A threat actor named InTheBox is offering 1,894 web injects for sale on Russian cybercrime forums. These web injects are designed to steal credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps. The overlays are compatible with various Android banking malware families and mimic apps operated by major organizations used in dozens of countries on almost all continents. The low prices of the web injects let cybercriminals focus on other parts of their campaigns, such as developing the malware itself, and widen their attacks to other regions.

Mobile banking trojans check which apps are present on an infected device and pull from the command and control server the web injects corresponding to the apps of interest. When the victim launches a targeted app, the malware automatically loads the overlay that mimics the interface of the legitimate product.

InTheBox provides up-to-date injects for hundreds of apps and also sells web injects individually for $30 each. The shop also lets users order custom injects for any malware. InTheBox's web inject packages include app icon PNGs and an HTML file with JavaScript code that collects the victims' credentials and other sensitive data. In most cases, the injects feature a second overlay that asks the user to enter credit card numbers, expiration dates, and CVV numbers. The stolen data is converted into a string value and sent to a server controlled by the operator of the Android banking trojan.

InTheBox has been selling web injects for Android malware since February 2020. Its injects were used by the Coper and Alien Android trojans in 2021 and September 2022, respectively, while the most recent campaign occurred in January 2023 and targeted Spanish banks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 01 Feb 2023 22:32:03 +0000