Sunday, January 21, 2018

Aadhar malware

Overview

Today we spotted a malicious app posing as the Aadhar mobile app. Aadhar is the identity card issued by the Indian Government to Indian citizens: a 12-digit unique identity number issued to all Indian residents based on their biometric and demographic data. It is linked to a citizen's bank accounts and to other basic services such as telecom (SIM card) services. Aadhaar is the world's largest biometric ID system, with over 1.19 billion enrolled members as of 30 Nov 2017.

Data Leak

Recent reports asserted that, for INR 500 (roughly seven USD) paid via Paytm, details such as name, address, postal code, photo, phone number, and email could be retrieved. The authorities denied that the breach gave access to the details of millions of Aadhaar cardholders, saying the search facility is available to designated personnel only for the purpose of grievance redressal. After this news hit the media, privacy advocates started questioning the security of the system.

Malicious Aadhar Application

Hash (SHA-256): d1170fa637def71e9fd50fbaf1a6c180edaa07859c09d67654302587ab1e9689
File type: Android app
File size: 11931 KB

We analysed this sample in our controlled environment. After extracting the ‘classes.dex’ file from the original application, we converted the dex file to the jar format so we could read the code.

Figure 1 Dex to jar file
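As an added example (not code from the original post), the sanity checks an analyst runs on the extracted ‘classes.dex’ before handing it to a dex-to-jar converter: pull the file out of the APK, confirm it is a well-formed DEX (magic, declared file size, Adler-32 checksum and SHA-1 signature as defined by the DEX format), and record the SHA-256 so the notes can be tied back to the sample hash. The APK and DEX bytes built by `build_dex_header` and `build_apk` are constructed here for illustration and are not the malicious sample.

```python
"""Pre-conversion triage of a classes.dex pulled out of an APK (added example)."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed header length in every DEX version
ENDIAN_CONSTANT = 0x12345678    # little-endian DEX; 0x78563412 means byte-swapped


def build_dex_header(version: bytes = b"035", body: bytes = b"") -> bytes:
    """Construct a minimal, internally consistent DEX file (constructed test data).

    Layout: magic(8) checksum(4) signature(20) file_size(4) header_size(4)
    endian_tag(4) then 17 uint32 table sizes/offsets left at zero (no tables)."""
    file_size = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<III", file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\x00" * (DEX_HEADER_SIZE - 32 - len(tail))
    signed_region = tail + body                      # everything from offset 32
    signature = hashlib.sha1(signed_region).digest()  # covers offset 32 .. end
    checksum = zlib.adler32(signature + signed_region) & 0xFFFFFFFF  # offset 12 .. end
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + signed_region


def build_apk(dex: bytes) -> bytes:
    """Wrap a dex in a minimal zip so extraction can be demonstrated offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder content
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def extract_classes_dex(apk: bytes) -> bytes:
    """Return the primary classes.dex from an APK (an APK is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read("classes.dex")


def parse_dex_header(data: bytes) -> dict:
    """Validate the DEX header and return its key fields.

    Raises ValueError on the first inconsistency; a truncated or patched dex
    fails here instead of producing a misleading jar later."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    if data[:4] != b"dex\n" or data[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    version = data[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag (byte-swapped DEX not handled here)")
    if header_size != DEX_HEADER_SIZE:
        raise ValueError(f"unexpected header_size {header_size:#x}")
    if file_size != len(data):
        raise ValueError(f"declared file_size {file_size} != actual {len(data)}")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch (truncated or tampered dex)")
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("Adler-32 checksum mismatch")
    return {
        "version": version,
        "file_size": file_size,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_expected_hash(data: bytes, expected_sha256: str) -> bool:
    """Compare a file's SHA-256 with the hash recorded in the analysis notes."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


if __name__ == "__main__":
    apk = build_apk(build_dex_header(body=b"\x00" * 16))
    dex = extract_classes_dex(apk)
    print(parse_dex_header(dex))
```

Run it on a real sample by replacing `build_apk(...)` with the bytes of the APK under analysis; any `ValueError` means the dex should not be trusted as-is, and the returned `sha256` is what goes into the report next to the sample hash.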

Decompiling the jar revealed some interesting code.

Figure 2 Aadhar class

This application contains code for most of the Aadhar functionalities, such as biometric handling, a barcode reader (the barcode is part of the Aadhar card), notification responses, OTP responses, and the resident profile.

Figure 3 Aadhar functionality

Conclusion

Many people in India do not use anti-malware solutions on their smartphones. More importantly, user awareness is what counters this kind of mobile malware.
