Elibomi Android Malware

Elibomi Android Malware Description

A new family of Android phishing malware has been observed in live attacks by cybercriminals. The researchers who discovered the threat named it Elibomi. The threat relies on social engineering tactics and fake Android applications to collect information from its victims and exfiltrate it to servers under the control of the hackers.

First Elibomi Attack

The first attack involving the Elibomi threat took place in late 2020. The threat actors delivered a fake 'IT Certificate' application to their victims' devices. The weaponized application mimicked an IT certificate management module that pretends to validate the device with a non-existent server. The application requests permission to receive SMS messages, as well as device administrator privileges; the latter is likely abused to make any removal attempts more difficult. While victims are shown a fictitious 'Security Scan,' the application harvests sensitive information in the background, such as emails, phone numbers, stored SMS/MMS messages and more.

Second Elibomi Attack

The more recent campaign that deployed the Elibomi threat targeted Indian taxpayers. The hackers switched the identity of their fake application, which was now presented as a tax-filing application. The attack begins with the dissemination of targeted SMS messages claiming to be from the Income Tax Department of India. To appear more legitimate, the lure messages mention the names of the targeted individuals. The goal at this stage is to get the victim to click the provided link under the false pretense that there has been an urgent update to their Income Tax Refunds.

The corrupted links lead to a phishing page that again claims to belong to the Indian Income Tax Department. The phishing page directs users to download the application that secretly carries the Elibomi threat. The package name of the malicious application follows the pattern 'random word.random string.imobile'. The infosec researchers discovered several versions of the fake application in distribution: some show only a fake login page, while others also offer fake registration and tax refund request screens.
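The combination of indicators described above (an '.imobile' package name, SMS permissions and a device-admin receiver) can be screened for in a decoded AndroidManifest.xml. The following triage script is an added example, not tooling from the researchers or the original page; the exact character classes in the package-name regex and the sample manifest are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Package naming shape reported for the fake tax app: random word.random string.imobile
# (the character classes here are an assumption; the page only gives the shape).
PACKAGE_PATTERN = re.compile(r"^[a-z]+\.[a-z0-9]+\.imobile$")

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def manifest_indicators(manifest_xml: str) -> list[str]:
    """Return the Elibomi-style indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    hits = []
    package = root.get("package", "")
    if PACKAGE_PATTERN.match(package):
        hits.append(f"package name matches *.*.imobile pattern: {package}")
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm in sorted(requested & SMS_PERMISSIONS):
        hits.append(f"requests SMS permission: {perm}")
    # A device-admin component is a receiver protected by BIND_DEVICE_ADMIN.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            hits.append(f"declares device-admin receiver: {receiver.get(ANDROID_NS + 'name')}")
    return hits


# Constructed sample manifest mimicking the reported indicators (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="refund.xk9q2z.imobile">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Income Tax Refund">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

if __name__ == "__main__":
    for hit in manifest_indicators(SAMPLE_MANIFEST):
        print(hit)
```

A manifest in this form is what apktool produces when decoding an APK; a match on all three indicators is a strong reason to pull the sample for analysis rather than proof of infection on its own.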

The Elibomi threat again captures sensitive data from the compromised device, along with any financial information it manages to elicit from its victims: emails, phone numbers, SMS/MMS messages, financial data and personally identifiable information. Strangely, the harvested data was uploaded to servers that were open to the Internet, effectively exposing the victims' information to the public. The hackers appear to have noticed that this blunder was discovered, and the collected information is no longer available.