New Delhi: The Cyber Crime Unit (CyPAD), of Delhi Police, took note of various WhatsApp messages getting circulated, wherein the recipients were being induced and enticed to download an App through the link given in the WhatsApp messages.
The inducement was regarding daily commission earning of up to Rs.3000 in less than 30 minutes of time spent on the App. As per the messages being circulated, the stated task being performed through the app was of promoting internet celebrities on Facebook, YouTube and Instagram.
Since the messages were coming from ISD numbers, (which could be virtual numbers), and were inducing the recipient to download an app, NEWWORLD.APK, through a short (encrypted) URL, hence the activity was identified as suspicious and the Malware Forensic Lab of CyPAD-NCFL was asked to examine the URL, the App as well as other linked aspects.
The app’s functioning showed that it claims to add Rs. 6 in the User’s account if the task given to the app user on Facebook, YouTube, etc., is completed. To earn more money, the App provided for VIP accounts. But to use these VIP accounts, the user had to add money in his app account. Analysis of money trail revealed that the amount was being routed to various Indian bank accounts.
Malware analysis of the Mobile App NEWWORLD.APK reported that several dangerous permissions were being obtained by this App, such as permission to download and install new software packages (Apps), take pictures and videos, read/modify/delete SD card contents, etc.
The App was flagged as a Malwareby a reputed Anti-Virus. The malware App was accessing Users’ contact book and sending messages to their contacts.
It was found that the malicious App was able to discreetly download QQ Browser App, which is an App of the QQ family of Apps which have been banned by Ministry of Electronics and IT in June, 2020. Further, the website and the App were hosted and connecting to IPs that were found assigned to Chinese companies.
Meanwhile, a complaint was received from a victim of this fraud, wherein it was alleged that she was cheated of an amount of Rs.50,000/- by using an app which she got in the form of a link through her colleague. The complaint was enquired and it was found that the defrauded money was being routed to the same bank accounts.
Accordingly, based on the above facts and circumstances, a Case FIR was registered under various sections of IT Act and IPC and investigation taken up by Cyber Crime Unit (CyPAD), Special Cell.
Investigation
Live TV
Considering the seriousness of the matter, a special team constituting of Insp. Parveen, Insp. Hansraj, Insp. Brahm Prakash, SI Sunil, SI Ajit and others were formed under the supervision of ACP Aditya Gautam to take prompt action.
During the investigation, it was found that the defrauded money was being routed to multiple bank accounts registered in the name of various Pvt. Ltd companies. The addresses of these companies and the profile of their Indian Directors raised suspicion. In some of the companies, Chinese nationals were found to be the main Directors at various points of time. The Indian Directors were the ones who were working as accountants, office boys, drivers, etc., for these foreign nationals.
The money trail analysis revealed that the defrauded money was being laundered through multiple shell companies and through Crypto-wallets. The key operatives behind these shell companies were identified through the field and technical surveillance and they were arrested on 13/01/2021 in simultaneous multiple raids conducted at several locations across Delhi-NCR. In the raids, a total of 12 persons have been arrested, including two Chinese nationals:
1. Ms Chaohong Deng Daoyong r/o Sichuan, China Aged 27 Years
2. Ms Wu Jiazhi r/o Sichuan, China Aged 54 Years
A cash amount of Rs.25.42 Lakh of the defrauded money has been recovered from the possession of the Chinese nationals. 12 Bank Accounts, Crypto-Wallets and Payment Gateway IDs have been blocked and a total of Rs. 4 Crore 75 lakh of the defrauded money has been frozen.
The accused have also used the cheated money to purchase Crypto-currency (Tether) and over the last two weeks, crypto-transactions worth over Rs. 4.5 Crores have been made to siphon out the funds. The connected wallet currently has Tethers worth over Rs. 8 lakhs which has been frozen.
The Payment Gateway used by the accused has confirmed a total of 39,781 victims who have been defrauded by this App till now.
Modus Operandi:
The arrested Indian accused have disclosed that two Chinese nationals, Yangqing Zhang @ Jonathan and Bao Peng @ Eric, are the main kingpins of this huge criminal conspiracy to cheat and defraud Indian citizens and hack into their devices through malicious mobile Apps. These two are likely to be operating from a foreign location outside India. They launched this ‘online scheme’ to induce and cheat a maximum number of people by promising lucrative returns based on a multi-level marketing model.
In the garb of this scheme, they designed and circulated malware to illegally capture personal data of unsuspecting people for illegitimate purposes. They also created mega social media influencers in a clandestine manner, by promising cash incentive for ‘Follows’ and ‘Likes’, on Facebook, Instagram, YouTube, etc.
The origin and ownership of the majority of these Facebook, YouTube and Instagram accounts are unknown. These profiles can be used in future by external elements to manipulate and influence Indian users who follow these accounts.
The arrested Indian Directors and employees also revealed that after circulating the defrauded money in these shell companies, a significant portion was being withdrawn in cash and handed over to local money mules. Two such operatives have been arrested.
The entire criminal activity and the underlying criminal conspiracy could be categorized into four segments:
1. Exponential circulation of website registration and App download links through WhatsApp using MLM-based referral method.
2. Inducing the link recipient to download their malicious mobile App which, once downloaded, gains almost complete control over the device/phone of the user.
3. Inducing user to like and follow Facebook, Instagram and YouTube profiles and posts suggested by the App. It is common knowledge that once a user follows a particular profile from his account, the content posted by that profile will regularly come on the user’s timeline. Further, the mere liking of a post on a social media App by a user will make it visible to other users who are friends/followers of that user, who may also follow that profile, which is being pushed by the malicious app. By doing such concerted actions with millions of Indian users, this malicious App ends up creating thousands of social media profiles of unknown origin and ownership that are being followed by crores of Indians. Such a massive control over what Indian social media users can see and listen could have serious future national security implications, especially in view of the fact that the origin and ownership of most of these accounts are not known.
4. Inducing users of the App to pay for VIP accounts and siphoning out the money thus accumulated, through multiple shell companies and crypto-wallets. A significant portion of the defrauded money is ending up in the hands of local money mules.
The case is under investigation and help is being obtained from the labs of CyPAD to retrieve crucial digital evidence. Efforts are being made to identify the involvement of others.
Citizens are advised to:
1. Never download and install any App through links sent over WhatsApp with promises of quick money. These Apps are not verified and listed by genuine App Store/Play Store and may undertake malicious activities. If any such App has been downloaded, the same may be got uninstalled at the earliest.
2. Never mechanically like or follow the social media accounts being pushed through such fraudulent applications. These social media accounts of unknown origin and ownership may infest your social media timeline with content that is detrimental to you as well as the society at large.
3. Never pay any money to such malicious, fraudulent Apps after getting swayed by their inducements and false claims and promises.