Hackers use malicious apps to target customers of 8 Malaysian banks, researchers say

Researchers at Slovak security firm ESET said they have found that three malicious Android apps are still targeting the customers of eight different Malaysian banks in a campaign that began late last year.

ESET researcher Lukáš Štefanko told The Record that they don’t have information on how many times these apps were downloaded or how widespread the campaigns is. But they found evidence confirming that attackers are still creating fake websites that pose as legitimate services.

Some of the websites are outright copying the original as a way to get people to download the apps. The apps not only steal banking credentials but allow attackers to forward all of the victim’s SMS messages to the malware operators in case they contain two-factor authentication codes sent by the bank.

According to ESET, the malicious apps are tied to websites spoofing legitimate services in Malaysia, including six clearing services and a pet store. The websites include Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, as well as a pet store named PetsMore, while the targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.

The websites urge visitors to download the malicious apps, and Štefanko said the shift to online shopping orders through vendor-specific applications has prompted a wave of malicious apps designed to trick people into entering sensitive information. All of the websites seen in the latest campaign use similar domain names to the services they are impersonating.

The attackers even used Facebook ads to distribute the fake websites and ESET said their findings were backed up by the MalwareHunterTeam, which found three other malicious websites and Android trojans attributed to the campaign.

In December, MaidACall warned its customers to be wary of scams using their name. The comment section features multiple people saying they had already been scammed. 

“The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play,” ESET said.  

“To appear legitimate, the applications ask the users to sign in after starting them up; there is however no account validation on the server side – the software takes any input from the user and always declares it correct. Keeping up the appearance of an actual e-shop, the malicious applications pretend to offer goods and services for purchase while matching the interface of the original stores. When the time comes to pay for the order, the victims are presented with payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. During our research, it was not possible to pick the credit card option.”

Users are then taken to a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided.

Bleeping Computer reported on one of the malicious apps in December and ESET found that the same FPX payment used then was currently being used by the three apps they discovered this year. That attack also featured attempts to spoof a fake cleaning website called “Cleaning Service Malaysia.”

Once the victim’s information is entered, they receive an error message saying their login information was invalid. At that point, their information has already been sent to the attacker. 

“While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future,” adds Štefanko.