Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
History is littered with hundreds of conflicts over the future of a community, group, location or business that were "resolved" when one of the parties stepped ahead and destroyed what was there. With the original point of contention destroyed, the debates would fall to the wayside. Archive Team believes that by duplicated condemned data, the conversation and debate can continue, as well as the richness and insight gained by keeping the materials. Our projects have ranged in size from a single volunteer downloading the data to a small-but-critical site, to over 100 volunteers stepping forward to acquire terabytes of user-created data to save for future generations.
The main site for Archive Team is at archiveteam.org and contains up to the date information on various projects, manifestos, plans and walkthroughs.
This collection contains the output of many Archive Team projects, both ongoing and completed. Thanks to the generous providing of disk space by the Internet Archive, multi-terabyte datasets can be made available, as well as in use by the Wayback Machine, providing a path back to lost websites and work.
Our collection has grown to the point of having sub-collections for the type of data we acquire. If you are seeking to browse the contents of these collections, the Wayback Machine is the best first stop. Otherwise, you are free to dig into the stacks to see what you may find.
The Archive Team Panic Downloads are full pulldowns of currently extant websites, meant to serve as emergency backups for needed sites that are in danger of closing, or which will be missed dearly if suddenly lost due to hard drive crashes or server failures.
ArchiveBot is an IRC bot designed to automate the archival of smaller websites (e.g. up to a few hundred thousand URLs). You give it a URL to start at, and it grabs all content under that URL, records it in a WARC, and then uploads that WARC to ArchiveTeam servers for eventual injection into the Internet Archive (or other archive sites).
To use ArchiveBot, drop by #archivebot on EFNet. To interact with ArchiveBot, you issue commands by typing it into the channel. Note you will need channel operator permissions in order to issue archiving jobs. The dashboard shows the sites being downloaded currently.
The Wayback Machine - https://web.archive.org/web/20230629180538/https://www.microsoft.com/en-us/security/blog/2022/09/21/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices/
Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan (RAT) capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out messages containing a link that points to the info-stealing Android malware. The malware’s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions. The malware’s ability to steal all SMS messages is also concerning since the data stolen can be used to further steal users’ sensitive info like 2FA messages for email accounts and other personally identifiable information (PII).
Figure 1. Typical SMS campaign attack flow
Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo compared to a similar malware reported in 2021. Moreover, we found that this fake app’s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank’s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.
This blog details our analysis of the recent version’s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank’s support or advice on digital options for your bank. Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.
Observed activity
What the user sees
We have seen other campaigns targeting Indian banks’ customers based on the following app names:
Axisbank_rewards.apk
Icici_points.apk
Icici_rewards.apk
SBI_rewards.apk
Our investigation focused on icici_rewards.apk (package name: com.example.test_app), which presents itself as ICICI Rewards. The SMS campaign sends out messages containing a malicious link that leads to installing a malicious APK on a target’s mobile device. To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank.
Figure 2. The text message with a malicious link sent to users
Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.
Figures 3 and 4. App installed on the Android device. The app asks users to enable permissions on text messaging and contacts, to name a few
The fake app asks for credit card information upon being granted all permissions. This should raise users’ suspicions on the app’s motive as apps typically ask for sensitive information only through user-driven transactions like paying for purchases.
The app displays another fake screen with further instructions to add to its legitimacy once users supply the information needed.
Figures 5 and 6. A fake page where the app asks users to provide information, and the resulting message once data is added
What happens in the background
Analyzing the XML file AndroidManifest further identifies the entry points of the malware along with the permissions requested. It also defines services that can run in the background without user interaction. The app uses the following permissions:
READ_PHONE_STATE
ACCESS_NETWORK_STATE
READ_SMS
RECEIVE_SMS
READ_CALL_LOG
FOREGROUND_SERVICE
MODIFY_AUDIO_SETTINGS
READ_CONTACTS
RECEIVE_BOOT_COMPLETED
WAKE_LOCK
The malware uses MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to carry out most of its routines. These three functions interact to ensure all the malware’s routines are up and running and allow the app to remain persistent on the mobile device.
