An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.
That’s according to a new report from Zimperium, which discovered more than 200 malicious apps involved in the operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions.
The campaign first came to light in late July 2023 when Sophos detailed a cluster of 40 credential harvesting applications targeting customers of Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.
The main aim of the fake apps is to trick victims into granting them extensive permissions, and then to harvest banking login credentials and credit card details through abuse of Android accessibility services.
“The corresponding legitimate versions of the malicious apps are available on Cafe Bazaar, an Iranian Android marketplace, and have millions of downloads,” Sophos researcher Pankaj Kohli said at the time.
“Malicious imitations, on the other hand, are available for download from many new domains, some of which are also used by threat actors as C2 servers.”
Interestingly, some of these domains have also been observed serving HTML phishing pages designed to steal credentials from mobile users.
The latest findings from Zimperium illustrate the continued evolution of the threat, not only in terms of a wider set of targeted banks and cryptocurrency wallet apps, but also in previously undocumented features that make it more powerful.
These include using the accessibility service to grant itself additional permissions to intercept SMS messages, prevent uninstallation, and click on user interface elements.
Some variants of the malware were also found to read the README file of a GitHub repository to obtain the Base64-encoded command-and-control (C2) server and phishing URLs.
“This allows attackers to quickly respond to phishing sites taken down by updating the GitHub repository, ensuring that malicious apps always get the latest active phishing site,” said Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri.
Another unusual tactic is to use intermediate C2 servers to host text files containing encoded strings pointing to phishing sites.
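The dead-drop pattern described above (Base64-encoded C2 or phishing URLs embedded in a GitHub README or in a text file on an intermediate server) can be triaged from the analyst's side by scanning such a file for Base64 tokens that decode to URLs. The following is an added example for that triage step, not code from the report or from the malware; the README text is constructed for the example and the URLs in it are placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for a README or text file used as a dead drop.
# The two encoded values are placeholder URLs, not indicators from the report.
SAMPLE_README = """# project notes
build: aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=
misc: bm90IGEgdXJs
cfg=aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9hcGk=
"""

# Candidate Base64 tokens: a run of alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def extract_dead_drop_urls(text: str) -> list[str]:
    """Return every Base64 token in `text` that decodes to an http(s) URL."""
    found = []
    for tok in B64_TOKEN.findall(text):
        if len(tok) % 4:
            # Not a whole Base64 unit (e.g. an ordinary long word); do not guess padding.
            continue
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # valid-looking token that is not Base64 text
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            found.append(decoded)
    return found


if __name__ == "__main__":
    for url in extract_dead_drop_urls(SAMPLE_README):
        print(url)
```

Run the same function over a text file fetched from an intermediate C2 host to recover the encoded phishing URLs for blocklisting; only tokens that decode to a URL are reported.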
While the campaign currently has its eyes on Android, there is evidence that Apple’s iOS is also a potential target: the phishing sites check whether the page is opened on an iOS device and, if so, direct the victim to a website that mimics the iOS version of the Bank Saderat Iran app.
It is currently unclear whether the iOS campaign is still under development, or whether the apps are being distributed through an as-yet unknown source.
The phishing campaigns are less sophisticated, impersonating actual websites to obtain credentials, account numbers, device models, and IP addresses, which are sent to two actor-controlled Telegram channels.
“It is clear that modern malware is becoming more sophisticated, and the targets are growing, so runtime visibility and protection are essential for mobile applications,” the researchers said.
The development comes a little more than a month after Fingerprint showed a method by which malicious Android apps can secretly access and copy clipboard data, using the SYSTEM_ALERT_WINDOW permission to hide the toast notification that is displayed when an app reads the clipboard.
“It is possible to overdraw a toast either in a different toast or in any other view, completely hiding the original toast and preventing the user from being notified of clipboard actions,” Fingerprint said. “Any application with SYSTEM_ALERT_WINDOW permission can read clipboard data without notifying the user.”