200+ Malicious Apps on Iranian Android Store Installed by Millions of Banking Users

November 29, 2023 at 05:36AM

An expanded Android malware campaign aimed at Iranian banks now uses new evasion techniques and phishing tactics, with over 200 malicious apps identified. The malware requests extensive permissions and steals credentials by abusing Android accessibility services. Upgrades include SMS interception and resistance to uninstallation, with infected apps receiving updates from GitHub and intermediate servers. Evidence suggests a potential expansion to iOS devices.

Meeting Takeaways:

1. An Android malware campaign is targeting Iranian banks, expanding its scope and sophistication, according to a new report by Zimperium.

2. Over 200 malicious apps linked to the campaign have been identified, which also engage in phishing attacks against the targeted financial institutions.

3. The malware was initially reported by Sophos in July 2023, with 40 credential-harvesting apps spoofing legitimate banking apps such as those of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.

4. The attackers aim to trick users into granting extensive permissions to these malicious apps, enabling them to harvest banking credentials and credit card details by abusing Android’s accessibility services.

5. The genuine versions of the apps being imitated are available on Cafe Bazaar, a popular Iranian Android marketplace.

6. The malicious apps were distributed via new domains, some of which also served as command-and-control (C2) servers, and several were found to offer phishing pages to steal mobile user credentials.

7. The malware has evolved to target a wider array of institutions including cryptocurrency wallets and uses new features to increase its effectiveness. These features include intercepting SMS messages, complicating uninstallation processes, and interacting with UI elements without user knowledge.

8. Some malware variants use GitHub repositories to retrieve updated phishing URLs and C2 server information, which lets the operators update this infrastructure dynamically and helps the apps avoid detection.

9. Intermediate C2 servers are also employed to host encoded strings that point to phishing sites.

10. There’s evidence suggesting that the threat actors are considering or initiating an iOS-targeted campaign, as the phishing sites check for the device type and direct iOS users to a mimicked version of the Bank Saderat Iran app for iOS.

11. Sophisticated phishing campaigns that mimic legitimate sites are used to exfiltrate personal data like credentials, account information, device models, and IP addresses, which are sent to Telegram channels controlled by the attackers.

12. The complexity and evolving nature of modern malware demand real-time visibility and protection for mobile applications.

13. Recent discoveries by Fingerprint highlight new methods by which malicious Android apps can access and copy clipboard data without the user’s knowledge, emphasizing the ongoing challenges in mobile security.

14. It remains unclear how the iOS-targeted apps are distributed or if they are still in development.
