#FactCheck - Uncovered: Viral LA Wildfire Video is a Shocking AI-Generated Fake!

Executive Summary:

A number of false information is spreading across social media networks after the users are sharing the mistranslated video with Indian Hindus being congratulated by Italian Prime Minister Giorgia Meloni on the inauguration of Ram Temple in Ayodhya under Uttar Pradesh state. Our CyberPeace Research Team’s investigation clearly reveals that those allegations are based on false grounds. The true interpretation of the video that actually is revealed as Meloni saying thank you to those who wished her a happy birthday.

Claims:

A X (Formerly known as Twitter) user’ shared a 13 sec video where Italy Prime Minister Giorgia Meloni speaking in Italian and user claiming to be congratulating India for Ram Mandir Construction, the caption reads, 

“Italian PM Giorgia Meloni Message to Hindus for Ram Mandir #RamMandirPranPratishta. #Translation : Best wishes to the Hindus in India and around the world on the Pran Pratistha ceremony. By restoring your prestige after hundreds of years of struggle, you have set an example for the world. Lots of love.”

‍

Fact Check:

The CyberPeace Research team tried to translate the Video in Google Translate. First, we took out the transcript of the Video using an AI transcription tool and put it on Google Translate; the result was something else.

‍

The Translation reads, “Thank you all for the birthday wishes you sent me privately with posts on social media, a lot of encouragement which I will treasure, you are my strength, I love you.”

With this we are sure that it was not any Congratulations message but a thank you message for all those who sent birthday wishes to the Prime Minister. 

We then did a reverse Image Search of frames of the Video and found the original Video on the Prime Minister official X Handle uploaded on 15 Jan, 2024 with caption as, “Grazie. Siete la mia” Translation reads, “Thank you. You are my strength!”

‍

Conclusion:

The 13 Sec video shared by a user had a great reach at X as a result many users shared the Video with Similar Caption. A Misunderstanding starts from one Post and it spreads all. The Claims made by the X User in Caption of the Post is totally misleading and has no connection with the actual post of Italy Prime Minister Giorgia Meloni speaking in Italian. Hence, the Post is fake and Misleading.

• Claim:  Italian Prime Minister Giorgia Meloni congratulated Hindus in the context of Ram Mandir
• Claimed on: X
• Fact Check: Fake

‍

Overview:

‘Kia Connect’ is the application that is used to connect ‘Kia’ cars which allows the user control various parameters of the vehicle through the application on his/her smartphone. The vulnerabilities found in most Kias built after 2013 with but little exception. Most of the risks are derived from a flawed API that deals with dealer relations and vehicle coordination. 

Technical Breakdown of Exploitation:

1. API Exploitation: The attack uses the vulnerabilities in Kia’s dealership network. The researchers also noticed that, for example, the logs generated while impersonating a dealer and registering on the Kia dealer portal would be sufficient for deriving access tokens needed for next steps.

2. Accessing Vehicle Information: The license plate number allowed the attackers to get the Vehicle Identification Number (VIN) number of their preferred car. This VIN can then be used to look up more information about the car and is an essential number to determine for the shared car.

3. Information Retrieval: Having the VIN number in hand, attackers can launch a number of requests to backends to pull more sensitive information about the car owner, including:

• Name
• Email address
• Phone number
• Geographical address

4. Modifying Account Access: With this information, attackers could change the accounts settings to make them a second user on the car, thus being hidden from the actual owner of the account.

5. Executing Remote Commands: Once again, it was discovered that attackers could remotely execute different commands on the vehicle, which includes:some text
   • Unlocking doors
   • Starting the engine
   • Monitoring the location of the vehicle in terms of position.
   • Honking the horn 

Technical Execution:

The researchers demonstrated that an attacker could execute a series of four requests to gain control over a Kia vehicle:

1. Generate Dealer Token: The attacker sends an HTTP request in order to create a dealer token.

2. Retrieve Owner Information: As indicated using the generated token, they make another request to another endpoint that returns the owner’s email address and phone number.

