Summary
We have recently observed threat actors distributing malicious APKs from sites that impersonate the Google Play Store. CheckPhish detected the following URLs hosting the malicious content.
Phishing Sites
The campaign lures victims with fake betting apps; simply visiting one of the websites triggers an automatic download of the malicious APK to the victim's device.
At the time of writing, all the phishing sites were still active, and we expect more sites of the same kind to appear, distributing similar malicious apps.
Hunting Technique
The shared site title and the visual similarity of the landing pages (screenshot matching) make these phishing sites easy to hunt. The pages carry this title:
site title: "I earns 5.87 lakh rupees in this game even without good skills"
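As an added example (not part of the original post or of CheckPhish's tooling), the following Python scanner applies the title-based hunting idea to a fetched landing page: it fuzzy-matches the page title against the lure title above, with numbers wildcarded because the advertised amount changes between variants, and flags the page only when the title match is combined with an automatic APK download trigger (meta refresh, download link, or an inline script setting window.location), which is the behaviour this post describes. The sample HTML and the file name Gold_sample.apk are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Lure title reported in this post; digits are wildcarded so amount variants still match.
KNOWN_LURE_TITLES = ["I earns 5.87 lakh rupees in this game even without good skills"]
TITLE_THRESHOLD = 0.8
APK_JS = re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+\.apk)['"]""", re.I)

class _PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.apk_triggers = "", False, []
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        # <meta http-equiv="refresh" content="0;url=.../x.apk"> fires the download on page load
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh" and ".apk" in attrs.get("content", "").lower():
            self.apk_triggers.append(("meta-refresh", attrs["content"]))
        for key in ("href", "src"):  # <a href=.apk>, <iframe src=.apk>
            if attrs.get(key, "").lower().endswith(".apk"):
                self.apk_triggers.append((f"{tag}[{key}]", attrs[key]))
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data
        for m in APK_JS.finditer(data):  # script bodies arrive here; catch window.location = ".apk"
            self.apk_triggers.append(("script-location", m.group(1)))

def _normalize(text):
    text = re.sub(r"\d+(?:\.\d+)?", "#", text.lower())  # the advertised amount varies per site
    return re.sub(r"\s+", " ", text).strip()

def title_similarity(title):
    # Best fuzzy match (0.0 to 1.0) between the page title and the known lure titles
    return max((SequenceMatcher(None, _normalize(title), _normalize(k)).ratio() for k in KNOWN_LURE_TITLES), default=0.0)

def scan_page(html):
    """Verdict: lure title match combined with at least one APK auto-download trigger."""
    scanner = _PageScanner()
    scanner.feed(html)
    score = title_similarity(scanner.title)
    return {"title": scanner.title.strip(), "title_score": round(score, 2), "apk_triggers": scanner.apk_triggers,
            "suspicious": score >= TITLE_THRESHOLD and bool(scanner.apk_triggers)}

# Constructed sample page (not a real capture): a variant of the lure title plus two download triggers.
SAMPLE_PAGE = """<html><head><title>I earns 6.2 lakh rupees in this game even without good skills</title>
<meta http-equiv="refresh" content="0;url=/download/Gold_sample.apk"></head>
<body><script>setTimeout(function(){window.location.href="/dl/Gold_sample.apk"},1500)</script></body></html>"""
```

Running `scan_page(SAMPLE_PAGE)` reports a title score of 1.0 despite the changed amount, lists both download triggers, and marks the page suspicious; a page with the lure title but no APK trigger, or a download link under an unrelated title, is not flagged.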
Conclusion
This is an old campaign, active since 2023, and most of the malicious sites are still live.
More phishing sites:
Malicious APKs