDYSS347NVwHu9yQDHhlszX9eM_intvw9Ke8uPRYGNow7v0m0ZgNBRwCrzhBvk1aUJWSAfxxK1-0QSxgZDJarZoQEJ-4chYVIj-UqU2Lgsj3FtDUNq4KIHYXYwXg1PCeCBCG1PhY7dZjIrYUah/s1660/NEW8.PNG https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0D5nRisG7sXIsciolQUazyMV_7_EvtfKIG1jZIOfcGjrv8ukH5YFfs4dDu-S7smyw7DGWSBCE8KWiaIRtLq0AnUZ6lC8rBGqjt10L_NSQa-iB1_hcS7FSbRYY_9MUnqTb5hqcyYr2D0JziN4uUWUUo0NFdeUMYCU6Zsc05Anp9WE51C4kHASuRmnv/s1110/NEW7.png 8/10 Figure 9: Anomaly activity that being used by the malicious APK, ReceiverClass and MainClass      Figure 10: com.example.bio.MainClass Based on the figure above, NetbyteSEC malware analyst team concluded that the main class will request SMS accessibility of the device using android.permission.RECEIVE_SMS.  Figure 11: com.example.bio.MainClass Figure 10 shows that the application tried to request permission before proceeding to the main page, which would be the landing page of the phishing website. If the permission is not given, the message will pop up “Please allow SMS before or reinstall the app”. https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rj4-uoH-WA8DcY1UZ7jccWNdTg_k7Y9qFmE2Je8nB5y9YIS6h7XrettnPq6hMSnihvy_Ll5Ed0wgvaQ8rq2dzMYtDGll3eLfiTkm6p6gpv2ruVeeI-46R8rhbW-1_Aa4Sht13qZKWZFzTGSOHwCzWDD7W9ET5AuT03OvzGu2Xc2Z07ZsP-i17zOQ/s1050/NEW9.PNG https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjugO2WghD4tKzrXUzn9-GrDNaVs7PCUTfhMvyYkF6b7YqUBb4YCyUqM4oFzPje6RFrF22TJhEshCdT5riAm2T-DWpkU0hkdztgA5cihyiNNk-bsmlErgm4DnyFMjhUcmsOxAEMgfqIDoXvPFH70r5DhYLspcnYG-NThvGxGXQXyqdOcl7wkycUghz9/s1438/NEW6.PNG https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg04Bom1bZMqKVE-0MDgTKis0UdcaIFiDZ-qBinCuhevCGSTMm4kp1b0WCBoqrznZiul-h3_fRkEhNqHnMGQtWi8TgwWFs6BXO3Rk2vh3v6epCBx4mViZGS6MNFcZHChKLMZ1uduXhBciwzdYnkdIu9G9xnR31qberOlwByXI8TQ3uHTF28VZzHF2/s1262/NEW5.PNG 9/10 Figure 12: com.example.bio.MainClass After the victim allows the permission, the application will send a request to the attacker domain containing a specific parameter. One of the table parameters is dID parameter which uses the ID of the victim device , as line 37 from figure 11. This is related to the figure below, ReceiverClass which will be explained later. After allowing the permission, the victim will be redirected to the website page of https://mobile666.mymaidkl[.]com. The attacker do further phishing on specific which will be used to manipulate the victim submitting their sensitive information online.  Figure 13: com.example.bio.ReceiverClass On this figure, ReceiverClass is set up in order to obtain any message that is received by the victim device. In line 28, NBS team conclude that whenever a message was received, this function will be triggered and the content of the SMS message will be read by this application.   https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWJYLKXl2Bdm1FNM4U2mjQ-xsofUJcM-ew6TyP8KGTEvxiP8ZOxw3U3uCT-aA_e3V1UGiZLP97abRfIqb0eGUgmdXo4RK8Rgdybm1LpwhTRrX7hQwJCPn2etRF95YPrv6ZwWVGgoVgySOpo3VZkTxKtxeR8qAFOE7MZSM0WvPUCbbj7XLQ-LwLUuEu/s1621/new3.PNG https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinzg6bq1FeN2eXChTj-3J_51iQemiHfgke24vF5GQK9TyAHtnzPlxBK4No7hUYhQs2bFSKYJ0YmuthTndjTLP5dEifCOYvy53CFCWn6olu8xFaZ0nWust7fbSH_lkWwmZnWoXKWPVItnAc_yDa8atKSuVsYLL6zr1KKbvsBoPj-kCu5RBdy26HZE5I/s1750/new.png 10/10 Figure 14: com.example.bio.ReceiverClass  After the attacker receives the message from the victim, the application will compile the message in JSON format along with some other information like the ID of the device. Then, SMS_Received will broadcast to the website https://api.lapubo[.]com/SNSDBBSJN/ISSASDS . The attacker will synchronize the data from the C2 server and the phishing server by the ID of the message, which will be the Android ID of the victim device. Conclusion NetbyteSEC malware analyst team concluded that the android application sample contains malicious code. The start from the boot up through android.permission.RECEIVE_SMS permission. Then the malicious android application will request to have permission that can access the victim SMS messages. Upon receiving any SMS message, the application will read the message and pack the message in json format, then will send the packet to their C2 server along with the other data. IOC e58ffc4e23292d80916b0e19c184cdef +60172675873 https://api.lapubo[.]com https://mymaidkl[.]com https://mobile666.mymaidkl[.]com https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqfp1OfCfClKbfIpxAisTEElqz3mNqAwL08z2_2aGTYeJSrk8kUZsf2me-waCD-b5uiNCHOhx2LJkWh_I633hnvlF8IEAmIZpLyFEQD4-6fTzYSTbP11KxkI2Q_3hG8K-I3tVviSADddoi9dJCH-a01c58FTFkcoW5IZ5zBfmHC-kd1YGkJusDXJhY/s1560/new4.png