3. Modify Access Permissions: The attacker takes advantage of the leaked information (email address and VIN) of the owner to change between users accounts and make himself the second user.

4. Execute Commands: As the last one, they can send commands to perform actions on the operated vehicle.

Security Response and Precautionary Measures for Vehicle Owners

1. Regular Software Updates: Car owners must make sure their cars receive updates on the recent software updates provided by auto producers. 
2. Use Strong Passwords: The owners of Kia Connect accounts should develop specific and complex passwords for their accounts and then update them periodically. They should avoid using numbers like the birth dates, vehicle numbers and simple passwords.
3. Enable Multi-Factor Authentication: For security, vehicle owners should turn on the use of the secondary authentication when it is available to protect against unauthorized access to an account. 
4. Limit Personal Information Sharing: Owners of vehicles should be careful with the details that are connected with the account on their car, like the e-mail or telephone number, sharing them on social networks, for example.
5. Monitor Account Activity: It is also important to monitor the account activity because of change or access attempts that are unauthorized. In case of any abnormality or anything suspicious felt while using the car, report it to Kia customer support.
6. Educate Yourself on Vehicle Security: Being aware of cyber threats that are connected to vehicles and learning about how to safeguard a vehicle from such threats.
7. Consider Disabling Remote Features When Not Needed: If remote features are not needed,  then it is better to turn them off, and then turn them on again when needed. This can prove to help diminish the attack vector for would-be hackers.

Industry Implications:

The findings from this research underscore broader issues within automotive cybersecurity:

• Web Security Gaps: Most car manufacturers pay more attention to equipment running in automobiles instead of the safety of the websites that the car uses to operate thereby exposing automobiles that are connected very much to risks.

• Continued Risks: Vehicles become increasingly connected to internet technologies. Auto makers will have to carry cyber security measures in their cars in the future.

Conclusion:

The weaknesses found in Kia’s connected car system are a key concern for Automotive security. Since cars need web connections for core services, suppliers also face the problem of risks and need to create effective safeguards. Kia took immediate actions to tighten the safety after disclosure; however, new threats will emerge as this is a dynamic domain involving connected technology. With growing awareness of these risks, it is now important for car makers not only to put in proper security measures but also to maintain customer communication on how it safeguards their information and cars against cyber dangers. That being an incredibly rapid approach to advancements in automotive technology, the key to its safety is in our capacity to shield it from ever-present cyber threats.

Reference:

• https://timesofindia.indiatimes.com/auto/cars/hackers-could-unlock-your-kia-car-with-just-a-license-plate-is-yours-safe/articleshow/113837543.cms
• https://www.thedrive.com/news/hackers-found-millions-of-kias-could-be-tracked-controlled-with-just-a-plate-number
• https://www.securityweek.com/millions-of-kia-cars-were-vulnerable-to-remote-hacking-researchers/
• https://news24online.com/auto/kia-vehicles-hack-connected-car-cybersecurity-threat/346248/
• https://www.malwarebytes.com/blog/news/2024/09/millions-of-kia-vehicles-were-vulnerable-to-remote-attacks-with-just-a-license-plate-number
• https://informationsecuritybuzz.com/kia-vulnerability-enables-remote-acces/
• https://samcurry.net/hacking-kia

‍

‍

Introduction:

This report examines ongoing phishing scams targeting "State Bank of India (SBI)" customers, India's biggest public bank using fake SelfKYC APKs to trick people. The image plays a part in a phishing plan to get users to download bogus APK files by claiming they need to update or confirm their "Know Your Customer (KYC)" info.

Fake Claim:

A picture making the rounds on social media comes with an APK file. It shows a phishing message that says the user's SBI YONO account will stop working because of their "Old PAN card." It then tells the user to install the "WBI APK" APK (Android Application Package) to check documents and keep their account open. This message is fake and aims to get people to download a harmful app.

