An Android malware campaign targeting Iranian banks has expanded its capabilities to include additional evasion tactics to fly under the radar.
This is according to a new report from Zimperium, which found more than 200 malicious apps associated with the operation. The attackers have also been observed carrying out phishing attacks against the targeted financial institutions.
The campaign was first revealed in late July 2023, when Sophos disclosed details about a cluster of 40 credential-harvesting apps targeting customers of Merat Bank, Saderat Bank, Resalat Bank, and Central Bank of Iran.
The main purpose of the fake apps is to abuse Android’s accessibility services to trick victims into granting extensive privileges, then harvest banking login credentials and credit card details.
Sophos researcher Pankaj Kohli said at the time: “The corresponding legitimate versions of the malicious apps are available on Cafe Bazaar, an Iranian Android marketplace, and have been downloaded millions of times.”
“Meanwhile, malicious counterfeits were available for download from a number of relatively new domains, some of which were also used by threat actors as C2 servers.”
Interestingly, some of these domains have also been observed serving HTML phishing pages aimed at stealing credentials from mobile users.
Zimperium’s latest findings show that the threat is continuously evolving: it not only targets a wide range of banks and crypto wallet apps, but also incorporates previously undocumented features that make it more potent.
These include using accessibility services to intercept SMS messages, prevent uninstallation, and click user interface elements in order to grant the app additional permissions.
Some variants of this malware have also been found to access README files in GitHub repositories to extract Base64-encoded versions of command-and-control (C2) servers and phishing URLs.
“This allows attackers to quickly respond to phishing site removal by updating GitHub repositories, ensuring malicious apps always have the latest active phishing sites.” said Zimperium researchers Azim Jaswant and Vishnu Pratapagiri.
Another notable tactic is the use of intermediate C2 servers to host text files containing encoded strings pointing to phishing sites.
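The two dead-drop techniques above (Base64 blobs in a GitHub README, and encoded strings in a text file on an intermediate server) can be checked for by an analyst with a small decoder that pulls out any Base64 run that decodes to a URL. The following is an added example written for this article, not code from Zimperium or from the malware; the README text and the hosts it decodes to are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample README in the style the report describes: ordinary-looking
# text with Base64 blobs that decode to a C2 address and a phishing URL.
# The decoded hosts are placeholders, not indicators from Zimperium's report.
SAMPLE_README = """# sync-utils
Small helper library for config sync.

cfg_a: aHR0cDovL2MyLmV4YW1wbGUv
cfg_b: aHR0cHM6Ly9iYW5rLWxvZ2luLmV4YW1wbGUv
greeting: SGVsbG8gd29ybGQ=
"""

# Runs of Base64 alphabet long enough to hold a short URL, plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
URL_SHAPE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s]*)?$")


def decode_if_base64(token: str) -> Optional[str]:
    """Strictly decode a token; return text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def extract_hidden_urls(text: str) -> List[str]:
    """Return decoded strings that look like URLs (dead-drop candidates)."""
    found = []
    for match in B64_TOKEN.finditer(text):
        decoded = decode_if_base64(match.group(0))
        if decoded and URL_SHAPE.match(decoded):
            found.append(decoded)
    return found


if __name__ == "__main__":
    # The same function works on a fetched README or on a text file served
    # by an intermediate server; here it runs on the constructed sample.
    for url in extract_hidden_urls(SAMPLE_README):
        print("encoded URL found:", url)
```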
The campaign has focused on Android so far, but there is evidence that Apple’s iOS is also a potential target: the phishing site checks whether the page was opened on an iOS device and, if so, directs the user to a website that mimics the iOS version of the Bank Saderat Iran app.
It is unclear whether the iOS campaign is still in development or whether the app is already being distributed through an as-yet unidentified source.
The phishing campaign is similarly sophisticated, impersonating real websites and exfiltrating credentials, account numbers, device models, and IP addresses to two Telegram channels controlled by the attackers.
“It’s clear that modern malware is becoming more sophisticated and expanding its targets, so runtime visibility and protection are critical for mobile applications,” the researchers said.
This development comes a little over a month after Fingerprint demonstrated how malicious Android apps can covertly read and copy clipboard data by using the SYSTEM_ALERT_WINDOW permission to hide the toast notification that Android shows when an app reads the clipboard.
“It is possible to overwrite a toast with another toast or other view, and hiding the original toast entirely may prevent the user from being notified of clipboard actions,” Fingerprint said. “An application with the SYSTEM_ALERT_WINDOW permission can read clipboard data without notifying the user.”