Press Center

• ESET researchers have analyzed three malicious Android applications targeting customers of eight Malaysian banks.
• In this ongoing campaign (begun in late 2021), attackers set up fake but legitimate-looking websites. The websites entice shoppers into downloading malicious applications.
• The threat actors use these fake e-shop applications to phish for banking credentials. The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank.
• Currently, the campaign targets Malaysia exclusively but it might expand to other countries and banks later on. Moreover, the attackers may also enable the theft of credit card information in the malicious apps in the future.

BRATISLAVA, KOŠICE — April 6, 2022 — ESET researchers have analyzed three malicious Android applications targeting customers of eight Malaysian banks. To make a profit off customers who have increasingly turned to online shopping during the pandemic, cybercriminals are tricking these eager shoppers into downloading malicious applications. In an ongoing campaign, the threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use similar domain names to the services they are impersonating.

“To make the already couch-friendly approach of online shopping even more convenient, people are increasingly using their smartphones to shop. Smartphone purchases make up the majority of online shopping orders – most of them from vendor-specific applications,” says ESET researcher Lukáš Štefanko, who analyzed the malicious applications.

This campaign was first reported at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempted potential victims to download Android malware from a malicious website. In January 2022, MalwareHunterTeam identified three more malicious websites and Android trojans attributed to this campaign. Recently, ESET researchers found four additional fake websites. All seven websites impersonated services that are only available in Malaysia.

The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices.  When the time comes to pay for the order, the victims are presented with payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. At the time this research was active, it was not possible to select the credit card payment option.

After picking the direct transfer option, victims are presented a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials. The targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. After the victims submit their banking credentials, they receive an error message informing them that the user ID or password they provided was invalid. At this point, the entered credentials have been sent to the malware operators. To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain Two-Factor Authentication (2FA) codes sent by the bank.

“While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future,” adds Štefanko.

ESET Research has found the same malicious code in all three analyzed applications, leading us to conclude that they can all be attributed to the same threat actor.

To protect yourself against this type of threat, first, try to ensure that you are using legitimate websites to shop:

• Verify if the website is secure, i.e., its URL begins with . Some browsers might even refuse to open non-HTTPS websites and explicitly warn users or provide an option to enable HTTPS-only mode.
• Be wary of clicking on ads and paid search engine results
• Pay attention to the source of applications you are downloading. Make sure that you are actually redirected to the Google Play store.
• Use software or hardware 2FA instead of SMS when possible and use mobile security solutions.

For more information, check out the blogpost “Fake e-shops on the prowl for banking credentials using Android malware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

 

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.