Malicious banking applications: New phishing against Android and iOS users

ESET analyzed phishing campaigns that combine traditional delivery techniques with the iOS and Android mechanisms for installing web apps, so that malicious applications end up on the device without the usual install warnings

ESET, a leading company in proactive threat detection, identified a phishing campaign aimed at mobile users that targeted bank customers. This novel criminal technique installs a phishing application from a third-party website without the user having to enable installation of apps from unknown sources, and it affects both iOS and Android users. Most of the cases known at the moment have occurred in the Czech Republic, and the applications imitated those of the Hungarian bank OTP Bank and the Georgian bank TBC Bank.

The ESET research team identified a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms: automated voice calls, SMS messages, and social media malvertising.

Voice call delivery was done via an automated call that warned the user about an outdated banking application and asked them to select an option on the keypad. After pressing the correct button, a phishing URL was sent via SMS.

The SMS approach consisted of indiscriminately sending messages to Czech telephone numbers. Each message contained a phishing link together with social-engineering text urging the victim to open it.

The spread through malicious ads was done by placing ads on Meta platforms such as Instagram and Facebook. These ads included a call to action, such as a limited-time offer inviting users to “download an update below.” Meta's ad targeting let the threat actors select the audience by age, gender, and similar criteria, and the ads then appeared in the victims' feeds.

After opening the URL delivered in the first stage, Android victims were faced with a high-quality phishing page that imitated the official Google Play Store page for the targeted banking app, or an imitation website of the app.

PWA phishing flow

From there, victims are asked to install a “new version” of the banking app. Depending on the campaign, clicking the install/update button starts the installation of a malicious application directly from the website onto the victim's phone, either as a WebAPK (Android only) or as a Progressive Web App (PWA) on both iOS and Android. The notable point is that this bypasses the usual browser warning about installing unknown apps: a WebAPK is packaged and installed through Chrome itself rather than sideloaded, so Android does not treat it as an app from an unknown source, and attackers abuse this default behaviour of Chrome's WebAPK technology.

The flow is slightly different for iOS users: an animated pop-up, styled to look like a native iOS prompt, walks victims through adding the phishing PWA to their home screen. At no point are iOS users warned that they are adding a potentially harmful app to their phone.
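Because a WebAPK lands on the device without the "unknown apps" warning, a responder triaging an Android phone needs a quick way to tell WebAPKs and look-alike packages apart from the bank's genuine Play Store app. The following triage helper is an added example written for this article, not ESET's tooling: it parses the output of `adb shell pm list packages -i` (which prints `package:<name>  installer=<installer>` per line), flags every WebAPK (WebAPK package names start with `org.chromium.webapk.`, whether the underlying PWA is legitimate or not, so these are leads rather than verdicts), and flags packages that carry the bank's brand keyword but are not the bank's official package or were not installed by the Play Store. The sample `pm` output, the `com.example.bank.*` package names and the brand keyword list are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `adb shell pm list packages -i` output; not from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a5b3f9c2d1e0aa11  installer=com.android.chrome
package:com.example.bank.official  installer=com.android.vending
package:com.example.bank.update  installer=null
"""

WEBAPK_PREFIX = "org.chromium.webapk."   # Chrome-generated WebAPKs use this prefix
PLAY_STORE = "com.android.vending"       # installer name of the Google Play Store
# Hypothetical: the bank's genuine package name(s) as published on Google Play.
OFFICIAL_PACKAGES = {"com.example.bank.official"}
# Hypothetical brand keywords to look for in package names.
BRAND_KEYWORDS = ("bank",)

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass
class PackageFinding:
    name: str
    installer: str
    reasons: list = field(default_factory=list)


def parse_pm_output(text):
    """Return (package, installer) tuples from `pm list packages -i` output."""
    pkgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs.append((m.group(1), m.group(2)))
    return pkgs


def triage(text, official=OFFICIAL_PACKAGES, keywords=BRAND_KEYWORDS):
    """Flag WebAPKs and brand look-alike packages for manual review."""
    findings = []
    for name, installer in parse_pm_output(text):
        reasons = []
        if name.startswith(WEBAPK_PREFIX):
            reasons.append("WebAPK installed through Chrome, not a Play Store app")
        if name not in official and any(k in name.lower() for k in keywords):
            reasons.append("brand keyword in package name but not an official package")
            if installer != PLAY_STORE:
                reasons.append(f"installed by {installer}, not the Play Store")
        if reasons:
            findings.append(PackageFinding(name, installer, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        print(f.name, f.installer, "; ".join(f.reasons))
```

A WebAPK finding should be followed up by opening the app and checking which site it loads; the phishing WebAPKs described here have a random package name and will not match any brand keyword, which is why the prefix check is needed in addition to the name heuristics.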

Once installed, the app asks victims to enter their internet banking credentials to access their account through the “new” mobile banking application. Everything they enter is sent to the attackers' C&C servers.

The malicious ads included a mashup of the bank’s official mascot (blue chameleon), as well as bank logos and text promising a financial reward for installing the app or warning users that a critical update had been released.

Example of a malicious ad used in these campaigns

All stolen login information was recorded by a backend server, which then forwarded the banking credentials entered by the user to a Telegram group chat. The HTTP calls that posted messages to the threat actor's group chat went through the official Telegram Bot API. As ESET notes, this technique is not new and is used in several phishing kits.
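Exfiltration through the official Telegram Bot API leaves a distinctive trace: the phishing backend makes outbound HTTPS requests to `api.telegram.org` with a path of the form `/bot<bot id>:<secret>/<method>`, and a legitimate banking-themed web server has no reason to do that. The detector below is an added example, not ESET's code: it runs over constructed egress-proxy log lines in a simple `key=value` format (the hosts, timestamps and bot token are made up), picks out Telegram Bot API calls, rates the message-sending methods higher than polling calls such as `getUpdates`, records the bot id while redacting the secret part of the token, and summarises how often each web host talked to each bot.

```python
import re
from urllib.parse import urlsplit

# Constructed egress-proxy log lines from a web tier; the hosts, times and the
# bot token are invented for this example and belong to no real system.
SAMPLE_LOG = """\
ts=2024-08-20T10:15:03Z host=web01 method=POST url=https://api.telegram.org/bot7234567890:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/sendMessage status=200
ts=2024-08-20T10:15:04Z host=web01 method=GET url=https://fonts.googleapis.com/css2?family=Roboto status=200
ts=2024-08-20T10:16:11Z host=web01 method=GET url=https://api.telegram.org/bot7234567890:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/getUpdates status=200
ts=2024-08-20T10:17:40Z host=web02 method=POST url=https://api.telegram.org/bot1234:short/sendDocument status=401
"""

LINE_RE = re.compile(r"ts=(\S+) host=(\S+) method=(\S+) url=(\S+) status=(\d+)")
# Telegram Bot API path: /bot<numeric bot id>:<secret>/<apiMethod>
TG_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
# Methods that push data out of the server; anything else is rated lower.
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def detect_telegram_exfil(log_text):
    """Return one finding per Telegram Bot API call seen in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts, host, http_method, url, status = m.groups()
        parts = urlsplit(url)
        if parts.hostname != "api.telegram.org":
            continue
        t = TG_PATH_RE.match(parts.path)
        if not t:
            continue
        bot_id, secret, api_method = t.groups()
        findings.append({
            "ts": ts,
            "host": host,
            "http_method": http_method,
            "bot_id": bot_id,
            # keep the bot id (a stable IOC), never log the full secret
            "token_redacted": f"{bot_id}:{secret[:4]}...",
            "api_method": api_method,
            "status": int(status),
            "severity": "high" if api_method in SEND_METHODS else "medium",
        })
    return findings


def summarize(findings):
    """Count calls per (web host, bot id) to show which servers feed which bot."""
    counts = {}
    for f in findings:
        key = (f["host"], f["bot_id"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_telegram_exfil(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["severity"], h["api_method"], h["token_redacted"])
    print(summarize(hits))
```

The bot id is worth keeping as an indicator because it stays constant across a kit's deployments even when the phishing domains change, which matches the infrastructure-based attribution ESET describes below; a server in a banking or payment environment that talks to `api.telegram.org` at all is a finding in its own right.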

Warning

“Because two drastically different C&C infrastructures were used, we have determined that two different groups are responsible for the spread of phishing applications. More imitation apps will surely be created, since after installation it is difficult to separate legitimate apps from phishing ones. All sensitive information found during our investigation was quickly sent to the affected banks for processing. We also coordinate the dismantling of multiple phishing domains and C&C servers,” says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Laboratory.

Contact details for ESET in Venezuela: https://www.eset.com/ve/. Also on social networks: Instagram (@esetla) and Facebook (ESET).

With information and reference image provided by ESET and Comstat Rowland
