November 30, 2023 at 06:06AM
Mobile security firm Zimperium has uncovered a malicious campaign that uses 285 Android apps to steal banking credentials and credit card data from Iranian users. The malware targets at least 12 banking apps, relies on phishing for distribution and on accessibility-service abuse and icon hiding for evasion, and checks devices for cryptocurrency wallets, which suggests those are the next targets. The attackers use Telegram channels and GitHub repositories for data exfiltration and for distributing command-and-control (C&C) details.
**Meeting Summary: Mobile Banking Malware Campaign in Iran**
– **Background**: A campaign first identified in July is targeting Iranian mobile banking users.
– **Malicious Apps**: Hundreds of Android apps are involved; Sophos's initial report covered 40 apps that were active between December 2022 and May 2023.
– **Banking Targets**: The first wave focused on customers of Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.
– **Malware Functionality**:
– Steals banking login credentials and credit card details entered into the fake apps.
– Intercepts incoming SMS messages to capture one-time passcodes and defeat SMS-based multi-factor authentication.
– Hides its launcher icon so the victim is less likely to notice and uninstall it.
– **Distribution Method**: The apps impersonate legitimate ones from the Cafe Bazaar marketplace and are distributed through phishing sites rather than the official store.
– **Zimperium Findings**:
– The campaign is larger than first thought: 245 additional malicious apps were discovered, 28 of which were not detected by any engine on VirusTotal at the time of analysis.
– Two newer malware iterations are attributed to the same attackers.
– Iteration 1: Closely resembles the first wave but adds new banking targets.
– Iteration 2: Introduces new capabilities and evasion techniques.
– **Targets Expansion**: The malware now targets 12 banking apps and also enumerates installed cryptocurrency wallet apps, which indicates planned expansion to wallet theft even though no wallet-stealing code is reported yet.
– **Attack Techniques**: Second-iteration apps abuse the Android accessibility service to read screen content and steal data, grant themselves additional permissions, block uninstallation, and interact with the user interface on the attacker's behalf. An enabled accessibility service is therefore the key indicator to check on a suspect device.
– **Data Exfiltration**: Attackers use Telegram channels and GitHub repositories both to exfiltrate stolen data and to store and update C&C URLs and phishing links. Because both are legitimate, widely used services, this traffic blends in with normal device activity and cannot simply be blocked at the network edge.
– **Device Focus**: Xiaomi and Samsung devices are the primary targets, and the malware contains model-specific logic for them.
– **iOS Threat**: The phishing sites check whether the visitor is on an iOS device, suggesting an iOS variant is in development or already active through a method that has not yet been identified.
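The findings above (icon hiding, accessibility-service abuse, SMS interception) translate into a simple on-device triage for a suspect Android phone. The following helper is an added example written for this summary, not tooling from Zimperium, Sophos, or the malware authors. It assumes you have already captured the output of four standard `adb shell` commands (`pm list packages -3`, `settings get secure enabled_accessibility_services`, `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and `dumpsys package <pkg>`) and parses those text dumps; the exact line formats are assumed from recent Android releases, and the sample output and package names below are constructed, not real indicators.

```python
"""Triage third-party Android packages for the banking-malware traits described above.

Added example: heuristics only, not Zimperium's or Sophos's tooling. Input formats are
assumed to match current adb output; the samples at the bottom are constructed.
"""
import re
from typing import Dict, List, Set


def parse_third_party_packages(pm_list_output: str) -> Set[str]:
    """`adb shell pm list packages -3` prints one `package:<name>` line per user app."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_list_output.splitlines()
        if line.startswith("package:")
    }


def parse_accessibility_services(settings_output: str) -> Dict[str, List[str]]:
    """`adb shell settings get secure enabled_accessibility_services` prints
    `pkg/ServiceClass:pkg2/ServiceClass2` (or `null` when none are enabled)."""
    services: Dict[str, List[str]] = {}
    for entry in settings_output.strip().split(":"):
        if "/" not in entry:
            continue  # covers "null" and blank output
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def parse_launcher_packages(query_output: str) -> Set[str]:
    """The launcher query (assumed `--brief` format) lists `pkg/Activity` lines for every
    app that exposes a home-screen icon. Apps absent here have no icon to tap."""
    pkgs: Set[str] = set()
    for line in query_output.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.]+)/\S+", line)
        if m:
            pkgs.add(m.group(1))
    return pkgs


def sms_permission_granted(dumpsys_output: str) -> bool:
    """`adb shell dumpsys package <pkg>` lists runtime permissions as
    `android.permission.RECEIVE_SMS: granted=true, ...` (format assumed)."""
    return re.search(r"android\.permission\.RECEIVE_SMS:\s*granted=true", dumpsys_output) is not None


def triage(third_party: Set[str], accessibility: Dict[str, List[str]],
           launcher: Set[str], dumpsys_by_pkg: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag a user-installed package when at least two of the three traits co-occur.
    Any single trait is common in benign apps (password managers use accessibility,
    keyboards have no launcher icon), so only combinations are reported."""
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(third_party):
        reasons: List[str] = []
        if pkg in accessibility:
            reasons.append("accessibility service enabled: " + ", ".join(accessibility[pkg]))
        if pkg not in launcher:
            reasons.append("no launcher activity (icon hidden or never declared)")
        if sms_permission_granted(dumpsys_by_pkg.get(pkg, "")):
            reasons.append("RECEIVE_SMS granted (can read OTP codes)")
        if len(reasons) >= 2:
            findings[pkg] = reasons
    return findings


# --- constructed sample output (hypothetical package names) ---------------------------
SAMPLE_PM_LIST = "package:com.example.wallet\npackage:ir.sample.bankfake\npackage:com.example.keyboard\n"
SAMPLE_ACCESSIBILITY = ("ir.sample.bankfake/ir.sample.bankfake.AccessService:"
                        "com.example.wallet/com.example.wallet.AutofillService")
SAMPLE_LAUNCHER = ("Activity Resolver Table:\n"
                   "  com.example.wallet/.MainActivity\n"
                   "  com.android.settings/.Settings\n")
SAMPLE_DUMPSYS = {
    "ir.sample.bankfake": "    runtime permissions:\n"
                          "      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]\n"
                          "      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]\n",
    "com.example.wallet": "      android.permission.CAMERA: granted=true, flags=[ USER_SET ]\n",
}


def run_demo() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample; only the fake bank app should be flagged."""
    return triage(
        parse_third_party_packages(SAMPLE_PM_LIST),
        parse_accessibility_services(SAMPLE_ACCESSIBILITY),
        parse_launcher_packages(SAMPLE_LAUNCHER),
        SAMPLE_DUMPSYS,
    )


if __name__ == "__main__":
    for pkg, reasons in run_demo().items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, replace the sample strings with the captured adb output and review every flagged package by hand; the heuristic deliberately ignores single indicators, so a malicious app that has only hidden its icon but not yet enabled its accessibility service will not appear until the user has been tricked into enabling it.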
**Related Cybersecurity Concerns**:
– Xenomorph Android Banking Trojan in US, Canada.
– New Android Trojans in Asia via Google Play, Phishing.
– ‘BouldSpy’ Android Malware in Iranian Government Surveillance Operations.