MainActivity
MainActivity, also called the launcher activity, is defined under com.example.test_app.MainActivity. It is launched first after installation to display the fake app’s ICICI splash screen. This launcher activity then calls OnCreate() method to check the device’s internet connectivity and record the timestamp of the malware’s installation, and Permission_Activity to launch permission requests. Once the permissions are granted,Permission_Activity further calls AutoStartService and login_kotak.
Figure 7. Actions under MainActivity
The class login_kotak is responsible for stealing the user’s card information. It shows the fake credit card input page (Figure 5) and temporarily stores the information in the device while waiting for commands from the attacker.
Figure 8. login_kotak class steals card information and other personally identifiable information (PII)
AutoStartService
AutoStartService, themain handler of the malware, functions based on the commands it receives. The handler provides the malware with the following capabilities:
Enforcing its RAT commands
This malware’s new version adds several RAT capabilities that expands its information stealing. It enables the malware to add call log uploading, SMS message and calls interception, and card blocking checks.
Figure 9. Code comparison of 2021 (left) and 2022 (right) samples
These commands are described below.
Command Name
Description
all_sms_received
Flags to enable/disable SMS upload
all_call_received
Flags to enable/disable call log upload
silent
Put the mobile device on silent
block
Checks if the user’s card is blocked
sms_filter
Filters SMS based on strings (defaults to “ICICI”)
online
Checks if the user has an active internet connection
force_online
Uploads received SMS messages to the C2 server
is_online
Checks if the device is connected to the C2 server
force_calls
Uploads call logs to the C2 server
The silent command, which the malware uses to keep the remote attacker’s SMS sending activities undetected, stands out from the list of commands. Many banking apps require two-factor authentication (2FA), often sent through SMS messages. This malware enabling an infected device’s silent mode allows attackers to catch 2FA messages undetected, further facilitating information theft.
Figure 10. This code is responsible for turning the mobile device’s silent mode on
Encryption and decryption of SMS messages
In addition to encrypting all data it sends to the attacker, the malware also encrypts the SMS commands it receives from the attacker. The malware decrypts the commands through its decryption and decoding modules. The malware uses a combination of Base64 encoding/decoding and AES encryption/decryption methods.
Figure 11. The malware’s encoding and decoding modules, as seen in its code
Stealing SMS messages
The malware steals all SMS messages from the mobile device’s inbox. It collects all received, sent, read, and even unread messages. Collecting all SMS messages might allow attackers to use the data to expand their stealing range, especially if any messages contain other sensitive information such as SMS-based 2FA for email accounts, one’s personal identification like the Aadhar card commonly used in India, or other financial-related information.
Figure 12. Code used to steal all SMS messages
Uploading all call logs
The malware also uploads call logs stored on the mobile device. This data may be used for the attacker’s surveillance purposes.
Figure 13. The malware code for stealing call logs
Communicating with its C2
This malware uses the open-source library socket.io to communicate with its C2 server.
Figure 14. Code showing the malware’s C2 server connection
RestartBroadCastReceiver
The malware also uses the Android component RestartBroadcastReceiver, which functions based on the type of events received by the mobile device. This receiver launches a job scheduler named JobService, which eventually calls AutoStartService in the background. The receiver reacts when the device is restarted, if the device is connected to or disconnected from charging, when the device’s battery status changes, and changes in the device’s Wi-Fi state.RestartBroadcastReceiver ensures that the main command handler AutoStartService is always up and running.
Figure 15. How the Receiver starts AutoStartService
Mitigating the fake app’s unwanted extras
This malware’s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. Its use of various banking and financial organizations’ logos could also attract more targets in the future.
App installation on Android is relatively easy due to the operating system’s open nature. However, this openness is often abused by attackers for their gain. Apart from exercising utmost care when clicking on links in messages and installing apps, we recommend that users follow these steps to protect their devices from fake apps and malware:
Download and install applications only from official app stores.
Android device users can keep the Unknown sources option disabled to stop app installation from unknown sources.
Microsoft discovered that the SHEIN Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server.
Microsoft discovered a high-severity vulnerability in the TikTok Android application, now identified as CVE-2022-28799 and fixed by TikTok, which could have allowed attackers to compromise users' accounts with a single click.
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve.
Microsoft uncovered high-severity vulnerabilities in a mobile framework used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote or local attacks.