Hackers are using malicious apps to target customers of 8 Malaysian banks, researchers say

Researchers at Slovak security firm ESET said they have found that three malicious Android apps are still targeting the customers of eight different Malaysian banks in a campaign that started late last year.

ESET researcher Lukáš Štefanko told The Record that they do not have information on how many times these apps were downloaded or how widespread the campaigns are. But they found evidence to confirm that attackers are still creating fake websites that pretend to be legitimate services.

Some of the sites directly copy the original as a way to get people to download the apps. The apps not only steal banking credentials, but allow attackers to forward all the victim’s SMS messages to the malware operators in case they contain two-factor authentication codes sent by the bank.

According to ESET, the malicious apps are linked to websites that spoof legitimate services in Malaysia, including six cleaning services and a pet store. The sites include Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, as well as a pet shop called PetsMore, while the targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.

The sites encourage visitors to download the malicious apps, and Štefanko said the shift to online shopping orders through vendor-specific applications has led to a wave of malicious apps designed to trick people into entering sensitive information. All of the sites seen in the latest campaign use similar domain names to the services they claim to be.

The attackers even used Facebook ads to distribute the fake sites, and ESET said its findings were backed up by MalwareHunterTeamwhich found three other malicious websites and Android Trojans associated with the campaign.

In December, MaidACall warned its customers to be wary of scams using their name. The comments section contains several people saying they had already been scammed.

“The copycat sites do not allow for direct shopping. Instead, they include buttons that claim to download apps from Google Play. However, clicking on these buttons does not actually lead to the Google Play store, but to servers under the control of the threat actors . To succeed, this attack requires the intended victims to enable the non-default ‘Install unknown apps’ option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play,” ESET said.

“To appear legitimate, the applications ask users to log in after launching them; However, there is no server-side account validation – the software takes all input from the user and always declares it correctly. By maintaining the appearance of an actual online store, the malicious applications pretend to offer goods and services for purchase while matching the interface of the original stores. When it’s time to pay for the order, victims are given payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. During our research, it was not possible to select the credit card option.”

Users are then taken to a fake FPX payment page and asked to select their bank from the eight Malaysian banks provided.

Bleeping Computer reported one of the malicious apps in December and ESET found that the same FPX payment used then was used by the three apps they detected this year. The attack also included attempts to spoof a fake cleaning website called “Cleaning Service Malaysia.”

Once the victim’s information is entered, they receive an error message stating that their login information is invalid. At that point, their information has already been sent to the attacker.

“Although the campaign is currently only targeting Malaysia, it may be expanded to other countries and banks later. At this point, the attackers are looking for bank credentials, but they may also enable the theft of credit card information in the future,” adds Štefanko.