As always, attackers take every available road to reach their destination. With oxygen supply shortages and staying safe dominating the news during the Covid-19 pandemic, they have taken this route too, spreading fake oximeter apps that lure victims into installing an Android Banking Trojan.

These fake oximeter apps target Indian users; let us see how one such app works.

Analysing one of the fake oximeter apps, “Oximeter O2”, revealed that this app

  • Masquerades as a blood oxygen saturation (SpO2) level checker
  • Spreads by spamming a malicious link to the members of the victim’s contact list via SMS and WhatsApp (link defanged): hxxps[://mega[.nz/file/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g
  • Specifically targets Indian users: it prepends the Indian country code “+91” to the numbers in the contact list when checking whether a contact has WhatsApp installed
  • Delivers, via the above link, the sample “Oxygen Saturation Checker.apk”, which is the Anubis Banking Trojan for Android

Once installed the “Oximeter O2” app looks as shown in Figures 1 & 2.

Figure 1: Oximeter O2 app in the app drawer
Figure 2: Permissions requested by the fake app

When launched, it brings up the WhatsApp media-forward screen, which tells the victim that a contact (taken from the victim’s contact list) is not on WhatsApp and prompts them to add the contact, as shown in Figure 3.

Figure 3: Fake app’s request to add the contact to WhatsApp

Note from Figure 3 that the app prepends “+91” to the numbers in the contact list to check whether the contact is on WhatsApp, which indicates that it targets Indian users.

If the contact is already on WhatsApp, or is added to it, the app forwards the same download link to that contact, as shown in Figure 4.

Figure 4: Malicious link sent to the WhatsApp contacts

If the contact is not on WhatsApp, it instead sends an SMS carrying the malicious link to the same app, as shown in Figure 5.

Figure 5: Malicious link sent via SMS

Downloaded Banking Trojan

When the downloaded sample “Oxygen Saturation Checker.apk” is executed, it installs as “COVID-19 DESTEK” (Turkish for “COVID-19 SUPPORT”), as shown in Figure 6.

Figure 6: COVID-19 DESTEK

On installation it asks for a set of permissions to

  • send and view SMS
  • make calls
  • fetch location information
  • read contacts
  • access external storage

and for other capabilities, as listed below, to

  • record audio
  • full network access
  • retrieve and kill running apps
  • close other apps
  • run at startup

Figure 7: Permissions and other capabilities requested by the payload (Banking Trojan)
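The permission set above is itself a useful triage signal: no pulse-oximeter app needs to send SMS, read contacts, record audio or start at boot. The script below is an added example for this post, not K7’s tooling. It parses a decoded AndroidManifest.xml (as produced by apktool) and maps the standard android.permission.* constants, which are assumed here to correspond to the Play-store-style descriptions listed above, onto those capability labels. The two manifests at the bottom are constructed for illustration: the first mirrors the payload’s package name and permission list from this post, the second is a plausible benign oximeter app using only the camera.

```python
"""Triage a decoded AndroidManifest.xml for the dropper/banker permission set.

Added example for this post (not K7's code). Permission names are the
standard android.permission.* constants assumed to match the Play-store
descriptions used in the post. Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability label (as worded in the post) -> permissions that grant it.
CAPABILITIES = {
    "send and view SMS": {"android.permission.SEND_SMS",
                          "android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS"},
    "make calls": {"android.permission.CALL_PHONE"},
    "fetch location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "access external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "full network access": {"android.permission.INTERNET"},
    "retrieve/kill running apps": {"android.permission.GET_TASKS",
                                   "android.permission.KILL_BACKGROUND_PROCESSES"},
    "run at startup": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# A blood-oxygen checker has no legitimate use for any of these.
NEVER_NEEDED_BY_OXIMETER = {
    "send and view SMS", "make calls", "read contacts", "record audio",
    "retrieve/kill running apps", "run at startup",
}


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name="..."/> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Map permissions to capability labels and flag the suspicious ones."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    present = {cap for cap, names in CAPABILITIES.items() if perms & names}
    # Dropper signature from the post: SMS sending plus contact-list access.
    spreader = {"send and view SMS", "read contacts"} <= present
    return {
        "package": root.get("package"),
        "capabilities": sorted(present),
        "suspicious": sorted(present & NEVER_NEEDED_BY_OXIMETER),
        "sms_spreader": spreader,
    }


# Constructed manifest: payload package name and permission list from the post.
SAMPLE_PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jnised.vpudbr.ifxvyx">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="COVID-19 DESTEK"/>
</manifest>
"""

# Constructed manifest: a plausible benign camera-based oximeter app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.spo2camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="SpO2 Camera"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("payload", SAMPLE_PAYLOAD_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

Run it against `apktool d sample.apk` output by reading that AndroidManifest.xml into `triage()`; the `sms_spreader` flag alone would catch the “Oximeter O2” dropper described above, while the `suspicious` list captures the wider banker permission set.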

Like any other Banking Trojan, this malware steals banking credentials and OTP SMSes and forwards them to the attacker. For further reading on Banking Trojans, please refer to our previous blog post.

Recently we have been seeing an increasing number of attacks targeting Indian users via SMS or WhatsApp messages carrying links. We strongly recommend that users do not click such links and do not install apps from any source or URL other than the official Google Play Store. We also recommend installing a reputed security product such as K7 Mobile Security to stay safe against such attacks.

Indicators Of Compromise (IOCs)

Downloader samples

App Name      Package Name                     MD5                               K7 Detection Name
Oximeter O2   com.body.saturation.oximetero2   84684e063b664aa2d1b8c5441d1fb1b9  Trojan ( 0001140e1 )
Oximeter-H    com.vphealthy.oximeter           408373dab2fc8d72f58a0b2aa468a1c8  Trojan ( 0053576b1 )
OXI tracker   com.blt.oximeter                 acd1ef25823bbfee1162489c54df4c46  Adware ( 0052d5ec1 )

Downloaded file

App Name          Package Name             MD5                               K7 Detection Name
COVID-19 DESTEK   jnised.vpudbr.ifxvyx     7f62b553f3d9a9e28d7831d83eb06663  Trojan ( 005768471 )
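To check a device or file share against the IOCs above, the following added example (written for this post, not K7’s tooling) refangs the defanged mega.nz link so it can be searched for in file contents, hashes each file with MD5 (the algorithm the tables use) and reports matches. The mega.nz file ID is searched for as well, since the scheme or host may be built at runtime. The byte blob at the bottom is constructed test data, not a real sample, and the `sweep()` directory layout (for example a Download folder pulled with `adb pull`) is an assumption.

```python
"""Sweep files against the IOC tables above: MD5 hashes and the spreading link.

Added example for this post (not K7's code). IOC hashes and the defanged
URL are copied from the tables; the sample blob below is constructed.
"""
import hashlib
import os
import re
import sys

# MD5 -> (app name, package name), from the IOC tables above.
IOC_MD5 = {
    "84684e063b664aa2d1b8c5441d1fb1b9": ("Oximeter O2", "com.body.saturation.oximetero2"),
    "408373dab2fc8d72f58a0b2aa468a1c8": ("Oximeter-H", "com.vphealthy.oximeter"),
    "acd1ef25823bbfee1162489c54df4c46": ("OXI tracker", "com.blt.oximeter"),
    "7f62b553f3d9a9e28d7831d83eb06663": ("COVID-19 DESTEK", "jnised.vpudbr.ifxvyx"),
}

DEFANGED_URL = "hxxps[://mega[.nz/file/Zhh0RSJQ#81GUF7ruoEv9itdyh_kswLlBYWoAe0TwMLt4MTM9V4g"


def refang(url: str) -> str:
    """Undo common defanging: hxxp -> http, '[://' -> '://', '[.]' and '[.' -> '.'."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    # '[.]' must be handled before '[.' so the closing bracket is not left behind.
    return url.replace("[://", "://").replace("[.]", ".").replace("[.", ".")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_blob(data: bytes) -> dict:
    """Report whether a file's contents match an IOC hash or carry the link."""
    digest = md5_hex(data)
    url = refang(DEFANGED_URL)
    file_id = url.rsplit("/", 1)[-1].split("#", 1)[0]  # "Zhh0RSJQ"
    return {
        "md5": digest,
        "hash_match": IOC_MD5.get(digest),
        "url_match": url.encode() in data or file_id.encode() in data,
    }


def sweep(directory: str) -> list:
    """Walk a directory and return (path, result) for every file that matches."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                result = classify_blob(fh.read())
            if result["hash_match"] or result["url_match"]:
                hits.append((path, result))
    return hits


# Constructed stand-in for a dropper's string table carrying the link.
CONSTRUCTED_DROPPER_STRINGS = (
    b"\x00\x00Oximeter O2\x00Checking your SpO2...\x00"
    + refang(DEFANGED_URL).encode()
    + b"\x00Share with your contacts\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in sweep(sys.argv[1]):
            print(path, result)
    else:
        print(classify_blob(CONSTRUCTED_DROPPER_STRINGS))
```

A hash match identifies one of the exact samples listed; a link match catches repackaged variants that still point at the same mega.nz drop, which is why both checks are kept.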