Fake Malicious Clones of Android Apps Steal Bank Logins

Just a day after separate reports of fake Android apps spying on victims and spreading malware, security researchers are warning of other malicious Android apps that are used by their authors to steal their victims' banking information.

Malicious apps spoof real services

The update comes from security firm ESET and details three different Android apps used to steal banking logins and information from victims. All of the malicious apps target the Malaysian market and are built to mimic legitimate mobile apps that are popular and widely used in the country. They target customers of over half a dozen Malaysian banking institutions.

The list of apps mimicked by the malware includes Maid4u, a brand offering house cleaning services, as well as other legitimate Android apps used by both cleaning and online shopping services. The other brands spoofed by the malware are Maideasy, Grabmaid, and MaidACall. The lineup is rounded off by a pet shop app called PetsMore. What is curious about this spoofing campaign is that some of the apps don't even have a legitimate equivalent on the Google Play Store.

Some of the fake apps have websites set up by the malware operators to act as cover and lend an air of legitimacy to the malicious apps. The websites, of course, don't have any real purchasing functionality. Instead, they link the visitors to the malicious apps.

If the user agrees to install the app despite it not being sourced from the Google Play Store and thus flagged as an "unknown app", they are shown two options to buy the fake products and services inside the app. One option is to use a credit card, but that is disabled by default in the malicious apps. The other option is direct bank transfer.

Hackers intercept MFA text messages

Once the victim selects the bank transfer payment, they are shown an interface with payment options for several Malaysian banks. When the victim enters their bank account credentials to complete the fake purchase, the information is siphoned to the hacker-controlled servers and the user is greeted by an error message, the only option since there is no real product associated with the malicious apps.

To make sure they can successfully breach the victim's bank account, the malware operators also intercept and forward text messages received by the victim's phone, allowing them to capture and use the multi-factor authentication code the victim may receive through SMS from their bank.