
Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021.
The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News.
The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall, and a pet store named PetsMore, all of which are aimed at users in Malaysia.
“The threat actors use these fake e-shop applications to phish for banking credentials,” ESET said. “The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank.”
The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.
The websites, distributed through Facebook ads, urge visitors to download what the attackers claim to be are Android apps available on the Google Play Store, but in reality, redirect them to rogue servers under their control.
It’s worth noting here that the attack hinges on the prerequisite that the potential victims enable the non-default “Install unknown apps” option on their devices for it to succeed. What’s more, five of the abused services don’t even have an app on Google Play.
Once launched, the apps prompt the users to sign in to their accounts, allowing them to place fake orders, following which options are presented to complete the checkout process by including a fund transfer from their bank accounts.
“After picking the direct transfer option, victims are presented [with] a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials,” ESET malware researcher Lukáš Štefanko said.
The ultimate goal of the campaign is to steal the banking credentials entered by the users and exfiltrate it to the attacker-controlled server while displaying an error message that the entered user ID or password is invalid. Read more:https://bit.ly/3xa6jbv