Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector

A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets. Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic's most significant financial institutions - Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran - hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal. This new trove isn't just bigger - it's more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence. The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that they have another four more in their sights. The attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase. To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. One little trick they use to avoid infrastructure takedowns involves a command-and-control server with the lone purpose of distributing phishing links. As the researchers explained, this "Allows for the server URL to be hardcoded on the application without the risk of being taken down." The group's most notable new tactic is how its apps abuse accessibility services. "While using the accessibility API, they get a way to programmatically access the UI's elements," explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. "They can request for dangerous permissions and when the user is prompted to accept the permission, they click on 'Accept' before the user even sees the notification. Or they prevent uninstallation by clicking on 'Cancel' when the user tries to uninstall the app." Thus far the fake apps have been limited to Android devices. Among the attackers' belongings, the researchers did uncover phishing websites mimicking banking apps' Apple App Store pages, indicating that the campaign may expand to iPhones in the near future. Long before that happens, the campaign will have touched thousands. "Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used and there is no guarantee that they didn't use other channels in the past."

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000


Cyber News related to Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector

Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector - A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets. Four months ago, researchers from ...
1 year ago Darkreading.com
29 malware families target 1,800 banking apps worldwide - