SMS scam tricks Indian bank customers into installing malicious apps
Zscaler’s ThreatLabz researchers recently observed the emergence of a sophisticated phishing campaign being propagated via fake banking websites targeting major Indian banks such as HDFC, AXIS and SBI. The team will continue to monitor the new situation and will provide an update on any important new developments. In the past, ThreatLabz researchers have observed Indian bank customers being targeted with fake complaint forms from phishing websites that spread Short Message Service (SMS) malware. In contrast, this new campaign exploits fake card renewal websites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.
Campaign 1: Targeting HDFC and Axis banks
ThreatLabz researchers observed domains serving links to fake banking-related application downloads, as shown in Fig. 1 and Fig. 2 below.
Fig 1. Impersonated phishing website targeting HDFC bank customers
Fig 2. Imitation phishing page aimed at Axis bank customers
The two screenshots above show how these phishing sites pose as bank websites to obtain customers’ sensitive information, encouraging them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are spread to victims through SMS text messages. When a user clicks the contained link, the victim is prompted to install Android-based phishing malware designed to steal critical financial data.
Fig 3. Phishing Page for HDFC Bank Credit Card Application
Upon opening the app, the user sees the fake page shown in Fig. 3, which asks them to enter sensitive information, including card number, expiration date, cardholder name, phone number, DOB, etc., in order to redeem points for cash or coupons. When the victim submits this information through the fake form, the malware sends a copy to the command-and-control (C2) server, as shown in the screenshot below.
Fig 4. Creation of a phishing page in the app and C2
On the second run, or once the requested tasks are complete, a timer screen is displayed to the user, as revealed in the code shown in Fig. 5 below.
Fig. 5. The last page shown to the user, as seen in the second screenshot in Fig. 3
After receiving all of the victim’s sensitive form data, including card details, the threat actor is able to initiate fraudulent financial transactions. All they still need to carry out the attack is a one-time password (OTP).
To collect the OTP, victims are further asked to grant the malicious app SMS permissions at the time of installation. Once the user grants SMS permissions, the malware is able to exfiltrate received SMS text messages containing the OTP codes it needs. To complete a transaction initiated with the user’s card details, the application captures the OTP codes and forwards them to the C2 server.
Fig 6. Writing phishing data in shared preferences and MFA extraction
This malware also uses a masking technique that prevents the phishing page from being shown again. It writes data to the app’s modifiable shared preferences, using the initial installation data stored in the “time” object as a reference point, so that users cannot view the card phishing page a second time.
Fig 6. Obfuscation to not load the phishing page after the first run
Campaign 2: Targeting SBI bank customers with KYC verification scam
In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages asking users to immediately update their “Know Your Customer” (KYC) identity verification, a bank requirement, or to perform some similar urgent action to avoid their account being blocked or locked. The false sense of urgency created by the adversaries is very effective in convincing victims to perform the requested action, including downloading apps to complete the task. In all of the cases observed for this article, these requests were fake, and the attacks infected users with malicious apps and stole personal banking information.
The screenshot below shows an attack where the user is asked to download a malicious app to unlock their account.
Fig 7. Smishing campaigns
Unlike campaign 1, where applications used fake in-app login pages, the applications in this SBI bank KYC verification scam rely on command servers to render the phishing pages. ThreatLabz researchers believe this is how the malware authors are able to create new campaigns so quickly: only a few changes, such as updating the C2 destination, are required to launch a new campaign.
The application starts by asking users to log in to a fake SBI bank website and then update their KYC verification, as shown in Fig. 8 below.
Fig 8. Fake login page redirect hosted on Firebase
Users are navigated through a number of web pages hosted on Firebase as they enter their bank credentials, mobile number and other details, as shown in Fig. 9.
Fig 9. Phishing of login data used to steal bank credentials
The user is asked to enter an OTP at each fake update step to make the application appear legitimate, as shown in Fig. 10 below; this tactic can also be used to steal the OTP and gain access to the account.
Fig 10. Asking users for an OTP
The user is then directed to a page asking for bank information, as shown in Fig. 11 below. Along with the bank details, the user is asked to enter their Permanent Account Number (PAN).
Fig. 11. The application asks the user to provide sensitive bank information
Apart from collecting OTPs through phishing sites, the malware developers have also implemented code routines that retrieve OTPs from incoming SMS text messages and send them to a secondary C2 server as well as to a hard-coded phone number, as shown below.
Fig 12. Code to send incoming SMS data to C2
Fig 13. Testing SMS data exfiltration to static number
Fig 14. Traffic showing data upload to an external server
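As an added example (not code from the original post or from ThreatLabz), the following Python script performs a static triage of a decoded APK for the traits described in both campaigns above: SMS permissions, a receiver for incoming SMS, and a hard-coded phone number or server that OTPs can be forwarded to. It assumes a decoded AndroidManifest.xml and an extracted string table as input (as produced by a tool such as apktool); the manifest, host and phone number below are constructed, not real IOCs.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Indian mobile numbers in +91 / 91 form, since the campaign forwards OTPs to a hard-coded number
PHONE_RE = re.compile(r"(?<![\w/])\+?91\d{10}(?!\d)")
HOST_RE = re.compile(r"https?://([\w.-]+)")

def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Return the SMS-theft indicators found in a decoded APK. 'suspicious' is
    True when the app both listens for incoming SMS and has somewhere to send them."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    # A receiver whose intent-filter contains SMS_RECEIVED sees every incoming SMS, OTPs included
    sms_receivers = [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
                     if any(a.get(ANDROID_NS + "name") == SMS_ACTION for a in r.iter("action"))]
    phones = sorted({m.group(0) for s in strings for m in PHONE_RE.finditer(s)})
    hosts = sorted({m.group(1) for s in strings for m in HOST_RE.finditer(s)})
    # An exfiltration sink: a hard-coded number, a network host, or the ability to send SMS itself
    has_sink = bool(phones) or bool(hosts) or "android.permission.SEND_SMS" in sms_perms
    return {"sms_permissions": sms_perms, "sms_receivers": sms_receivers,
            "hardcoded_numbers": phones, "network_hosts": hosts,
            "suspicious": bool(sms_perms) and bool(sms_receivers) and has_sink}

# Constructed manifest and strings mimicking the traits described in the post (not real IOCs)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.kyc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["https://example-kyc-update.invalid/api/sms", "+919999999999", "Update KYC now"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The heuristic is a triage aid, not a verdict: legitimate SMS or OTP autofill apps also request these permissions, so hits should be confirmed by inspecting the receiver's code.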
The Zscaler sandbox is capable of detecting malware threat behavior and techniques.
Fig 15. Zscaler sandbox report showing detection of malicious applications
Zscaler advises users not to install any unknown applications sent via SMS text messages, especially if the messages claim to come from a financial institution or bank. Imposing a false sense of urgency so that users act immediately without further investigation is a common tactic used by threat actors.
Indicators of Compromise (IOC)
Campaign 1 IOCs
hxxps[://]update your card[.]i/HDFC_creditcard[.]apk
Campaign 2 IOCs
hxxps[://]kyc update app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi kyc points[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi kyc points[.]firebase app[.]com/sbi-kyc[.]apk
hxxps[://]publishing of India[.]top/SBI-KYC[.]apk
This is a Security Bloggers Network syndicated blog from the Blog Category Feed written by Himanshu Sharma.