How to identify malicious apps that steal bank details, and how to protect yourself

Potential victims are redirected to fake sites to download malware

A person uses a laptop computer, in a file photograph. EFE/Sascha Steinbach

Cybersecurity researchers have identified malicious applications used to steal bank credentials from customers of eight Malaysian banks. The experts shared details of the scheme as a warning, since the technique could be replicated anywhere in the world.

Cybercriminals are trying to steal bank details using fake websites that pose as legitimate services. They usually register domain names very similar to those of the official services and even copy the design of the original site outright to go unnoticed, Eset researchers explain.

This campaign was first identified at the end of 2021. At the time, the attackers impersonated the legitimate Maid4u cleaning service. The hoax was distributed through Facebook ads that invited potential victims to download the company's app, which in fact carried malicious code.

In January 2022, MalwareHunterTeam shared information about three more malicious sites and Android Trojans attributed to this campaign. Eset researchers then found four further fake websites. The seven sites impersonate services that are available only in Malaysia: six offer cleaning services (Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidaCall), while the seventh is a pet store called PetsMore.

These fake websites do not offer a way to buy directly through them. Instead, they include links that supposedly download the store's app from Google Play. Clicking one of these links does not take the user to the official Google store but to servers controlled by the cybercriminals.

“To be successful, this attack requires victims to enable the 'Install unknown applications' option on their devices, which is disabled by default. It's worth mentioning that five of the seven legitimate versions of these services don't even have an application available on Google Play,” said Camilo Gutiérrez Amaya, Head of the Research Laboratory at Eset Latin America.

After choosing the direct transfer option, victims are shown a fake FPX payment page (Eset)

To appear legitimate, the applications ask users to log in as soon as they are opened. The software accepts whatever the user types and always treats it as correct. Keeping up the appearance of a real online store, the malicious apps then offer products and services for purchase through an interface that mimics the original store's.

When it comes time to pay, victims are presented with two payment options: credit card or bank transfer.

The bank transfer route is how the attackers harvest credentials. After choosing direct transfer, victims are shown a fake FPX payment page and asked to pick one of eight Malaysian banks and then enter their online banking credentials. The banks targeted by this campaign are Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia and Hong Leong Bank.

After the victims submit their bank credentials, they receive an error message saying that the username or password is invalid. By then, the credentials have already been sent to the malware operators.

To make sure the operators can actually get into the victims' bank accounts, the fake store apps also forward every SMS message the victim receives to the attackers, in case one of them contains the two-factor authentication (2FA) code sent by the bank.

According to the research team, the campaign has so far targeted Malaysia only: the impersonated online stores and the targeted banks are all Malaysian, and prices in the apps are shown in the local currency, the Malaysian ringgit.

To protect yourself against this kind of threat, the researchers recommend the following:

1. Only visit legitimate websites. Do not follow links received in messages or seen on social networks, as they could redirect you to a fake page.

2. Be careful when clicking on ads, and do not blindly follow paid search results, as they may not lead to the official website.

3. Pay attention to the source of the applications you download. Make sure a link really takes you to the Google Play store before installing an app.

4. Enable two-step verification wherever possible, for email, social networks and other accounts.

Rather than SMS as the second factor, prefer codes generated by an app such as Google Authenticator, or a physical security key: as this campaign shows, malware that forwards incoming text messages can defeat SMS-based codes.

5. Keep your device's software up to date.

6. Use a security solution on your device.
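The redirect trick described earlier (a "Google Play" link that actually lands on an attacker's server) and recommendation 3 above both come down to one question: does the link really point at Google Play? The following Python checker is an added example, not ESET's or the article's code, showing how to answer it for a batch of links scraped from a page. The only real host in it is play.google.com; every other hostname and package name is a constructed placeholder under .example.

```python
"""Decide whether a "Get it on Google Play" link really points at Google Play.

Added example (not ESET's or the campaign's code). All hosts other than
play.google.com, and all package names, are constructed placeholders.
"""
from urllib.parse import urlsplit, parse_qs

PLAY_HOST = "play.google.com"            # the only host a genuine listing lives on
PLAY_LISTING_PATH = "/store/apps/details"  # genuine listing: ...details?id=<package>
BRAND_TOKENS = ("google", "play", "android")


def classify_store_link(href: str) -> str:
    """Return one of "play", "lookalike", "direct-apk" or "other".

    "play"        https link whose host is exactly play.google.com
    "lookalike"   brand words appear somewhere in the authority part of the
                  URL, but the host is not play.google.com over https
                  (typosquat, attacker subdomain, user@host trick, plain http)
    "direct-apk"  the link hands out an .apk file; Google Play never does this
    "other"       no Play branding in the URL at all
    """
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()      # userinfo (user@) already stripped
    netloc = parts.netloc.lower()               # still contains any user@ prefix
    path = parts.path.lower()

    # Sideloaded APK served by the site itself: the pattern the campaign used.
    if path.endswith(".apk"):
        return "direct-apk"

    # Exact host match over https is the only acceptable form.
    if parts.scheme == "https" and host == PLAY_HOST:
        return "play"

    # Brand tokens anywhere in the authority part (including a fake
    # "play.google.com@" userinfo prefix) mark an impersonation attempt.
    if any(token in netloc for token in BRAND_TOKENS):
        return "lookalike"

    return "other"


def play_package_id(href: str):
    """Return the package id of a genuine Play listing link, else None."""
    if classify_store_link(href) != "play":
        return None
    parts = urlsplit(href.strip())
    if parts.path.lower() != PLAY_LISTING_PATH:
        return None
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


def audit_links(hrefs):
    """Classify every link; returns a list of (href, verdict) pairs."""
    return [(href, classify_store_link(href)) for href in hrefs]


# Constructed sample links and the verdict each should receive.
SAMPLE_LINKS = {
    "https://play.google.com/store/apps/details?id=com.example.cleaner": "play",
    # plain http is not what Google emits for a listing; treat as suspicious
    "http://play.google.com/store/apps/details?id=com.example.cleaner": "lookalike",
    # attacker-controlled domain with play.google.com as a subdomain prefix
    "https://play.google.com.cleaning-apps.example/store/apps/details?id=com.example.cleaner": "lookalike",
    "https://play-google.example/download": "lookalike",
    # userinfo trick: the real host is cleaning-apps.example
    "https://play.google.com@cleaning-apps.example/app": "lookalike",
    "https://cdn.cleaning-apps.example/cleaner.apk": "direct-apk",
    "https://shop.cleaning-apps.example/contact": "other",
}


if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_LINKS):
        print(f"{verdict:11s} {href}")
```

The check deliberately compares the hostname for exact equality rather than testing whether it "contains" play.google.com: the campaign's whole point is that a lookalike such as play.google.com.cleaning-apps.example passes a substring test and fails an exact one. Any "play" verdict still only tells you the listing is on Google's store, not that the app listed there is the one the merchant actually publishes.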
