Introduction
In March 2021, Zscaler identified a small number of download requests for malicious Android applications served from sites the threat actor had built to social engineer users in India. The actor uses the latest events and news in India as the social engineering theme to lure users into downloading and installing these malicious Android apps.
The researchers identified several GitHub accounts hosting the malicious Android apps (APK files) and web pages actively used in this campaign.
One of the Android apps masquerades as the TikTok app. In 2020, TikTok was banned by the government of India, and the attackers exploit that theme by falsely telling users that TikTok is available in India again.
Another instance observed recently involved a lure themed on a “Free Lenovo Laptop” scheme from the Indian government.
This post describes the complete infection chain and the timeline of this threat actor, highlighting how the theme has changed over time to keep distributing the malicious Android apps.
Timeline
The graphical timeline below shows the different themes used by the threat actor over a period of time.
Attack flow
The infection chain begins with an SMS or WhatsApp message containing a shortened URL, which ultimately redirects to an attacker-controlled website hosted on Weebly. The content of this site is crafted around current events in India and used for social engineering.
In the original download request observed in the Zscaler cloud, the User-Agent string was WhatsApp/2.21.4.22, indicating that the link was clicked from a WhatsApp message.
As an example, in one instance the shortened URL redirected the user to the website https://tiktokplus[.]weebly.com/, shown in Figure 3.
Shortened link: http://tiny[.]cc/Tiktok_pro
URL: https://tiktokplus[.]weebly.com/
GitHub download link: https://github.com/breakingnewsindia/t1/raw/main/Tiktik-h.apk
This webpage misinforms the user that the TikTok application is available again in India and lures them to download it. The actual APK file is hosted on an attacker-controlled GitHub account.
GitHub account name: breakingnewsIndia
GitHub repository: https://github.com/breakingnewsindia/t1/
During their research on this threat actor, the researchers also identified several more GitHub accounts; the complete list is available in the Indicators of Compromise (IOC) section of the full report.
The following screenshots show two more such GitHub accounts.
The latest theme used by this threat actor is related to “Free Lenovo laptop scheme by Indian Government”.
Shortened URL: hxxps://tiny[.]cc/Register-Laptop
Final URL: hxxps://govlapp[.]weebly.com/
MD5 hash of APK file: f9e5fac6a4873f0d74ae37b246692a40
Package name: com.jijaei.pikapinjan
The next screenshot shows the website crafted by the attacker and hosted on weebly.com which misinforms the user and lures them to download the APK file.
Read the full report: https://www.zscaler.com/blogs/security-research/android-apps-targeting-jio-users-india
Advice
Remember that a shortened URL may hide malware, spyware or otherwise offensive material. Most URL shorteners provide a preview option, so if you are unsure about a link you have received, even from a trusted contact, preview it before clicking. For tiny.cc, add an equal sign to the end of the short URL, as in this example: http://tiny.cc/u69qrw= . The preview page lets you safely see the destination address in its full, expanded form before visiting the site. Note that the preview only reveals the shortener's immediate target; that destination can itself redirect further, so treat it with the same suspicion as the original link.
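The preview trick above works for one hop of one shortener. The following script is an added example (not code from Zscaler or from the report) that expands a short link the same way an analyst would: one HEAD request per hop, redirects resolved manually, a hop limit so a redirect loop cannot hang the tool, and the result printed defanged. It also applies the campaign-specific checks suggested by the chain described under Attack flow (shortener, then a Weebly lure page, then an APK served from GitHub); those heuristics, the hostnames in the sample chain and the `fetch` stand-in are assumptions constructed for the example, not indicators from the report.

```python
"""Expand a shortened URL hop by hop with HEAD requests and flag sideloaded-APK destinations.

Added example for this post, not code from Zscaler or the report. Only HEAD
requests are issued, each redirect is resolved manually, and the final page body
(the lure) is never downloaded. The rules in assess() are assumptions drawn from
this post's chain (tiny.cc -> Weebly lure -> GitHub-hosted APK).
"""
import http.client
import urllib.parse
from typing import Callable, List, Optional, Tuple

MAX_HOPS = 10
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Fetcher contract: url -> (HTTP status, value of the Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class RedirectLoop(Exception):
    """Raised when the chain exceeds the hop limit (a loop or a redirect maze)."""


def tinycc_preview(short_url: str) -> str:
    """tiny.cc preview form from the post: append '=' to the short URL."""
    return short_url if short_url.endswith("=") else short_url + "="


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident: http -> hxxp, '.' -> '[.]' in the host."""
    p = urllib.parse.urlsplit(url)
    return urllib.parse.urlunsplit(
        (p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment)
    )


def head_request(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """One HEAD request with redirects NOT followed; returns (status, Location header)."""
    p = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, fetch: Fetcher = head_request, max_hops: int = MAX_HOPS) -> List[str]:
    """Follow redirects manually; returns every hop, original URL first, final URL last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        # Location may be relative; resolve it against the URL that issued it.
        chain.append(urllib.parse.urljoin(chain[-1], location))
    raise RedirectLoop(f"more than {max_hops} redirects starting at {defang(url)}")


def assess(chain: List[str]) -> List[str]:
    """Campaign-specific heuristics (assumed, from this post's chain); empty list means nothing flagged."""
    reasons = []
    final = urllib.parse.urlsplit(chain[-1])
    if final.path.lower().endswith(".apk"):
        reasons.append("final hop is a direct APK download (sideloading, not an app store)")
    github_raw = (final.netloc == "github.com" and "/raw/" in final.path) or (
        final.netloc == "raw.githubusercontent.com"
    )
    if github_raw:
        reasons.append("file served from a GitHub repository's raw content")
    if any(urllib.parse.urlsplit(h).netloc.endswith(".weebly.com") for h in chain):
        reasons.append("chain passes through a free site-builder host used for the lure page")
    return reasons


if __name__ == "__main__":
    # Constructed, offline stand-in for the network, mirroring the chain described in the post.
    fake = {
        "http://tiny.cc/Tiktok_pro": (301, "https://tiktokplus.weebly.com/"),
        "https://tiktokplus.weebly.com/": (200, None),
    }
    hops = expand("http://tiny.cc/Tiktok_pro", fetch=lambda u: fake[u])
    print("preview:", tinycc_preview("http://tiny.cc/Tiktok_pro"))
    for i, hop in enumerate(hops):
        print(f"hop {i}: {defang(hop)}")
    for reason in assess(hops):
        print("flag:", reason)
```

To run it against a real link, call `expand(url)` with the default `head_request` fetcher; the `__main__` block uses the constructed `fake` table so the script runs offline. The APK-by-URL check is deliberately weak (the final hop may be a landing page whose download button points elsewhere, exactly as the Weebly lure does here), so treat an empty result from `assess()` as "nothing obvious", not as "safe".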
Conclusion
Spreading malicious URLs through messages, redirecting users to an attacker-controlled website on Weebly.com and luring them to download the malicious APK file from GitHub is an example of well-organized social engineering.
As noted, this threat actor stays up to date with the latest events in India and leverages them for social engineering.
Users must exercise caution before downloading and installing Android applications from untrusted and third-party sources, even when the links come from mutual contacts. As seen in this attack, the malicious download links are sent through the user's existing contact list. Apps such as TikTok must only be downloaded from official sources.
Image credit: Pixabay.com