Rapid Investigation: Android APK (Instant Loan App)
(This article is written keeping in mind the limited resources available to Law Enforcement Agencies.)
Cybercriminals rely on malicious mobile apps to conduct cyber crimes. Some of the prevalent types are Instant Loan Apps, Dating Apps, Spoof Apps, etc.
Step 1: Getting the APK (Android Package)
The Android APK can be extracted from the mobile phone using this software:
APK Extractor: Apk Extractor — Apps on Google Play
This gives you access to the APK used for the fraud.
Step 2: Upload on VirusTotal (VirusTotal — Home)
VirusTotal is a ‘Brahmastra’ for scanning all types of malware files, including APKs. Upload the extracted file on VirusTotal and go through the results.
Step 3: Interesting Investigation Evidence
Sample Analysis: Moneed Instant Loan app (banned by RBI)
Virus Total Link: VirusTotal — File — db3e29124a9b868ad67727e3542309e53da793d317a786640ee3053c110db962
1. Payment Gateway:
Loan apps use payment aggregators and payment gateways to collect the recovery money. Details are found in the Android code. Three were found:
- RazorPay
- Cashfree
- CCAvenues
Information from the payment gateway will be critical for the financial investigation and fund-trail analysis.
2. Instant KYC Providing Company: (Details → Interesting Strings)
Loan apps use companies that verify KYC with PAN and other details. Three such companies were found:
- Hyperverge
- Digitap
- Karza Technology
The KYC providing companies can supply the actual user of the loan application, IP address, PAN-Aadhaar request/response, etc.
3. Chinese Linkages from Domains
- Baidu
- UmengCloud
4. IP Addresses, Domains
5. Additional IP Information from the Behavior Tab
6. App Permissions that get misused (Phone, Call, Gallery)
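As an added example (not from the original article), the Step 3 sweep can also be done offline when a sample should not leave the lab: a short Python script unpacks the APK as a zip, pulls printable strings out of classes.dex and the binary AndroidManifest.xml, and groups the hits by payment gateway, KYC provider, Chinese SDK, hard-coded host and requested permission. The keyword lists and the in-memory sample APK are constructed for the demonstration.

```python
import io
import re
import zipfile

# Keyword groups mirroring the article's findings (constructed list, extend as needed).
INDICATORS = {
    "payment_gateway": ("razorpay", "cashfree", "ccavenue"),
    "kyc_provider": ("hyperverge", "digitap", "karza"),
    "chinese_sdk": ("baidu", "umeng"),
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # binary AXML string pool is UTF-16LE
PERMISSION = re.compile(r"android\.permission\.[A-Z_]+")
HOST = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})")

def extract_strings(blob):
    """Yield printable runs (ASCII for dex, UTF-16LE for the manifest); no AXML parser needed."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")

def triage_apk(apk_bytes):
    """Return indicator hits, requested permissions and hard-coded hosts found in an APK."""
    found = {"indicators": {g: set() for g in INDICATORS}, "permissions": set(), "hosts": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.endswith(".dex") or name == "AndroidManifest.xml"):
                continue
            for s in extract_strings(apk.read(name)):
                low = s.lower()
                for group, words in INDICATORS.items():
                    if any(w in low for w in words):
                        found["indicators"][group].add(s)
                found["permissions"].update(PERMISSION.findall(s))
                found["hosts"].update(HOST.findall(low))
    return {"indicators": {g: sorted(v) for g, v in found["indicators"].items()},
            "permissions": sorted(found["permissions"]), "hosts": sorted(found["hosts"])}

def build_sample_apk():
    """Constructed stand-in for a seized loan-app APK: fake dex strings plus a UTF-16LE
    manifest blob holding permission names (not a real dex or binary AXML)."""
    dex = b"dex\n035\x00" + b"\x00".join([
        b"https://api.razorpay.com/v1/orders", b"com.hyperverge.sdk.HVNetworkHelper",
        b"https://umeng.com/sdk", b"Lcom/example/loan/MainActivity;"]) + b"\x00"
    manifest = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in
                        ("android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for section, hits in triage_apk(build_sample_apk()).items():
        print(section, hits)
```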
Investigation does not require hi-tech tools, support and knowledge. Intention is enough!