Researchers from ESET, a leading global cybersecurity solutions company, analyzed three malicious Android apps targeting the customers of 8 banks. To take advantage of customers, who are increasingly choosing to shop online due to the pandemic, cybercriminals are persuading these users to download malicious e-commerce applications.
In this ongoing campaign, starting in late 2021, attackers create fake websites.
3 Android apps analyzed by ESET contain the same malicious code
The ongoing campaign has a special focus on Malaysia, but ESET recognizes that it could expand to other countries. Malicious agents are trying to steal banking information through fake websites that look legitimate, sometimes copied exactly from the source. These websites use domains similar to those of the services they are trying to replicate.
Originally reported in late 2021, the campaign persuades potential victims to download Android e-commerce malware from buttons on malicious websites. Instead of directing users to Google Play, the buttons direct users to servers under the control of cybercriminals.
To be successful, this attack requires victims to enable the “Install unknown apps” option on their devices, which is not enabled by default. After making a purchase in these apps, victims can pay by credit card, or by transferring the amount from their bank accounts. At the time of this ESET investigation, it was not possible to select the card payment option.
Victims who choose the direct transfer method are presented with a fake payment page with the option to select one of the 8 Malaysian banks, and are then asked to enter their credentials. After users submit their information, they receive an error message informing them that the entered username or password is invalid. At this point, the credentials entered are sent to the malware operators.
To ensure that the malicious actors obtain users' banking information, the fake e-commerce apps also forward all SMS messages received by users to the cybercriminals if they contain 2-factor authentication codes sent by the bank.
The three Android apps analyzed by ESET contain the same malicious code. The cybersecurity expert concluded that the applications can be attributed to the same malicious agent.