Another Campaign Distributing Malicious APKs via Google Play Phishing Sites

Summary

Recently, we have witnessed threat actors distributing malicious APKs by impersonating the Google Play Store website. CheckPhish detected the following URLs hosting the malicious content.

Phishing Sites


This campaign impersonates betting apps to distribute malicious apps; visiting one of the websites automatically downloads the malicious app to the victim’s device.

At the time of writing, all the phishing sites were active, and we believe there will be more similar phishing sites distributing similar malicious apps.

Hunting Technique

Based on the site title and the screenshot similarity, it is easy to hunt such phishing sites:

site title: I earns 5.87 lakh rupees in this game even without good skills
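
The title-based part of this hunt can be automated over crawler or URL-scan output. The sketch below is an added example, not CheckPhish's own code: the function names, the `(url, html)` record shape, the 0.8 similarity threshold and the sample records are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Lure title quoted in the post, kept verbatim.
LURE_TITLE = "I earns 5.87 lakh rupees in this game even without good skills"

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.title = False, False, ""

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def normalize(text):
    # Lowercase and keep letters only, so a changed amount or punctuation still matches.
    return " ".join(re.sub(r"[^a-z]+", " ", text.lower()).split())

def title_score(html):
    parser = TitleParser()
    parser.feed(html)
    return SequenceMatcher(None, normalize(parser.title), normalize(LURE_TITLE)).ratio()

def hunt(records, threshold=0.8):
    # records: iterable of (url, html) pairs from a crawler or URL-scan feed (assumed shape).
    return [url for url, html in records if title_score(html) >= threshold]

# Constructed crawl records; the hosts are placeholders, not indicators from the post.
SAMPLE = [
    ("http://site-a.example/", "<title>I earns 5.87 lakh rupees in this game even without good skills</title>"),
    ("http://site-b.example/", "<TITLE> I earns 9.10 Lakh rupees in this game, even without good skills! </TITLE>"),
    ("http://site-c.example/", "<title>Google Play - Android Apps</title>"),
    ("http://site-d.example/", "<html><body>page with no title</body></html>"),
]

if __name__ == "__main__":
    for url, html in SAMPLE:
        print(f"{title_score(html):.2f}  {url}")
```

Title matches are leads, not verdicts; the screenshot-similarity check mentioned above is what confirms the Google Play impersonation.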

Conclusion

This is an old campaign, active since 2023; most of the malicious sites are still live.

More phishing sites:


Malicious APKs