Key Characteristics of the Scam:

• The messages "URGENTLY REQUIRED" and "Your account will be blocked today" show how scammers try to scare people into acting fast without thinking.
• PAN Card Reference: Crooks often use PAN card verification and KYC updates as a trick because these are normal for Indian bank customers.
• Risky APK Downloads: The message pushes people to get APK files, which can be dangerous. APKs from places other than the Google Play Store often have harmful software.
• Copying the Brand: The message looks a lot like SBI's real words and logos to seem legit.
• Shady Source: You can't find the APK they mention on Google Play or SBI's website, which means you should ignore the app right away.

Modus Operandi:

• Delivery Mechanism: Typically, users of messaging services like "WhatsApp," "SMS," or "email" receive identical messages with an APK link, which is how the scam is distributed.
• APK Installation: The phony APK frequently asks for a lot of rights once it is  installed, including access to "SMS," "contacts," "calls," and "banking apps."
• Data Theft: Once installed, the program may have the ability to steal card numbers, personal information, OTPs, and banking credentials.
• Remote Access: These APKs may occasionally allow cybercriminals to remotely take control of the victim's device in order to carry out fraudulent financial activities.

While the user installs the application on their device the following interface opens: 

‍

‍

It asks the user to allow the following:

• SMS is used to send and receive info from the bank.
• User details such as Username, Password, Mobile Number, and Captcha. 

Technical Findings of the Application:

Static Analysis:

• File Name: SBI SELF KYC_015850.apk
• Package Name: com.mark.dot.comsbione.krishn
• Scan Date: Sept. 25, 2024, 6:45 a.m.
• App Security Score: 52/100 (MEDIUM RISK)
• Grade: B

File Information:

• File Name: SBI SELF KYC_015850.apk
• Size: 2.88MB
• MD5: 55fdb5ff999656ddbfa0284d0707d9ef
• SHA1: 8821ee6475576beb86d271bc15882247f1e83630
• SHA256: 54bab6a7a0b111763c726e161aa8a6eb43d10b76bb1c19728ace50e5afa40448

App Information:

• App Name: SBl Bank
• Package Name:: com.mark.dot.comsbione.krishn
• Main Activity: com.mark.dot.comsbione.krishn.MainActivity
• Target SDK: 34
• Min SDK: 24
• Max SDK:
• Android Version Name:: 1.0
• Android Version Code:: 1

App Components:

• Activities: 8
• Services: 2
• Receivers: 2
• Providers: 1
• Exported Activities: 0
• Exported Services: 1
• Exported Receivers: 2
• Exported Providers:: 0

Certificate Information:

• Binary is signed
• v1 signature: False
• v2 signature: True
• v3 signature: False
• v4 signature: False
• X.509 Subject: CN=PANDEY, OU=PANDEY, O=PANDEY, L=NK, ST=NK, C=91
• Signature Algorithm: rsassa_pkcs1v15
• Valid From: 20240904 07:38:35+00:00
• Valid To: 20490829 07:38:35+00:00
• Issuer: CN=PANDEY, OU=PANDEY, O=PANDEY, L=NK, ST=NK, C=91
• Serial Number: 0x1
• Hash Algorithm: sha256
• md5: 4536ca31b69fb68a34c6440072fca8b5
• sha1: 6f8825341186f39cfb864ba0044c034efb7cb8f4
• sha256: 6bc865a3f1371978e512fa4545850826bc29fa1d79cdedf69723b1e44bf3e23f
• sha512:05254668e1c12a2455c3224ef49a585b599d00796fab91b6f94d0b85ab48ae4b14868dabf16aa609c3b6a4b7ac14c7c8f753111b4291c4f3efa49f4edf41123d
• PublicKey Algorithm: RSA
• Bit Size: 2048
• Fingerprint: a84f890d7dfbf1514fc69313bf99aa8a826bade3927236f447af63fbb18a8ea6
• Found 1 unique certificate

‍

App Permission 

‍

‍

1. Normal Permissions

• Access_network_state: Allows the App to View the Network Status of All Networks.
• Foreground_service: Enables Regular Apps to Use Foreground Services.
• Foreground_service_data_sync: Allows Data Synchronization With Foreground Services.
• Internet: Grants Full Internet Access.

