The article discusses the discovery of Android malware specifically targeting Indonesian citizens by imitating government service applications. The malware is spread via phishing links leading to malicious domains that host fake applications. Analysis reveals various indicators of compromise and recommendations for preventing such attacks. Affected: Indonesian citizens, Android users, government services
Keypoints :
- Android malware designed to mimic government service applications.
- Phishing URLs are used for distributing the malware.
- Two malware samples analyzed: Digital Identity APK and M-Pajak APK.
- Malicious domains identified: hxxps://digital-idn[.]com and hxxps://djp[.]pajak-indonesia.cc.
- Malware targets Android versions 7.0 to 13.0.
- Malicious behaviors include accessing sensitive device permissions and conducting HTTP requests to suspicious URLs.
- Recommendations include keeping device software updated and using security measures.
MITRE Techniques :
- TA0001: Initial Access – Phishing: The attackers used phishing links to distribute malicious APKs to potential victims.
- TA0002: Execution – Malicious Execution: The malware executes by downloading and installing disguised APKs.
- TA0031: Command and Control – Application Layer Protocol: The malware communicates with its C2 server through HTTP requests.
- TA0043: Credential Access – Input Capture: The malware requests sensitive information via webview prompting users for login credentials.
- TA0032: Data Manipulation – Data Encrypted: Various data manipulations occur during interactions with embedded URLs.
Indicator of Compromise :
- [URL] hxxps://digital-idn[.]com
- [URL] hxxps://djp[.]pajak-indonesia.cc
- [IP Address] 147.139.139[.]131
- [MD5 Hash] 39bec5cd7eaf1dd4edd36d3fb6f5938b2
- [MD5 Hash] 235d9867a0a1c24c723e996ea8d96fb5