Researchers from the cyber security firm Eset identified malicious apps used to steal the banking credentials of customers of eight Malaysian banks. The experts shared the details of the scheme as a warning, since the technique could be replicated anywhere in the world.
Cyber criminals try to steal bank details using fake websites that pose as legitimate services. According to Eset, they usually register domain names very similar to those of the official services and even copy the design of the original site outright so as to go unnoticed.
This campaign was first identified in late 2021. At the time, the attackers posed as the legitimate cleaning service Maid4u. The hoax was distributed via Facebook ads that asked potential victims to download the company's app, which in fact contained malicious code.
In January 2022, MalwareHunterTeam shared information about three other malicious sites and Android trojans attributed to this campaign. In addition, Eset researchers found four more fake websites. The seven sites spoof services that are only available in Malaysia: six of them offer cleaning services (Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall), while the seventh is a pet store called PetsMore.
These bogus websites do not offer a way to buy directly through them. Instead, they include links that supposedly download apps from Google Play. Clicking those links does not take the user to the official Google store but to servers controlled by the cybercriminals.
“To be successful, this attack requires that the victims enable the “Install unknown apps” option on their devices, which is disabled by default. It is worth mentioning that five of the seven legitimate versions of these services do not even have an application available on Google Play,” pointed out Camilo Gutiérrez Amaya, head of the research lab at Eset Latin America.
After choosing the direct transfer option, victims are presented with a fake FPX payment page (Eset)
To appear legitimate, the apps require users to log in once they are opened. The software accepts whatever the user types and always declares it correct. Keeping up the appearance of a genuine online store, the rogue apps pretend to offer products and services for purchase through an interface similar to that of the original stores.
When paying for the purchase, victims are presented with two payment options: credit card or bank transfer.
After choosing the direct transfer option, victims are presented with a fake FPX payment page, where they are asked to choose a bank from eight Malaysian options and then enter their credentials. This is how the attackers obtain their victims' banking credentials. The banks targeted by this malicious campaign are Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia and Hong Leong Bank.
After victims submit their banking credentials, they receive an error message informing them that the username or password they provided is invalid. At this point, the credentials have already been sent to the malware operators.
To ensure that the operators behind this campaign can gain access to their victims' bank accounts, the fake online store apps also forward every SMS message the victim receives to the attackers, in case any of those messages contains the two-factor authentication (2FA) code sent by the bank.
According to the research team, so far this malware campaign has only targeted Malaysia: the online stores it impersonates and the banks whose customers' credentials it steals are all from that country, and app prices are displayed in the local currency, the Malaysian ringgit.
To protect yourself against these types of threats, you should do the following:
1. Only visit legitimate websites directly. Do not reach them through links received or seen on social networks, because you may be redirected to a fake page.
2. Be careful when clicking on ads, and do not rely on paid search results, as they may not lead to the official site.
3. Pay attention to the source of the apps you download. Make sure you are actually on the Google Play store when you install an app.
4. Enable two-step verification wherever possible (a separate note explains in detail how to do so for email, social networks and other accounts). Rather than using SMS as the second factor, it is better to use codes from applications such as Google Authenticator or physical security keys.
5. Keep the software updated.
6. Use a security solution.
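As a worked illustration of points 1 and 3, the following Python snippet is an added example written for this article; it is not code from Eset or from the research it describes. It checks whether a "download from Google Play" link really resolves to the official store, rejecting the kinds of lookalike hosts the campaign relied on (subdomain tricks such as play.google.com.example-maid.com, userinfo tricks such as https://play.google.com@downloads.example, plain-HTTP copies, and direct APK downloads). All sample links, hosts and package names are constructed placeholders and do not refer to real sites.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical helper written for this article, not part of Eset's research:
# checks whether a "download from Google Play" link really leads to Google Play.
PLAY_STORE_HOST = "play.google.com"
PLAY_DETAILS_PATH = "/store/apps/details"
# Android package names are dot-separated identifiers (e.g. com.example.app).
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")


def play_store_package(url: str):
    """Return the package id if url is a genuine HTTPS Google Play app page, else None.

    The host must be exactly play.google.com: a lookalike such as
    play.google.com.example-maid.com, or the userinfo trick
    https://play.google.com@downloads.example, both fail this comparison
    because urlsplit().hostname returns the real host after the '@'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL (e.g. a bad IPv6 literal)
        return None
    if parts.scheme != "https" or parts.hostname != PLAY_STORE_HOST:
        return None
    if parts.path != PLAY_DETAILS_PATH:
        return None
    ids = parse_qs(parts.query).get("id", [])
    # Exactly one well-formed package id; duplicates or odd values are rejected.
    if len(ids) != 1 or not PACKAGE_RE.fullmatch(ids[0]):
        return None
    return ids[0]


def triage_links(links):
    """Split a list of links into (official, suspicious) for human review."""
    official, suspicious = [], []
    for link in links:
        if play_store_package(link):
            official.append(link)
        else:
            suspicious.append(link)
    return official, suspicious


# Constructed sample links modelled on the lures described above; none are real sites.
SAMPLE_LINKS = [
    "https://play.google.com/store/apps/details?id=com.example.cleaningservice",
    "https://play.google.com.example-maid.com/store/apps/details?id=com.example.cleaningservice",
    "https://play.google.com@downloads.example/store/apps/details?id=com.example.cleaningservice",
    "http://play.google.com/store/apps/details?id=com.example.cleaningservice",
    "https://petstore.example/app/download.apk",
]

if __name__ == "__main__":
    ok, bad = triage_links(SAMPLE_LINKS)
    print("official:", ok)
    print("suspicious:", bad)
```

Only the first sample link passes; the other four are exactly the shapes a user should treat as a warning sign before tapping "Install". Note that the check is deliberately strict (HTTPS, exact host, the `/store/apps/details` path and a single `id` parameter), because a fake store page has every incentive to look as close to the real link as possible.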