Spyware VN84App is spread via fake state websites such as the site of the Ministry of Public Security. When Internet users access these sites, they are instructed to download a mobile phone app with the .apk extension. After a successful installation, VN84App will silently collect confidential data like messages, phone numbers, IMEI information to send to the hacker’s server. The spyware also owns certain modules to perform possible attacks to other users.
VN84App is able to monitor users’ SMS when it requests the right to become the default message delivery on the phone. It can duplicate the original message to hide its spying action.
The spyware also asks for the right on other features of the phone like accessing the call history and phonebook.
Bkav discovered that stolen data are sent to a Command & Control (C&C) server at the IP address of 22.214.171.124, with two service portals of 22 and 80. The latter one, at http://126.96.36.199, has a Chinese interface and mostly aims at hefty bank transactions of billions of VND.
Nguyen Van Cuong, Head of Bkav’s analysis team, shared that thanks to the close collaboration between the National Cyber Security Center (under the Ministry of Information and Communications) and the Cyber Security and High-tech Crime Prevention Force (PA05) under Hanoi Department of Public Security, VN84App was timely handled.
He delivered a warning to all mobile phone users to increase their awareness about calls from strangers with unknown origin, to not blindly follow any instruction of such people, and to properly install anti-virus apps for full protection of their devices.