The recognition of on-line procuring has been rising throughout the previous few years, a pattern accelerated by the pandemic. To make this already handy method of by no means having to depart the sofa to purchase new issues much more handy, individuals are more and more utilizing their smartphones as an alternative of computer systems to buy: in Q1 2021, smartphones accounted for 69% of all retail web site visits worldwide, and smartphone purchases made up 57% of on-line procuring orders. A noteworthy side of shopping for items and companies through a cell gadget is that 53% of smartphone customers do it from vendor-specific purposes.
Looking for the chance to make a revenue off this conduct, cybercriminals exploit it by tricking keen buyers into downloading malicious purposes. In an ongoing marketing campaign focusing on the shoppers of eight Malaysian banks, menace actors are attempting to steal banking credentials through the use of faux web sites that pose as respectable companies, generally outright copying the unique. These web sites use comparable domains to the companies they’re impersonating the higher to draw unsuspecting victims.
Marketing campaign overview
This marketing campaign was first identified on the finish of 2021, with the attackers impersonating the respectable cleansing service Maid4u. Distributed by means of Fb adverts, the marketing campaign tempts potential victims to obtain Android malware from a malicious web site. It’s nonetheless ongoing as of the publication of this blogpost, with much more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious web sites and Android trojans attributed to this marketing campaign.
On high of that, ESET researchers discovered 4 extra faux web sites. All seven web sites impersonated companies which might be solely obtainable in Malaysia: six of them, Grabmaid, Maria’s Cleansing, Maid4u, YourMaid, Maideasy and MaidACall, provide cleansing companies, and the seventh is a pet retailer named PetsMore. The side-by-side comparability of the respectable and copycat variations of Grabmaid and PetsMore will be seen in Figures 1 and a couple of, respectively.
Determine 1. Grabmaid: respectable web site on the left, copycat on the precise
Determine 2. PetsMore: respectable web site on the left, copycat on the precise
The copycat web sites don’t present an possibility to buy straight by means of them. As an alternative, they embrace buttons that declare to obtain apps from Google Play. Nevertheless, clicking these buttons doesn’t truly result in the Google Play retailer, however to servers underneath the menace actors’ management. To succeed, this assault requires the meant victims to allow the non-default “Set up unknown apps” possibility on their gadgets. Apparently, 5 of the seven respectable variations of those companies don’t even have an app obtainable on Google Play.
To look respectable, the purposes ask the customers to sign up after beginning them up; there’s nonetheless no account validation on the server facet – the software program takes any enter from the person and all the time declares it right. Maintaining the looks of an precise e-shop, the malicious purposes fake to supply items and companies for buy whereas matching the interface of the unique shops (see Determine 3 for a screenshot of the procuring cart in one of many malicious apps). When the time involves pay for the order, the victims are offered with fee choices – they will pay both by bank card or by transferring the required quantity from their financial institution accounts. Throughout our analysis, it was not attainable to choose the bank card possibility.
Determine 3. The procuring cart in a malicious software
As we already talked about, the purpose of the malware operators is to acquire the banking credentials of their victims. After selecting the direct switch possibility, victims are offered a faux FPX fee web page and requested to decide on their financial institution out of the eight Malaysian banks supplied, after which enter their credentials. The focused banks are Maybank, Affin Financial institution, Public Financial institution Berhad, CIMB financial institution, BSN, RHB, Financial institution Islam Malaysia, and Hong Leong Financial institution, as seen in Determine 4.
Determine 4. Focused banks
After unlucky victims submit their banking credentials, they obtain an error message informing them that the person ID or password they supplied was invalid (Determine 5). At this level, the entered credentials have been despatched to the malware operators, as Determine 6 reveals.
Determine 5. Error message exhibited to the sufferer after credentials are exfiltrated
Determine 6. Credentials being despatched to the attacker’s server
To ensure the menace actors can get into their victims’ financial institution accounts, the faux e-shop purposes additionally ahead all SMS messages acquired by the sufferer to the operators in case they include Two-Issue Authentication (2FA) codes despatched by the financial institution (see Determine 7).
Determine 7. All acquired SMS messages are forwarded to the attacker’s server
Malware description
The noticed malware is moderately minimalistic: it’s designed to request just one person permission, which is to learn acquired SMS messages. Its purpose is to phish for banking credentials and ahead 2FA SMS messages from the compromised gadget to the operators. Missing the performance to take away SMS messages from the gadget, the malware can’t disguise that any individual is making an attempt to get into the sufferer’s checking account.
Up to now, the malware has been focusing on solely Malaysia – each the e-shops it impersonates and the banks whose clients’ credentials it’s after are Malaysian, and the costs within the purposes are all displayed within the native foreign money, the Malaysian Ringgit.
