SMS scam tricks Indian bank customers into installing malicious apps

Zscaler’s ThreatLabz researchers recently observed the emergence of a sophisticated phishing campaign being propagated via fake banking websites targeting major Indian banks such as HDFC, AXIS and SBI. The team will continue to monitor the new situation and will provide an update on any important new developments. In the past, ThreatLabz researchers have observed Indian bank customers being targeted with fake complaint forms from phishing websites that spread Short Message Service (SMS) malware. In contrast, this new campaign exploits fake card renewal websites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.

Campaign 1: Targeting HDFC and Axis banks

ThreatLabz researchers observed domains serving links to fake banking-related application downloads, as shown in Fig. 1 and Fig. 2 below.

Fig 1. Impersonated phishing website targeting HDFC bank customers

Fig 2. Imitation phishing page aimed at Axis bank customers

The two screenshots above show how these phishing sites impersonate bank websites to obtain customers’ sensitive information by encouraging them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are distributed to victims through SMS text messages. When the user clicks the link in the message, they are prompted to install Android-based phishing malware designed to steal critical financial data.

Fig 3. Phishing Page for HDFC Bank Credit Card Application

Upon opening the app, the user sees the fake page shown in Fig. 3, which asks them to enter sensitive information, including card number, expiration date, cardholder name, phone number and date of birth (DOB), in order to redeem points for cash or coupons. When the victim submits this information in the fake form, the malware sends a copy to the command-and-control (C2) server, as shown in the screenshot below.

Fig 4. Creation of a phishing page in the app and C2

On the second run, or once the requested tasks have been completed, a timer screen is displayed to the user, as revealed in the code shown in Fig. 5 below.

Fig. 5. The last page is shown to the user as the second snap in Fig. 3

After receiving all of the victim’s sensitive form data, including card details, the threat actor is able to initiate fraudulent financial transactions. All they still need to complete the attack is a one-time password (OTP).

To collect the OTP, victims are also asked to grant the malicious app SMS permission at installation time. Once the user grants this permission, the malware can exfiltrate received SMS text messages containing the OTP codes the attackers need: the application captures the OTP codes and forwards them to the C2 server, allowing a transaction initiated with the user’s card details to be completed.

Fig 6. Writing phishing data in shared preferences and MFA extraction

The malware also uses a masking technique to avoid showing the phishing page a second time. It writes the initial installation time into the app’s modifiable shared preferences in the “time” object and uses that value as a reference point to block the user from viewing the card phishing page again.

Fig 6. Obfuscation to not load the phishing page after the first run

Campaign 2: Targeting SBI bank customers with KYC verification scam

In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages asking users to immediately update their “Know Your Customer” (KYC) identity verification, a bank requirement, or to perform some other similarly urgent action to avoid their account being blocked or locked. This false sense of urgency, created by the adversaries, is very effective in convincing victims to perform the requested action, including downloading apps to complete the task. In the cases described in this article, all of these requests were fake, and the attacks infected users with malicious apps and stole personal banking information.

The screenshot below shows an attack where the user is asked to download a malicious app to unlock their account.

Fig 7. Smishing campaigns

Unlike campaign 1, where the applications used fake in-app login pages, the applications in this SBI bank KYC verification scam campaign rely on command servers to render the phishing pages. ThreatLabz researchers believe that this is how the malware authors are able to create new campaigns so quickly, as only a few changes, such as updating the C2 destinations, are required to launch a new campaign.

The application starts by asking users to log in to a fake SBI bank website and then update their KYC verification, as shown in Fig. 8 below.

Fig 8. Fake login page redirect hosted on Firebase

Users are navigated through a number of web pages hosted on Firebase as they enter their bank credentials, mobile number, etc., as shown in Fig. 9.

Fig 9. Phishing of login data is used to steal bank credentials

The user is asked to enter an OTP during each fake update step to make the application appear legitimate, as shown in Fig. 10 below; this tactic can also be used to steal the OTP and gain access to the account.

Fig 10. Ask users for OTP

The user is then directed to a page asking for bank information, as shown in Fig. 11 below. Along with the bank details, the user is asked to enter their Permanent Account Number (PAN).

Fig. 11. The application asks the user to provide sensitive bank information

Apart from collecting OTPs through the phishing sites, the malware developers have also implemented code routines that retrieve OTPs from incoming SMS text messages and send them to a secondary C2 as well as to a hard-coded phone number, as shown below.
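The SMS-stealing behaviour described in both campaigns (read incoming SMS, then forward the OTP to a C2 server or a hard-coded number) leaves two artifacts a defender can check for: the permission and receiver declarations in the APK’s AndroidManifest.xml, and outbound POSTs from the app to the exfiltration endpoint. The following Python script is an added example, not code from the original post or from Zscaler; the two manifests, the proxy log lines and the host names are constructed for illustration, and only the `save_sms.php` endpoint name is taken from the Campaign 2 IOC list.

```python
import re
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission pattern of an SMS-stealing phishing app as described in the post:
# the app reads incoming SMS (for OTPs) and has a channel to get them off the device.
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (not from a real sample) modelled on the behaviour the post describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kyc.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="KYC Update">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the package name, declared permissions and a list of SMS-abuse findings."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Receivers that hook the SMS_RECEIVED broadcast see every incoming OTP.
    sms_receivers = [
        rcv.get(NAME_ATTR)
        for rcv in root.iter("receiver")
        if any(a.get(NAME_ATTR) == SMS_RECEIVED_ACTION for a in rcv.iter("action"))
    ]
    findings = []
    if perms & SMS_READ_PERMS and "android.permission.INTERNET" in perms:
        findings.append("reads SMS and has network access (OTP upload to C2 possible)")
    if perms & SMS_READ_PERMS and "android.permission.SEND_SMS" in perms:
        findings.append("reads and sends SMS (OTP forwarding to a phone number possible)")
    for name in sms_receivers:
        findings.append("registers an SMS_RECEIVED receiver: %s" % name)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed proxy log lines: timestamp, client, method, URL, user agent.
# Hosts are placeholders (.invalid); only the save_sms.php path comes from the campaign 2 IOCs.
SAMPLE_PROXY_LOG = [
    '2023-01-12T10:01:05Z 10.0.0.7 POST https://phish-host.invalid/save_sms.php "Dalvik/2.1.0 (Linux; U; Android 11)"',
    '2023-01-12T10:01:09Z 10.0.0.7 GET https://www.example-bank.invalid/ "Mozilla/5.0"',
    '2023-01-12T10:02:31Z 10.0.0.9 POST https://api.example-app.invalid/sync "Dalvik/2.1.0 (Linux; U; Android 12)"',
    '2023-01-12T10:03:02Z 10.0.0.7 POST https://phish-host.invalid/save_sms.php?x=1 "Dalvik/2.1.0 (Linux; U; Android 11)"',
]
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
EXFIL_PATHS = ("/save_sms.php",)  # endpoint name from the IOC list; extend with your own intel


def flag_exfil_requests(log_lines):
    """Return (client, url) pairs for POSTs from an Android app to a known SMS-exfiltration path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["url"].split("?", 1)[0].lower()  # ignore query string when matching the path
        if m["method"] == "POST" and path.endswith(EXFIL_PATHS) and m["ua"].startswith("Dalvik/"):
            hits.append((m["client"], m["url"]))
    return hits
```

The manifest check flags the combination the post describes rather than any single permission, since many legitimate apps legitimately hold INTERNET or even READ_SMS; the proxy check keys on the Dalvik user agent because the upload comes from the app itself rather than a browser.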

Fig 12. Code to send incoming SMS data to C2

Fig 13. Testing SMS data exfiltration to static number

Fig 14. Traffic showing data upload to an external server

The Zscaler sandbox is capable of detecting malware threat behavior and techniques.

Fig 15. Zscaler sandbox report showing detection of malicious applications

Zscaler advises users not to install any unknown applications sent via SMS text messages, especially if the messages claim to come from a financial institution or bank. Imposing a false sense of urgency so that users act immediately without further investigation is a common tactic used by threat actors.

Indicators of Compromise (IOC)

Campaign 1 IOCs

Domains:

hxxps[://]update your card[.]i/HDFC_creditcard[.]apk
hxxps[://]map update[.]in/
hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk

MD5s:

df0b9265d07ffe523884f98613db8401
47eebf0d4ab713d53ec9f3b992777c18
a57c255e5e69d843a1c402df96ced959
ce8e95ef802d9943c2ff7abea1aa94da

Campaign 2 IOCs

Domains:

hxxps[://]sheltered-dawn-11337[.]herokuapp[.]no/SBI-KYC[.]apk
hxxps[://]sbi-kyc-update-immediate[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-users-kyc-1[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-user-kyc-app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]kyc update app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-kyc-apps-v-23[.]web[.]app/SBI-KYC[.]apk
hxxps[://]point dekho[.]xyz/save_sms[.]php
hxxps[://]sbi-kyc-app[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi kyc points[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi kyc points[.]firebase app[.]com/sbi-kyc[.]apk
hxxps[://]sbi-kyc-update-immediate[.]firebase app[.]com/sbi-kyc[.]apk
hxxps[://]applicationkyc[.]sides[.]dev/SBI-KYC[.]apk
hxxps[://]calm-fjord-69600[.]herokuapp[.]no/SBI-KYC[.]apk
hxxps[://]calm-garden-42338[.]herokuapp[.]no/SBI-KYC[.]apk
hxxps[://]please-visit now-immediately[.]no/SBI-KYC[.]apk
hxxps[://]publishing of India[.]top/SBI-KYC[.]apk

MD5s:

0076369748034430dd9345fecd0d130a
f8509e2b72b3ba5916d80888b990b285
f0b6619e42722673e6599471a048edb1
436370a26633fb3a86f2ae2f09bcdb18
1aa0baa0c2fa54a89ecbfe71225726c6
331a9054e877a7210789315f7bcd2620

*** This is a Security Bloggers Network syndicated blog from the Blog Category Feed written by Himanshu Sharma. Read the original post at:
