Brief Overview of Smishing Apps Targeting TMON and WEMAKEPRICE
2024.08.09

✅ Report Title:


Brief Overview of Smishing Apps Targeting TMON and WEMAKEPRICE



✅ Report Summary:


- Smishing cases exploiting the delayed refund incidents of TMON and WEMAKEPRICE have recently been identified; the malicious app used in them was collected and analyzed.

- This malicious app not only exfiltrates device information, contacts, message history, and images but also specifically targets National Public Key Infrastructure (NPKI) certificate information.



📌 What are the detailed analysis findings of the malicious app?


- The malicious app was discovered leveraging recent social issues, such as delayed refunds from TMON and WEMAKEPRICE. It was collected and subjected to preliminary analysis.


- At the app distribution source, an app impersonating the Korea Consumer Agency was found; the downloaded app displays a police icon.


- When installed and launched, the app requests battery optimization exclusion to maintain persistence and seeks permissions critical for its malicious actions:

    - READ_PHONE_STATE: Check phone state

    - READ_CONTACTS, WRITE_CONTACTS: Read and write contact information

    - READ_SMS, SEND_SMS: Read and send messages

    - READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE: Read and write storage
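The permission set above is a useful triage signal on its own. The following added example (not S2W's code, and not the app's real manifest) parses a constructed AndroidManifest.xml and reports which of the capabilities described in this brief the declared permissions fully enable; the "high/medium/low" verdict policy is this example's own assumption.

```python
# Added example (not S2W's code): flag the permission combination the brief
# describes in a decompiled AndroidManifest.xml. The manifest below is a
# constructed sample, not the real app's manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment mirroring the permissions listed in the brief.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.app">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Capability groups: each set of permissions enables one behaviour from the brief.
CAPABILITIES = {
    "read_and_modify_contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "read_and_send_sms": {"READ_SMS", "SEND_SMS"},
    "read_and_write_storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "device_identification": {"READ_PHONE_STATE"},
    "persistence_via_battery_exemption": {"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}


def extract_permissions(manifest_xml):
    """Return the short names (without 'android.permission.') of all uses-permission entries."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        perms.add(name.rsplit(".", 1)[-1])
    return perms


def assess_permissions(perms):
    """Map a permission set to the capabilities it fully enables, plus a verdict."""
    enabled = sorted(cap for cap, needed in CAPABILITIES.items() if needed <= set(perms))
    # Policy assumed by this example: SMS + contacts + storage together is the
    # profile of the app in the brief and is rated high; any single group is medium.
    smishing_profile = {"read_and_send_sms", "read_and_modify_contacts", "read_and_write_storage"}
    if smishing_profile <= set(enabled):
        verdict = "high"
    elif enabled:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": enabled, "verdict": verdict}


if __name__ == "__main__":
    print(assess_permissions(extract_permissions(SAMPLE_MANIFEST)))
```

The check keys on full capability groups (both read and write, both read and send) rather than single permissions, because a legitimate messaging or contacts app may hold one of them; it is the combination across SMS, contacts and storage, plus the battery-optimization exemption, that matches the behaviour described here.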


- The app then transmits device information, contacts, message history, and images to a Command and Control (C2) server. The domains used by this malicious app include:

    - hxxps://pindirect.mca[.]lol

    - hxxps://skt.mca[.]lol

    - hxxps://tplus.mca[.]lol

    - hxxps://lg.mca[.]lol

    - hxxps://kt.mca[.]lol


- If an "NPKI/yessign" path exists on the infected device, the app compresses the entire NPKI directory, saving it as /storage/emulated/0/NPKI.zip, and sends the file to the C2 server.
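The domains and the NPKI.zip staging path above can be turned directly into detection content. The following added example (not S2W's code) refangs the listed indicators and scans constructed DNS and proxy log lines for them; the log format, the decision to also match any host under the shared parent zone, and the sample lines themselves are assumptions of this example.

```python
# Added example (not S2W's code): turn the brief's defanged C2 domains into
# matchable indicators and scan constructed DNS / proxy log lines for them,
# together with the NPKI.zip staging path the brief describes.
import re

DEFANGED_C2 = [
    "hxxps://pindirect.mca[.]lol",
    "hxxps://skt.mca[.]lol",
    "hxxps://tplus.mca[.]lol",
    "hxxps://lg.mca[.]lol",
    "hxxps://kt.mca[.]lol",
]
NPKI_STAGING_PATH = "/storage/emulated/0/NPKI.zip"


def refang(indicator):
    """Convert hxxp(s):// and [.] defanging back to a plain lowercase hostname."""
    url = indicator.replace("hxxps://", "https://").replace("hxxp://", "http://")
    url = url.replace("[.]", ".")
    return re.sub(r"^https?://", "", url).rstrip("/").lower()


C2_HOSTS = {refang(d) for d in DEFANGED_C2}
# All listed hosts share one parent zone; matching the parent as well is this
# example's choice so that new subdomains of the same zone are also flagged.
C2_PARENT_ZONES = {h.split(".", 1)[1] for h in C2_HOSTS}  # {"mca.lol"}


def hostname_matches(host):
    """True if host is a listed C2 host or sits under a listed parent zone."""
    host = host.lower().rstrip(".")
    if host in C2_HOSTS:
        return True
    return any(host == z or host.endswith("." + z) for z in C2_PARENT_ZONES)


# Constructed log lines (DNS resolver style and proxy style); not real telemetry.
SAMPLE_LOGS = [
    "2024-08-09T10:01:02Z dns client=10.0.0.5 query=skt.mca.lol type=A",
    "2024-08-09T10:01:05Z proxy client=10.0.0.5 method=POST url=https://skt.mca.lol/upload file=/storage/emulated/0/NPKI.zip",
    "2024-08-09T10:02:00Z dns client=10.0.0.7 query=example.com type=A",
    "2024-08-09T10:03:11Z dns client=10.0.0.9 query=new.mca.lol. type=A",
]

# Pulls the hostname out of either a "query=" (DNS) or "url=" (proxy) field.
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")


def scan_logs(lines):
    """Return (line_index, reason) for each line hitting a C2 host or the NPKI staging path."""
    hits = []
    for i, line in enumerate(lines):
        m = HOST_RE.search(line)
        if m and hostname_matches(m.group(1)):
            hits.append((i, "c2_domain:" + m.group(1).rstrip(".").lower()))
        if NPKI_STAGING_PATH in line:
            hits.append((i, "npki_archive_path"))
    return hits


if __name__ == "__main__":
    for idx, reason in scan_logs(SAMPLE_LOGS):
        print(idx, reason, SAMPLE_LOGS[idx])
```

A line can produce two hits, as the proxy line does here (C2 host and NPKI archive path together), which is the combination worth prioritising: it indicates the certificate archive is already being uploaded, not merely that the device resolved the domain.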


- Additionally, when specific values are received in the inst field via the MQTT protocol from the C2 server, the app performs designated malicious actions as follows:

    - 1: Upload contact information (name and phone number)

    - 2: Delete a contact specified in the data field

    - 3: Upload message history (recipient info and message content)

    - 5: Upload image files

    - 8: Force-send a message with the content to a specified phone number

    - 24: Upload information on all installed apps (icon, app name, version, package name, install time, update time)

    - 30: Add contact information as specified in name and phoneNum fields

    - 41: Upload current volume information

    - 42: Mute or set volume to 5 based on the data field value

    - 44: Upload account information
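When C2 traffic for this app has been captured, the instruction codes above allow each message to be labelled by the action it would trigger. The following added example (not S2W's code) decodes constructed MQTT payloads and classifies them against the codes listed in this brief; that the payload is JSON carrying inst, data, name and phoneNum as top-level keys is an assumption of this example (the brief names the fields but not the encoding), and the category labels are its own.

```python
# Added example (not S2W's code): classify captured C2 messages by the "inst"
# codes the brief documents. That the MQTT payload is JSON with "inst" and
# "data"/"name"/"phoneNum" keys is an assumption of this example; the brief
# names the fields but not the encoding.
import json

# inst code -> (action label, category, required fields), following the brief.
# Required fields are only those the brief names for that code.
INST_TABLE = {
    1:  ("upload_contacts", "exfiltration", ()),
    2:  ("delete_contact", "tampering", ("data",)),
    3:  ("upload_messages", "exfiltration", ()),
    5:  ("upload_images", "exfiltration", ()),
    8:  ("force_send_sms", "abuse", ()),
    24: ("upload_installed_apps", "exfiltration", ()),
    30: ("add_contact", "tampering", ("name", "phoneNum")),
    41: ("upload_volume", "reconnaissance", ()),
    42: ("set_volume", "tampering", ("data",)),
    44: ("upload_accounts", "exfiltration", ()),
}


def classify_command(payload):
    """Decode one captured MQTT payload (bytes) and label the action it would trigger."""
    try:
        msg = json.loads(payload)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return {"status": "unparseable"}
    if not isinstance(msg, dict):
        return {"status": "unparseable"}
    try:
        inst = int(msg.get("inst"))
    except (TypeError, ValueError):
        return {"status": "missing_inst"}
    entry = INST_TABLE.get(inst)
    if entry is None:
        return {"status": "unknown_inst", "inst": inst}
    action, category, required = entry
    missing = [f for f in required if f not in msg]
    return {"status": "known", "inst": inst, "action": action,
            "category": category, "missing_fields": missing}


def summarize(payloads):
    """Count messages per category across a capture; unknown/unparseable are counted separately."""
    counts = {}
    for p in payloads:
        r = classify_command(p)
        key = r["category"] if r["status"] == "known" else r["status"]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample capture, not real traffic.
SAMPLE_CAPTURE = [
    b'{"inst": 1}',
    b'{"inst": 30, "name": "Sample Contact", "phoneNum": "010-0000-0000"}',
    b'{"inst": 42, "data": "mute"}',
    b'{"inst": 2}',
    b'{"inst": 99}',
    b'not json',
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(p, classify_command(p))
    print(summarize(SAMPLE_CAPTURE))
```

Unknown codes are reported rather than dropped: the list in this brief is what was observed in this sample, and a new code in a capture is itself a finding worth a closer look at the decompiled handler.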



✅ Recommended Threat Detection and Mitigation Measures:


- For a comprehensive analysis and specific mitigation measures against smishing apps, please contact through the link below.



🧑‍💻 Report Author: S2W TALON


👉 For inquiries about the full report: https://s2w.inc/en/contact