2. Signature Permission:

• Broadcast_sms: Sends Sms Received Broadcasts. It Can Be Abused by Malicious Apps to Forge Incoming Sms Messages.

3. Dangerous Permissions:

• Read_phone_numbers: Grants Access to the Device’s Phone Number(S).
• Read_phone_state: Reads the Phone’s State and Identity, Including Phone Features and Data.
• Read_sms: Allows the App to Read Sms or Mms Messages Stored on the Device or Sim Card. Malicious Apps Could Use This to Read Confidential Messages.
• Receive_sms: Enables the App to Receive and Process Sms Messages. Malicious Apps Could Monitor or Delete Messages Without Showing Them to the User.
• Send_sms: Allows the App to Send Sms Messages. Malicious Apps Could Send Messages Without the User’s Confirmation, Potentially Leading to Financial Costs.

On further analysis on virustotal platform using md5 hash file, the following results were retrieved where there are 24 security vendors out of 68, marked this apk file as malicious and the graph represents the distribution of malicious file in the environment.

‍

‍

Key Takeaways:

• Normal Permissions: Generally Safe for Accessing Basic Functionalities (Network State, Internet).
• Signature Permissions: May Pose Risks When Misused, Especially Related to Sms Broadcasts.
• Dangerous Permissions: Provide Sensitive Data Access, Such as Phone Numbers and Device Identity, Which Can Be Exploited by Malicious Apps.
• The Dangerous Permissions Pose Risks Regarding the Reading, Receiving, and Sending of Sms, Which Can Lead to Privacy Breaches or Financial Consequences.

How to Identify the Scam:

• Official Statement: SBI never asks clients to download unauthorized APKs for upgrades related to KYC or other services. All formal correspondence takes place via the SBI YONO app, which may be found in reputable app shops.
• No Immediate Threats: Bank correspondence never employs menacing language or issues harsh deadlines, such as "your account will be blocked today."
• Email Domain and SMS Number: Verified email addresses or phone numbers are used for official SBI correspondence. Generic, unauthorized numbers or addresses are frequently used in scams.
• Links and APK Files: Steer clear of downloading APK files from unreliable sources at all times. For app downloads, visit the Apple App Store or Google Play Store instead.

CyberPeace Advisory:

• The Research team recommends that people should avoid opening such messages sent via social platforms. One must always think before clicking on such links, or downloading any attachments from unauthorised sources.
• Downloading any application from any third party sources instead of the official app store should be avoided. This will greatly reduce the risk of downloading a malicious app, as official app stores have strict guidelines for app developers and review each app before it gets published on the store.
• Even if you download the application from an authorised source, check the app's permissions before you install it. Some malicious apps may request access to sensitive information or resources on your device. If an app is asking for too many permissions, it's best to avoid it.
• Keep your device and the app-store app up to date. This will ensure that you have the latest security updates and bug fixes.
• Falling into such a trap could result in a complete compromise of the system, including access to sensitive information such as microphone recordings, camera footage, text messages, contacts, pictures, videos, and even banking applications and could lead users to financial loss.
• Do not share confidential details like credentials, banking information with such types of Phishing scams.
• Never share or forward fake messages containing links on any social platform without proper verification.

Conclusion:

Fake APK phishing scams target financial institutions more often. This report outlines safety steps for SBI customers and ways to spot and steer clear of these cons. Keep in mind that legitimate banks never ask you to get an APK from shady websites or threaten to close your account right away. To stay safe, use SBI's official YONO app on both systems and get apps from trusted places like Google Play or the Apple App Store. Check if the info is true before you do anything turn on 2FA for all your bank and money accounts, and tell SBI or your local cyber police about any scams you see.

‍