
Having Teen Patti fun? Beware of malware apps!

The Shreshta Threat Intelligence team has detected many websites providing Teen Patti game downloads infected with malware.

About Teen Patti

Teen Patti is a gambling card game. Teen Patti originated in India and is popular throughout South Asia. It evolved from the English game of three-card brag, with influences from poker and the American card game. It is also called flush or flash in some areas.

Executive Summary

Recent intelligence gathered by Shreshta reveals an increase in malicious APKs (Android application packages) disguised as the popular gambling app, Teen Patti. These fraudulent APKs are distributed through various social media channels and messaging platforms to lure unsuspecting users. By clicking on these links, users unknowingly download and install potentially harmful software onto their Android devices.

Our analysis of these websites indicates that they primarily target the Teen Patti user base. Most users download the Teen Patti app for fun, and those who do not follow cyber hygiene become easy targets.

Motive

The motive of the threat actors is to propagate malicious APKs to harvest Personally Identifiable Information (PII) of the user.

Teen Patti Malicious APKs circulated on social media targeting Android users

We will explore the websites that are propagating malicious Android APKs under the guise of the Teen Patti game.

Dangerous Teen Patti Fun

Teen Patti website #1 propagating malware

Figure 1 – Homepage of the website

Figure 2 – APK detected as malicious on VirusTotal

The hash of the APK is detected as Txt.Malware.Agent-9913425-0 and PUA.AndroidOS.ScamApp.

Teen Patti website #2 propagating malware

Figure 3 – Home page of the website prompting the user to download the APK

Figure 4 – Hash of the APK is detected as malicious on VirusTotal

The hash of the APK is detected as TPUA.AndroidOS.Spyloan and TROJ_GEN.R002V01KG23.

Teen Patti website #3 propagating malware

Figure 5 – Home page of the website prompting the user to download the APK

Figure 6 – Hash of the APK is detected as malicious on VirusTotal

VirusTotal detects the hash of the APK as TROJ_GEN.R002V01KH23.

Teen Patti website #4 propagating malware

Figure 7 – Home page of the website prompting the user to download the APK

Figure 8 – Hash of the APK is detected as malicious on VirusTotal

The hash of the APK is detected by VirusTotal as A Variant Of Android/Packed.Jiagu.D Pote, PUA.AndroidOS.Jiagu, Riskware/PackagingUntrustworthyJiagu!, Trojan ( 0052d2661 ) and TROJ_GEN.R002V01KG23.

Teen Patti website #5 propagating malware

Figure 9 – Home page of the website prompting the user to download the APK

Figure 10 – Hash of the APK is detected as malicious on VirusTotal

VirusTotal has detected it as A Variant Of Android/Packed.Jiagu.D Pote, Riskware/PackagingUntrustworthyJiagu!Android, Trojan ( 0052d2661 ) and Android.WIN32.Robtes.dc.

Teen Patti website #6 propagating malware

Figure 11 – Home page of the website impersonating the Google Play store and prompting the user to download the APK

Figure 12 – Hash of the APK is detected as malicious on VirusTotal

The hash of the APK is detected by VirusTotal as PUP/Android.Malct.1196223, Android.Riskware.Agent.KKZ and Android Packed App (PUA).

Teen Patti website #7 propagating malware

Figure 12 – Home page of the website impersonating the Google Play store and prompting the user to download the APK

Figure 13 – Hash of the APK is detected as malicious on VirusTotal

VirusTotal detects the hash of the APK as TROJ_GEN.R002V01KG23.

Safety Recommendations

  1. Configure Browse Safe DNS Servers on your devices to block phishing, malware, cryptojacking and other cyber threats.
  2. Download apps only from the official Google Play Store.
  3. Treat any website that prompts you to download an APK file as malicious.
  4. If you become a victim of cybercrime, call the national (India) cybercrime helpline 1930 or file a complaint at https://cybercrime.gov.in/ 
  5. If you are an enterprise, protect your organisation in real-time from cyber threats such as phishing, malware, newly registered domain names and other malicious communication using Shreshta Protective DNS. Please email info@shreshtait.com for a free 30-day trial.

Conclusion

The spread of websites offering malicious Teen Patti APKs is an alarming trend that poses substantial risks for users. These websites target users who are looking for the Teen Patti game and want to have fun, prompt them to download and sideload the APKs, and instruct them to enable installation from external sources on their Android devices.

This practice not only jeopardizes user security and privacy but also facilitates the propagation of malware and potential financial exploitation. To mitigate these risks, it’s crucial for users to be cautious when downloading apps and ensure they obtain them only from trusted sources like Google Play Store.

Get free access to Newly registered domain names (NRD) community feeds

Newly registered domain names or recently registered domains can be a potential security risk for organisations. They are often used to host phishing, malware, and other malicious content.

By monitoring or blocking NRDs, enterprises can eliminate the risk of cyber threats posed by NRDs.

Get no-cost access to our newly registered domain names (NRD) community feeds.

Download the free NRD community feeds

Indicators of Compromise

  • https[:]//th7.pw/ta/hf59i2?p=wa
  • https[:]//share.getfun.in/
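
One way to put the URL indicators above to work, as an added example that is not part of Shreshta's report: it refangs the defanged URLs, extracts their hostnames, and checks resolver log lines for queries to those hosts or their subdomains. The four-field log format, the sample log lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two URL indicators from this report, in their defanged form.
DEFANGED_IOCS = [
    "https[:]//th7.pw/ta/hf59i2?p=wa",
    "https[:]//share.getfun.in/",
]

# Constructed resolver log lines: <timestamp> <client> <qtype> <qname>.
SAMPLE_LOG = [
    "2023-08-01T10:15:02Z 192.0.2.21 A th7.pw.",
    "2023-08-01T10:15:04Z 192.0.2.21 A Share.GetFun.in",
    "2023-08-01T10:16:40Z 192.0.2.35 AAAA notth7.pw",
    "2023-08-01T10:17:11Z 192.0.2.35 A play.google.com",
]

def refang(indicator):
    """Undo common defanging so the indicator parses as a URL."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    # Scheme separators are defanged inconsistently: "[:]//" or "[.]//".
    s = re.sub(r"^(https?)\[[:.]\]//", r"\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".")

def ioc_hosts(indicators):
    """Return the lower-cased hostnames named by the indicators."""
    hosts = set()
    for item in indicators:
        host = urlsplit(refang(item)).hostname
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts

def is_ioc_host(qname, hosts):
    """True if qname is an indicator host or a subdomain of one."""
    q = qname.rstrip(".").lower()
    # Require a label boundary so "notth7.pw" does not match "th7.pw".
    return any(q == h or q.endswith("." + h) for h in hosts)

def scan_dns_log(lines, hosts):
    """Return (client, qname) for every query that hits an indicator host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and is_ioc_host(fields[3], hosts):
            hits.append((fields[1], fields[3].rstrip(".").lower()))
    return hits

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_LOG, ioc_hosts(DEFANGED_IOCS)):
        print(f"{client} queried {qname}")
```

Matching is done on the full indicator host, so a parent domain such as `getfun.in` is not flagged on its own; only `share.getfun.in` and names beneath it are.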

SHA-256 hash

  • 4dee7b2cf8bc480be8da77569afa7f461ac818786df5739979443c30d2ca3a3f
  • 37e1c8e60e57f5ba22721e7b1afe44c68bd7a1a1a9ba5ce88fb4d8b52097d678
  • e6cb80b4e5c3b161d68339594ba3391ff81b8a0816839eeb2ee9ee08f2a7b511
  • 9b4951f345413cb3c955370c99183cdf91410385a61477fd5eaf60fe117f72e0
  • 779b882f61435bf3b7b4d5c04fd2f2891ad97afa492a58ffaf513a27bc7350fa

Suspicious URLs 


Suspicious SHA-256 hash
