{
	"id": "76a10e72-f657-4d7f-84bf-4f005929a43e",
	"created_at": "2026-04-06T00:19:22.776585Z",
	"updated_at": "2026-04-10T03:30:33.855253Z",
	"deleted_at": null,
	"sha1_hash": "e07a478575428ee2b39da8e535c2a8fabab3430c",
	"title": "Jamba superdeal: helo sir, you want to buy mask? - corona safety mask sms scam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3123907,
	"plain_text": "Jamba superdeal: helo sir, you want to buy mask? - corona safety\r\nmask sms scam\r\nBy f0wL\r\nPublished: 2020-03-20 · Archived: 2026-04-05 16:14:56 UTC\r\nFri 20 March 2020 in Mobile\r\nAs if there wasn't enough pain and suffering in the world already because of COVID-19, some criminals still try to\r\npiggyback on the fear of others. A quick look at an Android SMS \"Worm\".\r\nSince the current COVID-19 outbreak is getting massively taken advantage of by various cybercriminals I thought\r\nit would be a good opportunity to try out Android reverse engineering. Let's dive right in:\r\nThe following dynamic part of this analysis was done in VirtualBox with the most recent version of Android-x86.\r\nFor those playing along at home: The setup is really simple (as Live Booting is sufficient). Just remember to\r\ncrank up the Video Memory, change the Graphics Controller to VBoxVGA and enable 3D Acceleration as\r\notherwise the VM will only boot to a command prompt.\r\nhttps://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html\r\nPage 1 of 7\n\nDuring the installation process there are no permissions to be granted to it.\r\nBefore finishing the installation there is a Google Play Protect warning already. I'm not sure if this is a signature\r\nbased detection or actually based on the expected behaviour while parsing the package. I'll install it anyway.\r\nAfter opening \"Corona Safety Mask\" for the first time it will ask for the permission to access the user's address\r\nbook.\r\nAnd secondly it requires the permission to send SMS messages as well. This should be a red flag to users in\r\ngeneral if the request is made without any notice as to why this permission is required (e.g. a second factor\r\nauthentication). 
Scams like this can get very expensive for the user, which is probably also one of the major goals\r\nof this malware.\r\nBelow you can see the main (and only) view of the app. Questionable content, more typos... red flags everywhere,\r\nbut some people might just be desperate enough to fall for it.\r\nFor static analysis of the APK file I'll be using jadx-GUI. Below you can find the GitHub Repository.\r\nIt works very well for my purposes here and it even has a dark mode 😎\r\nUpon tapping the \"Get Safety Mask\" button in the app it will direct you to a second website called Masksbox\r\nwhich might be part of a larger scam setup.\r\nWhen I visited the page this morning it was displaying this downtime message. A quick check via archive.org\r\ndidn't return a recent snapshot of the page.\r\nA few hours later the website was back up with a partially configured Wordpress CMS. The Navbar makes it quite\r\nobvious that the page is still being built.\r\nOf course there can't be a malware sample without at least one funny typo. Here we can also see that the app is\r\nusing the EasyPermissions wrapper library to handle contacts and SMS functionality.\r\nThis section of the code is responsible for reading the contents of the victim's address book and writing them to a\r\nlist.\r\nDepending on the size of the contacts list it will either start at a random index and work its way up if there are\r\nover 100 contacts in the list or it will just send an SMS to all contacts if there are less than 100 in the list.\r\nLastly we can take a look at the signature of the APK. 
It was signed with the CN \"Hemant Prajapat\", but that is a\r\nfake name for sure. Other than that there's not much interesting info to get from this.\r\nAnd that's it! In times like this it is especially important to keep your means of communication safe, so better be\r\nextra careful. Stay home, stay safe (on the interwebs) and most importantly: stay healthy (applies to you and your\r\ndevices).\r\nIOCs\r\nCoronaSafetyMask\r\nCoronaSafetyMask.apk --\u003e SHA256: 8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1\r\n SSDEEP: 24576:KjQEzqDqCXaTJwv2AbxMHKR+ZCGPEmD8oJxmLaRyiLQuZgvNwN:wqDjaNcdRNw\r\nURLs\r\nhxxp://coronasafetymask[.]tk\r\nhxxp://masksbox[.]com\r\nSource: https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html"
	],
	"report_names": [
		"jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e07a478575428ee2b39da8e535c2a8fabab3430c.pdf",
		"text": "https://archive.orkl.eu/e07a478575428ee2b39da8e535c2a8fabab3430c.txt",
		"img": "https://archive.orkl.eu/e07a478575428ee2b39da8e535c2a8fabab3430c.jpg"
	}
}