One of many companies impersonated within the marketing campaign, MaidACall, has already warned its customers of this fraudulent marketing campaign through a Facebook post (see Determine 8). The remaining haven’t publicly commented on the difficulty but.
Determine 8. Warning submit by a service that was impersonated throughout the marketing campaign
We now have discovered the identical malicious code in all three analyzed purposes, main us to conclude that they will all be attributed to the identical menace actor.
Takeaways
To guard your self in opposition to one of these menace, first, attempt to make sure that you’re utilizing respectable web sites to buy:
- Confirm if the web site is safe, i.e., its URL begins with https://. Some browsers would possibly even refuse to open non-HTTPS web sites and explicitly warn customers or present an choice to allow HTTPS-only mode.
- Be cautious of clicking adverts and don’t comply with paid search engine outcomes: it’s attainable that they don’t result in the official web site
Aside from looking for faux web sites, listed below are another helpful tricks to get pleasure from a safer on-line procuring expertise in your smartphone:
- Take note of the supply of purposes you’re downloading. Just be sure you are literally redirected to the Google Play retailer when getting an software
- Use software program or {hardware} 2FA as an alternative of SMS when attainable
- Use cell safety options to detect dangerous web sites and malicious apps
Conclusion
The noticed marketing campaign is a faux e-shop scheme focusing on the banking credentials of Android customers in Malaysia. It exploits the recognition of utilizing smartphones to buy on-line. As an alternative of phishing for banking credentials on web sites, the menace actors have launched Android purposes into the chain of compromise, thus ensuring they’ve entry to 2FA SMS messages the sufferer is prone to obtain. The scheme depends on utilizing adverts to lure potential victims into accessing copycat variations of respectable web sites. As soon as there, a faux Google Play obtain button directs them in the direction of a malicious software distributed by the malware operators through a third-party web site.
Whereas the marketing campaign targets Malaysia solely for now, it’d broaden to different nations and banks in a while. Right now, the attackers are after banking credentials, however they might additionally allow the theft of bank card data sooner or later.
ESET Analysis now additionally affords non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.
Indicators of compromise (IoCs)
Samples
| First seen | MD5 | SHA-1 | SHA-256 | Bundle title | Description | C&C | ESET detection title |
|---|---|---|---|---|---|---|---|
| 2022-01-04 | CB66D916831DE128CCB2FCD458067A7D | ABC7F3031BEC7CADD4384D49750665A1899FA3D4 | 9B4A0019E7743A46B49A4D8704FFD6E064DB2E5D8DB6DA4056F7EAE5369E16F9 | com.app.nice | Malicious app impersonating Grabmaid service. | muapks[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022-02-23 | 8183862465529F6A46AED60E1B2EAE52 | BEDDFE5A26811DCCCA7938D00686F8F745424F57 | E949BAC52D39B6E207A7943EC778D96D8811FB63D4A037F70E5B6E6706A12986 | com.app.nice | Malicious app impersonated Maria’s Cleansing service. | m4apks[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022‑02‑08 | B6845141EC0F4665A90FB16598F56FAC | 1C984FB282253A64F11EE4576355C1D5EFBEE772 | D1017952D1EF0CEEC6C2C766D2C794E8CC4FB61B2FFA10ED6B6228E8CADF0B39 | com.app.nice | Malicious app impersonating Maid4u service. | maid4uapks90[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022-01-03 | 43727320E8BF756FE18DB37483DAD0A0 | E39C485F24D239867287DCD468FC813FDB5B7DB6 | 5F8A54D54E25400F52CE317BFDBBC866E11EA784AB2D5E3BD0A082A53C6B2D7B | com.app.companies | Malicious app impersonating MaidACall service. | grabsapks[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022‑02‑09 | C51BC547A40034F4828C72F37F2F1F39 | 1D33F53E2E9268874944C2F52E31CCAF2BF46A93 | D8BE8F7B8B224FCA2BB3E7632F6B97B67A74202DC4456F8A79A8856B478C0C6E | com.app.nice | Malicious app impersonating MaidACall service. | grabmyapks90[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022-01-08 | 4BEC6A07E881DB1A950367BEB1702ADA | 9A5A57BF49DBBEF2E66FEE98E5C97B0276D03D28 | A5C7373BE95571418C41AF0DE6A03CE78E82BC1F432E662C0DC42B988640E678 | com.pets.lover | Malicious app impersonating PetsMore service. | m4apks[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022-01-17 | 4FD6255562B2A29C974235FD21B8D110 | BA78B1177C3E2A569A665611E7684BCEEAF2168F | DFF93FD8F3BC26944962A56CB6B31246D2121AE703298A86F20EA9E8967F6510 | com.app.nice | Malicious app impersonating PetsMore service. | m4apks[.]on-line | Android/Spy.SmsSpy.UZ |
| 2022-01-30 | C7DCBD2B7F147A6450C62A8D67207465 | 0E910AD1C33BEF86C9FDBBE4654421398E694329 | A091B15F008B117167A17A8DB4C19E60BD9C99F1047BC82D60E3FD42157333AE | com.app.nice | Malicious app impersonating YourMaid service. | grabmaidsapks80[.]on-line | Android/Spy.SmsSpy.UZ |
| 2021-10-09 | 71341FC2958E65D208F2770185C61D7A | 5237D3FAE84BB5D611C80338CF02EB3793C30F02 | 4904C26E90DC4D18AD6A2D291AF2CD61390661B628F202ABFEDDF8056502F64A | com.firm.gamename | Malicious app impersonating Maid4u service. | 124.217.246[.]203:8099 | Android/Spy.SmsSpy.UJ |
| 2021-12-13 | CF3B20173330FEA53E911A229A38A4BC | B42CD5EC736FCC0D51A1D05652631BE50C9456A0 | 6DB2D526C3310FAD6C857AA1310F74DC0A5FE21402E408937330827ACA2879B7 | com.nice.blue | Malicious app impersonating Maideasy service. | meapks[.]xyz | Android/Spy.SmsSpy.UZ |
Community
| IP | Supplier | First seen | Particulars |
|---|---|---|---|
| 185.244.150[.]159 | Dynadot | 2022-01-20 19:36:29 | token2[.]membership Distribution web site |
| 194.195.211[.]26 | Hostinger | 2022-01-08 14:33:32 | grabamaid-my[.]on-line Distribution web site |
| 172.67.177[.]79 | Hostinger | 2022-01-03 08:20:50 | maidacalls[.]on-line Distribution web site |
| 172.67.205[.]26 | Hostinger | 2022-01-03 13:40:24 | petsmore[.]on-line Distribution web site |
| 172.67.174[.]195 | Hostinger | 2022-02-23 00:45:06 | cleangmy[.]web site Distribution web site |
| N/A | Hostinger | 2022-01-24 17:40:14 | my-maid4us[.]web site Distribution web site |
| N/A | Hostinger | 2022-01-27 14:22:10 | yourmaid[.]on-line Distribution web site |
| 194.195.211[.]26 | Hostinger | 2021-11-19 05:35:01 | muapks[.]on-line C&C server |
| 194.195.211[.]26 | Hostinger | 2021-11-19 05:23:22 | grabsapks[.]on-line C&C server |
| 104.21.19[.]184 | Hostinger | 2022-01-20 03:47:48 | grabmyapks90[.]on-line C&C server |
| 104.21.29[.]168 | Hostinger | 2021-12-22 12:35:42 | m4apks[.]on-line C&C server |
| 172.67.208[.]54 | Hostinger | 2022-01-17 09:22:02 | maid4uapks90[.]on-line C&C server |
| 172.67.161[.]142 | Hostinger | 2022-01-22 06:42:37 | grabmaidsapks80[.]on-line C&C server |
| 2.57.90[.]16 | Hostinger | 2022-01-10 23:51:29 | puapks[.]on-line C&C server |
| 124.217.246[.]203 | Hostinger | 2021-09-15 03:50:28 | 124.217.246[.]203:8099 C&C server |
| 172.67.166[.]180> | Hostinger | 2021-12-24 15:54:34 | meapks[.]xyz C&C server |
MITRE ATT&CK methods
This desk was constructed utilizing version 10 of the ATT&CK framework.
| Tactic | ID | Identify | Description |
|---|---|---|---|
| Preliminary Entry | T1444 | Masquerade as Official Software | Pretend web sites present hyperlinks to obtain malicious Android apps. |
| T1476 | Ship Malicious App through Different Means | Malicious apps are delivered through direct obtain hyperlinks behind faux Google Play buttons. | |
| Credential Entry | T1411 | Enter Immediate | Malware shows faux financial institution log in screens to reap credentials. |
| T1412 | Seize SMS Messages | Malware captures acquired SMS messages so it has 2FA codes for financial institution logins. | |
| Assortment | T1412 | Seize SMS Messages | Malware captures acquired SMS messages that may include different attention-grabbing knowledge moreover 2FA codes for financial institution logins. |
| Exfiltration | T1437 | Normal Software Layer Protocol | Malicious code exfiltrates credentials and SMS messages over commonplace HTTPS protocol. |
