Experts from the European IT security vendor ESET have discovered and analyzed a cybercrime campaign that is still ongoing. Unsuspecting online shoppers are tricked into downloading malicious apps. Once these applications are on the smartphone, the attackers steal banking credentials using fake websites that masquerade as legitimate services.
“In order to make the already convenient online shopping even more convenient, people are increasingly using their smartphones for shopping. These purchases now make up the majority of online shopping orders - most of them through vendor-specific applications,” says ESET researcher Lukáš Štefanko, who analyzed the malicious apps. “The campaign is only targeting Malaysia at the moment but could later expand to other countries and banks. The attackers are currently only targeting bank data. In the future, however, there could also be theft of credit card information.”
Cybercrime campaign continues
This campaign was first reported in late 2021, with the attackers posing as a reputable cleaning service. It was distributed via Facebook ads and tricked potential victims into downloading Android malware from a malicious website. In January 2022, MalwareHunterTeam identified three more malicious websites and Android Trojans attributed to this campaign. Recently, ESET researchers found four more fake websites. All seven sites posed as services only available in Malaysia. ESET researchers found the same malware in all three malicious apps they examined.
All fake - all a trap
The fake websites do not offer any way to purchase directly from them. Instead, they contain buttons that pretend to download apps from Google Play. Clicking these buttons, however, does not lead to the Google Play Store but to servers controlled by the criminals that host the malicious apps. For this attack to succeed, victims must have enabled the "Unknown origins" or "Unknown sources" option on their devices, which is not enabled by default. Upon completing the purchase, victims are offered payment options - they can either pay by credit card or by transferring the required amount from their bank account. At the time this research was conducted, it was not possible to select the credit card payment option.
Two-factor authentication is partially bypassed
After selecting the direct bank transfer option, victims are presented with a fake payment page asking them to select their bank from the eight Malaysian banks offered and then to enter their credentials. After entering their banking information, victims receive an error message informing them that the user ID or password provided is invalid. At this point, the credentials entered have already been sent to the malware operators. To ensure that the criminals can break into their victims' bank accounts, the fake shop applications also forward all SMS messages the victim receives to the operators, in case the bank sends one-time codes by SMS for two-factor authentication (2FA).
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.