Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021.
The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News.
The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia.
“The threat actors use these fake e-shop applications to phish for banking credentials,” ESET said. “The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank. “
The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.
The websites were distributed via Facebook ads and encourage visitors to download the Android apps that the attackers claim are available from the Google Play Store. However, they redirect the users to their rogue servers.
It’s important to note that this attack relies on potential victims enabling the “Install unknown applications” option, which is not the default on their device in order for the attack to work. Five of the five abused apps don’t have an app in Google Play.
Once launched, the apps prompt the users to sign in to their accounts, allowing them to place fake orders, following which options are presented to complete the checkout process by including a fund transfer from their bank accounts.
“Terrorists are asked to select the direct transfer option and they will be presented with [with] a fake FPX page asking them to pick their bank from the eight Malaysian banks. Then, they must enter their credentials,” Lukas Stefanko, ESET malware researcher, said.
The ultimate goal of the campaign is to steal the banking credentials entered by the users and exfiltrate it to the attacker-controlled server, while displaying an error message that the entered user ID or password is invalid.
Fake apps can also access SMS messages and send them to remote servers in case the accounts have two-factor authentication.
” While the campaign is limited to Malaysia, Stefanko stated that it could expand to other countries or banks in the future. The attackers may be after bank credentials at the moment, but could also steal credit card details in the future. “