Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Fake e‑shops on the prowl for banking credentials using Android malware

April 17, 2022

ESET researchers analyzed three malicious apps targeting customers of eight Malaysian banks

The popularity of online shopping has been growing over the past few years, a trend accelerated by the pandemic. To make this already convenient way of never having to leave the couch to buy new things even more convenient, people are increasingly using their smartphones instead of computers to shop: in Q1 2021, smartphones accounted for 69% of all retail website visits worldwide, and smartphone purchases made up 57% of online shopping orders. A notable aspect of buying goods and services via a mobile device is that 53% of smartphone users do so from vendor-specific apps.

Seeking an opportunity to profit from this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious apps. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use domain names similar to those of the services they are impersonating, the better to draw in unsuspecting victims.

Campaign overview

This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign lures potential victims into downloading Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.

On top of that, ESET researchers discovered four more fake websites. All seven websites impersonated services that are only available in Malaysia: six of them, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, offer cleaning services, and the seventh is a pet store called PetsMore. The side-by-side comparison of the legitimate and copycat versions of Grabmaid and PetsMore can be seen in Figures 1 and 2, respectively.

Figure 1. Grabmaid: legitimate website on the left, copycat on the right

Figure 2. PetsMore: legitimate website on the left, copycat on the right

The copycat websites do not provide an option to shop directly through them. Instead, they contain buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play.

To appear legitimate, the apps ask users to sign in after starting them up; there is, however, no account validation on the server side: the app accepts any input from the user and always declares it correct. Keeping up the appearance of a real e-shop, the malicious apps pretend to offer goods and services for purchase while mimicking the interface of the original stores (see Figure 3 for a screenshot of the shopping cart in one of the malicious apps). When the time comes to pay for the order, the victims are presented with payment options: they can pay either by credit card or by transferring the required amount from their bank account. During our research, it was not possible to choose the credit card option.

Figure 3. The shopping cart in a malicious app

As already mentioned, the goal of the malware operators is to obtain the banking credentials of their victims. After choosing the direct transfer option, victims are presented with a fake FPX payment page and asked to choose their bank from the eight Malaysian banks provided, and then to enter their credentials. The targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank, as seen in Figure 4.

Figure 4. Targeted banks

After unfortunate victims submit their banking credentials, they receive an error message informing them that the user ID or password they provided was invalid (Figure 5). By this point, the entered credentials have already been sent to the malware operators, as Figure 6 shows.

Figure 5. Error message displayed to the victim after credentials are exfiltrated

Figure 6. Credentials being sent to the attacker’s server

To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop apps also forward all SMS messages received by the victim to the operators, in case they contain two-factor authentication (2FA) codes sent by the bank (see Figure 7).

Figure 7. All received SMS messages are forwarded to the attacker’s server

Malware overview

The observed malware is rather minimalistic: it is designed to request only one user permission, which is to read received SMS messages. Its purpose is to phish for banking credentials and to forward 2FA SMS messages from the compromised device to the operators. Lacking the functionality to delete SMS messages from the device, the malware cannot hide the fact that someone is trying to get into the victim’s bank account.
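As an added example (not ESET’s code and not taken from the analyzed samples), the following Python triage check looks for the profile just described: an app whose only user-granted permission is SMS access and which registers a receiver for incoming SMS messages. The package names, manifests and the permission sets used below are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:name attribute in a manifest.
A = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Install-time ("normal") permissions are never prompted for, so they do not count
# towards the "only one user permission" profile described above (assumed set).
NORMAL_PERMISSIONS = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the permission profile of an app and whether it matches the
    SMS-stealer shape: SMS permission + SMS_RECEIVED receiver and nothing else."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Every <action> under a <receiver> tells us which broadcasts the app listens for.
    receiver_actions = {a.get(A + "name")
                        for r in root.iter("receiver") for a in r.iter("action")}
    sms_perms = perms & SMS_PERMISSIONS
    other_user_perms = perms - SMS_PERMISSIONS - NORMAL_PERMISSIONS
    listens_for_sms = SMS_RECEIVED in receiver_actions
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(sms_perms),
        "other_user_permissions": sorted(other_user_perms),
        "sms_receiver": listens_for_sms,
        "suspicious": bool(sms_perms) and listens_for_sms and not other_user_perms,
    }

# Constructed sample manifests (hypothetical package names, not the real samples).
FAKE_SHOP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeshop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Shop">
        <activity android:name=".LoginActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BENIGN_SHOP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realshop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Shop"><activity android:name=".MainActivity"/></application>
</manifest>"""
```

The decoded AndroidManifest.xml of an APK (for instance as produced by apktool) can be fed to triage_manifest directly; a hit is a triage signal for a closer look, not a verdict on its own.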

So far, the malware has been targeting only Malaysia: both the e-shops it impersonates and the banks whose customers’ credentials it is after are Malaysian, and the prices in the apps are all displayed in the local currency, the Malaysian Ringgit.

One of the services impersonated in the campaign, MaidACall, has already warned its users of this fraudulent campaign via a Facebook post (see Figure 8). The rest have not publicly commented on the issue yet.

Figure 8. Warning post by a service that was impersonated during the campaign

We have found the same malicious code in all three analyzed apps, leading us to conclude that they can all be attributed to the same threat actor.

Takeaways

To protect yourself against this type of threat, first, try to make sure that you are using legitimate websites to shop:

  • Verify that the website is secure, i.e., its URL begins with https://. Some browsers may even refuse to open non-HTTPS websites and explicitly warn users, or offer an option to enable HTTPS-only mode.
  • Be wary of clicking on ads and do not follow paid search engine results: it is possible that they do not lead to the official website.

Apart from looking out for fake websites, here are some other useful tips for a safer online shopping experience on your smartphone:

  • Pay attention to the source of the apps you are downloading. Make sure that you are actually redirected to the Google Play store when getting an app.
  • Use software or hardware 2FA instead of SMS whenever possible.
  • Use mobile security solutions to detect dangerous websites and malicious apps.

Conclusion

The observed campaign is a fake e-shop scheme targeting the banking credentials of Android users in Malaysia. It takes advantage of the popularity of using smartphones to shop online. Instead of phishing for banking credentials on websites, the threat actors have introduced Android apps into the chain of compromise, thus ensuring they have access to the 2FA SMS messages the victim is likely to receive. The scheme relies on ads to lure potential victims into visiting copycat versions of legitimate websites. Once there, a fake Google Play download button directs them to a malicious app distributed by the malware operators via a third-party website.

While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]

ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Indicators of compromise (IoCs)

Samples


Network


MITRE ATT&CK techniques

This table was built using version 10 of the ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1444 | Masquerade as Legitimate Application | Fake websites provide links to download malicious Android apps.
Initial Access | T1476 | Deliver Malicious App via Other Means | Malicious apps are delivered via direct download links behind fake Google Play buttons.
Credential Access | T1411 | Input Prompt | Malware displays fake bank login screens to harvest credentials.
Credential Access | T1412 | Capture SMS Messages | Malware captures received SMS messages so that it has the 2FA codes for bank logins.
Collection | T1412 | Capture SMS Messages | Malware captures received SMS messages that might contain other interesting data besides 2FA codes for bank logins.
Exfiltration | T1437 | Standard Application Layer Protocol | Malicious code exfiltrates credentials and SMS messages over the standard HTTPS protocol.
