A campaign of Android malware aimed at Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.
What is known about this series of Android malware apps
This emerges from a new report from Zimperium, which has discovered a further 200 malicious apps associated with this operation; those behind the attack have also carried out phishing attacks against the targeted financial institutions through these Android malware apps.
The Android malware campaign first emerged in late July 2023, when Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank and the Central Bank of Iran.
The main objective of these fake apps (Android malware masquerading as legitimate apps) is to trick victims into granting them broad permissions and to steal banking login credentials and credit card details by exploiting the Android accessibility services.
“Corresponding legitimate versions of the malicious apps are available on Cafe Bazaar, an Iranian Android marketplace, and they have millions of downloads,” said Sophos researcher Pankaj Kohli at the time, adding: “The malicious imitations, on the other hand, were available for download from a large number of relatively new domains, some of which the threat actors also used as C2 servers.”
Interestingly, some of these domains have also been observed serving phishing HTML pages designed to steal credentials from mobile users.
Zimperium's latest findings illustrate the ongoing evolution of the threat, not only in terms of a broader set of targeted banks and cryptocurrency wallet apps, but also in the incorporation of previously undocumented features that make it more powerful.
This includes using the Accessibility Service to grant itself additional permissions to intercept SMS messages, prevent uninstallation and click user interface elements.
Some variants of the malware were also found accessing a README file within GitHub repositories to extract a Base64-encoded version of the command-and-control (C2) server and phishing URLs.
“This allows attackers to quickly respond to phishing site removals by updating the GitHub repository, ensuring that malicious apps always get the latest active phishing site,” said Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri.
Another notable tactic is the use of intermediate C2 servers to host text files that contain encoded strings pointing to phishing sites.
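As an added defensive example (not code from Zimperium or from the report), the following Python hunting helper scans text such as a repository README or a hosted text file for Base64 strings that decode to URLs, which is the dead-drop technique described above for both the GitHub README and the intermediate-server text files. The sample README and every domain in it are constructed placeholders, not indicators from the campaign.

```python
import base64
import binascii
import re
from typing import List, Optional

# Runs of Base64 alphabet characters (16+ chars), with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# A decoded line counts as a URL only if it is a plain http(s) URL.
URL_PATTERN = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")


def decode_candidate(token: str) -> Optional[str]:
    """Decode one Base64 token to text; None if it is not valid Base64
    or does not decode to printable UTF-8 (e.g. a hex hash that merely
    happens to use Base64 alphabet characters)."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() or "\n" in text else None


def extract_encoded_urls(text: str) -> List[str]:
    """Return every URL hidden as Base64 inside text, in order of first
    appearance. A single blob may carry several URLs, one per line."""
    found: List[str] = []
    for match in B64_TOKEN.finditer(text):
        decoded = decode_candidate(match.group(0))
        if decoded is None:
            continue
        for line in decoded.splitlines():
            line = line.strip()
            if URL_PATTERN.match(line) and line not in found:
                found.append(line)
    return found


# Constructed sample README: one URL hidden in an HTML comment, a blob with
# two phishing URLs, and a hex digest that must NOT be reported as a URL.
_BLOB = base64.b64encode(
    b"https://login.bank-phish.example/\nhttps://alt.bank-phish.example/"
).decode()
SAMPLE_README = f"""# Utility Project

Build with gradle.

<!-- cfg: aHR0cHM6Ly9jMi5leGFtcGxlLm5ldC9hcGk= -->
config = {_BLOB}
SHA256SUM: 3f786850e387550fdab836ed7e6dc881de23001b
"""

if __name__ == "__main__":
    for url in extract_encoded_urls(SAMPLE_README):
        print(url)
```

Point the helper at a local copy of any README or text file an app was seen fetching; decoded URLs are candidates for blocklisting and for pivoting in the analysis, not confirmed indicators by themselves.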
While the campaign has so far focused on Android, there is evidence that Apple's iOS operating system is also a potential target, as the phishing sites check whether the page is opened from an iOS device and, if so, direct the victim to a website that mimics the iOS version of the Bank Saderat Iran app.
It is currently unclear whether the iOS campaign is still in the development stages or whether the apps are distributed through an as yet unidentified source.
The phishing campaigns are no less sophisticated, impersonating real websites to exfiltrate credentials, account numbers, device models and IP addresses to two Telegram channels controlled by the attackers.
“Evidently modern malware is becoming more sophisticated and the targets are broadening, so runtime visibility and protection are crucial for mobile applications,” the researchers said.
This discovery comes just over a month after Fingerprint demonstrated a method by which malicious Android apps can stealthily access and copy clipboard data by leveraging the SYSTEM_ALERT_WINDOW permission to obscure the notification that appears when an application reads clipboard data.
“You can overlay a toast with a different toast or any other view, completely hiding the original toast and preventing the user from being notified of clipboard actions,” Fingerprint said. “Any application with SYSTEM_ALERT_WINDOW permission can read clipboard data without notifying the user.”