Fake Messaging App Ads Are Spreading Chinese Banking Malware
Chinese-Speaking Hackers Target Mobile Banking Customers Through App Downloads
Suspected Chinese threat actors are using fake web advertisements for popular instant messaging applications Kik and Viber to install mobile banking malware onto devices of Asian users.
Researchers at cybersecurity company Cyberint said they recently identified mobile banking malware that Chinese-speaking threat actors are distributing on two third-party Android Package Kit (APK) download sites, disguised behind malicious advertisements for the messaging applications.
Cyberint's analysis of the malware source code revealed that the attack had been directed at Asian countries.
Kik Messenger, developed by Canadian company Kik Interactive, is a free instant messaging mobile application with nearly 15 million active users. Viber, developed by Japanese company Rakuten, is a popular cross-platform VoIP and instant messaging application with over 1.1 billion users worldwide, including a large customer base in the Asia-Pacific region.
That is why the malware campaign poses "a substantial risk to users throughout the region," Cyberint said.
Once a user downloads a malicious APK file, the app asks the user to approve "auto granting permissions" through the Accessibility Service, which lets the malware operate freely on the infected device. Once installed, the malware looks for activity related to the mobile apps of Vietnam's TPBank, VietinBank iPay and MB Bank and collects credentials and other information.
The malware could obtain a victim's account balance, device password, contacts, SMS data, photos and a list of currently installed applications. The malware also could take screenshots and recordings and exfiltrate the data to a remote command-and-control server.
The threat actors maintained a dashboard populated with data obtained from infected mobile devices. These data types included a mobile device's brand, time zone and language, infection status and time stamp, current available balance, machine code, whether a device is online or offline, and whether the screen is locked.
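The permission pattern described above, an Accessibility Service used to "auto grant" prompts combined with access to SMS, contacts, photos and the list of installed apps, is what a defender looks for when triaging a sideloaded APK that claims to be a messaging client. The script below is an added example written for this article; it is not Cyberint's code and not the malware's. It reads a decoded AndroidManifest.xml (the two manifests here are constructed for illustration), lists the permissions that map onto the data the article says the malware collects, and flags a package whose label says "Viber" or "Kik" while its package name is not the legitimate one. The package names kik.android and com.viber.voip are assumed to be the genuine ones; everything else in the manifests is made up.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes
# them as "{namespace}attr".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that correspond to the data types the article says were stolen.
DATA_PERMS = {
    "android.permission.READ_SMS": "SMS data",
    "android.permission.RECEIVE_SMS": "SMS data",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos / storage",
    "android.permission.QUERY_ALL_PACKAGES": "installed application list",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlays",
}

# Assumed legitimate package names for the impersonated apps (assumption,
# not taken from the article).
KNOWN_PACKAGES = {"Kik": {"kik.android"}, "Viber": {"com.viber.voip"}}

# Constructed manifest mimicking a fake "Viber" APK that asks for far more
# than a chat client needs, including an Accessibility Service binding.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.viber.voip.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Viber">
    <service android:name=".AutoGrantService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary chat app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Chat Demo"/>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package name, label, requested permissions and whether any
    service binds as an Accessibility Service from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    accessibility = any(
        s.get(PERM_ATTR) == ACCESSIBILITY_PERM for s in root.iter("service")
    )
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    return {
        "package": root.get("package"),
        "label": label,
        "permissions": perms,
        "accessibility_service": accessibility,
    }


def assess(info):
    """Return human-readable findings for the triage report."""
    findings = []
    if info["accessibility_service"]:
        findings.append("declares an Accessibility Service "
                        "(can approve its own prompts and read on-screen content)")
    for perm, what in sorted(DATA_PERMS.items()):
        if perm in info["permissions"]:
            findings.append(f"requests {perm} ({what})")
    for brand, packages in KNOWN_PACKAGES.items():
        if brand.lower() in info["label"].lower() and info["package"] not in packages:
            findings.append(f"label '{info['label']}' impersonates {brand} "
                            f"but package is {info['package']}")
    return findings


def risk_level(info):
    """Accessibility plus SMS access is the credential/OTP-theft combination;
    rate it high. Accessibility alone or several data permissions is medium."""
    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    if info["accessibility_service"] and sms & info["permissions"]:
        return "high"
    if info["accessibility_service"] or len(assess(info)) >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        info = parse_manifest(manifest)
        print(f"[{name}] {info['package']}: risk={risk_level(info)}")
        for finding in assess(info):
            print("  -", finding)
```

The script expects the manifest already decoded to text (APKs store it as binary XML), so it slots in after whatever decoding step a triage pipeline already has. The heuristic is deliberately coarse: a legitimate accessibility tool will also score "medium", so the point is to surface the combination for a human to look at, not to block on it.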
Cyberint said the malware code and the function responsible for establishing communication with the malware's command-and-control server contained characters written in Chinese. This, along with a screenshot of the threat actors' dashboard written in Chinese, led the researchers to assume that Chinese-speaking individuals or groups were behind the banking malware campaign targeting Asian users.
"The discovery of this mobile malware impersonating popular messaging applications poses a significant threat to mobile Android banking users, particularly in Asia. Its info-stealer capabilities and targeted focus highlight the need for heightened cybersecurity measures, user education and proactive defense strategies," Cyberint said.
Security researchers Emily Dennison and Alana Witten in late 2022 discovered a financially motivated Chinese threat group, dubbed Fangxiao, using thousands of fraudulent domains that impersonated the domains of multiple businesses operating in the retail, banking, travel, pharmaceuticals and energy sectors.
Fangxiao ran fake surveys on these domains and promised rewards to lure visitors into downloading an app, which in fact was Triada malware. Triada, in use since 2016, gives cybercriminals root access to infected devices and allows them to exfiltrate banking information and other device data and to download additional malware.