A campaign of Android malware aimed at Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.

What is known about this series of apps with Android malware

This is what emerges from a new report from Zimperium, which has discovered a further 200 malicious apps associated with this operation. Those behind the attack also carried out phishing attacks against the same financial institutions that these Android malware apps target.

The Android malware campaign first emerged in late July 2023, when Sophos published a detailed report on a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank and the Central Bank of Iran.

The main objective of these fake apps (Android malware masquerading as legitimate apps) is to trick victims into granting them broad permissions, and then to steal banking login credentials and credit card details by abusing the Android accessibility services.

“Corresponding legitimate versions of the malicious apps are available on Cafe Bazaar, an Iranian Android marketplace, and they have millions of downloads”, said Sophos researcher Pankaj Kohli at the time, adding: “The malicious imitations, on the other hand, were available for download from a large number of relatively new domains, some of which the threat actors also used as C2 servers.”

Interestingly, some of these domains have also been observed serving phishing HTML pages designed to steal credentials from mobile users.

Zimperium's latest findings illustrate the ongoing evolution of the threat, not only in a broader set of targeted banks and cryptocurrency wallet apps, but also in previously undocumented features that make it more potent.

These include using the Accessibility Service to grant the app additional permissions so that it can intercept SMS messages, prevent its own uninstallation and click user-interface elements on the victim's behalf.

Some variants of the malware were also found to fetch a README file from GitHub repositories and extract from it a Base64-encoded version of the command-and-control (C2) server address and the phishing URLs.

“This allows attackers to quickly respond to phishing site removals by updating the GitHub repository, ensuring that malicious apps always get the latest active phishing site”, said Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri.

Another notable tactic is the use of intermediate C2 servers to host text files that contain encoded strings pointing to phishing sites.
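The dead-drop pattern described in the last two paragraphs (encoded C2 and phishing URLs fetched from a GitHub README or from a text file on an intermediate server) is something an analyst can check for in the content a suspicious app downloads. The Python script below is an added example written for this article; it is not Zimperium's or Sophos's code, and the README text, the text-file content and the `.invalid` domains it uses are constructed placeholders rather than indicators from the report. It locates Base64-looking runs in arbitrary text, decodes them leniently (missing padding is repaired), and reports only those that decode to well-formed http(s) URLs, discarding ordinary long words that happen to look like Base64.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# A run of Base64 alphabet characters long enough to carry a URL. Ordinary
# words rarely reach 16 characters, and those that do are rejected later
# because they do not decode to printable text.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _b64decode_lenient(token: str) -> Optional[bytes]:
    """Decode a Base64 token, repairing missing '=' padding; None if not valid Base64."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def decoded_strings(text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) for each Base64 run that decodes to printable UTF-8."""
    found = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        raw = _b64decode_lenient(token)
        if raw is None:
            continue
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # random-looking bytes: a real word that merely matched the regex
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def hidden_urls(text: str) -> List[str]:
    """Return decoded strings that are well-formed http(s) URLs, in order of appearance."""
    urls = []
    for _token, decoded in decoded_strings(text):
        candidate = decoded.strip()
        parts = urlparse(candidate)
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(candidate)
    return urls


# Constructed sample inputs (placeholder domains, not indicators from the
# report): a README that reads like project documentation but carries an
# encoded phishing URL, and an intermediate text file with one encoded URL per line.
PHISH_URL = "https://login.bank-example.invalid/mobile"
C2_URL = "https://panel.c2-example.invalid/api"

SAMPLE_README = (
    "# bank-helper\n\n"
    "A small utility for internationalization of account screens.\n\n"
    "config: " + base64.b64encode(PHISH_URL.encode()).decode() + "\n"
)
SAMPLE_C2_TEXT = "\n".join(
    base64.b64encode(url.encode()).decode() for url in (C2_URL, PHISH_URL)
) + "\n"


if __name__ == "__main__":
    for name, blob in (("README", SAMPLE_README), ("C2 text file", SAMPLE_C2_TEXT)):
        print(f"{name}: {hidden_urls(blob)}")
```

The word "internationalization" in the sample README is 20 Base64-alphabet characters and so matches the regex, but its decoded bytes are not valid UTF-8 and it is dropped; that is the false-positive path an analyst will hit constantly on real READMEs. A sandbox or proxy capture of what an app fetches can be run through `hidden_urls` directly, and any hit is worth correlating with the domains the app later contacts.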

While the campaign has so far focused on Android, there is evidence that Apple's iOS operating system is also a potential target, as the phishing sites check whether the page is opened from an iOS device and, if so, direct the victim to a website that mimics the iOS version of the Bank Saderat Iran app.