Update

The real company itsme contacted me on twitter and they verified that they didn’t create an android app for their product. So they reported the misleading application to the google play store and got it removed successfully.

Summary

People were receiving text messages saying that their friends invited them to chat. The messages makes them install an application. Opening the app, it shows a quick walkthrough of the app and asks for a verification code. With the right code, you are instructed to install another application which constantly spams the user with ads.

Quick Vocabulary

• APK: Android Package is the package file format used by the Android Operating System for distribution and installation of mobile applications.
• Activities: An activity is a single, focused thing that the user can do.
• Emulator: Simulates android devices on your computer.
• jadx-gui: Dex to Java decompiler
• Android manifest: The manifest file describes the essential information about one’s application.

I got a text message from a random number saying that my friends wanted to chat on another app (itsme). I initially thought it was weird since my friends would tell me personally that they wanted to switch applications. Also the link was pointing to the Apple store (I didn’t have an iPhone at the time), so I ignored it.

[image lost]

Waking up the next day, some of my friends got the same messages. Now, I had to pay attention to this interesting application. Switching to my virtual machine (VM), I downloaded the app and opened it with my decompiler of choice, jadx-gui.

First thing I do is look at the Manifest.xml to find the entry point. This file shows us that there are 7 activities, 6 of them are for onboarding information and one activity meant to receive a verification code.

[image lost]

This is what the main screen of the app looks like.

[image lost]

Right away, we see the developer can’t spell install correctly. Bad start.

Getting The Verification Code

I found two ways to get the verification code. First, if you clicked on the left button, you get redirect to a website, movsup.org. The site asks for a username and your phone platform. Then it tells you to rate the app on the play store to get the code. I couldn’t get it that way because I was in an emulator and I was not logged in to the play store.

The other solution was to get the code with jadx-gui. Entering the main activity, there’s a validate function.

We can see the the access code (SJHA2SVAGY) and two urls.

• hxxp://bit.ly/APKdownd
• hxxps://t.co/PXu5l8lpzv?amp=1

The t.co link is a redirect to movsup.org. The bit.ly is shorten link for a public google drive with a download button for another apk.

Installing the new apk on my emulator, I didn’t see any indication of it being installed. There was no app icon or anything else to prove to me it was there. Looking back to jadx-gui, I looked at the manifest again and the package name made everything clear.

The whole application might have just been a joke.

[image lost]

There are more activities in this application. In the main activity, nothing much is going on except that it is loading an ad.

The rest of the app are doing the same.

[image lost] [image lost]

To support my hypothesis, people who downloaded the app from the play store noticed the constant ad being presented.

[image lost]

How Did It Spread?

Well, I am not sure how the app was able to send the invite message. People on twitter were saying that it read your contacts and send the message. I believe they are just dramatic. ¯_(ツ)_/¯

[image lost]

Looking bucket the manifest file, I didn’t see any indication of such technique. The permission declared in both apps had nothing to do with contacts. The first app (itsme) had just needed internet connection and wake lock.

[image lost]

The second app (tapeviral) had more and those permissions were custom and meant to read the application’s badges.

The whole application is just a troll from what I could find. Nothing but trying to make money by spamming users with useless ads. Best thing to do is just delete the app and not click links from phone numbers you don’t know.

File Hash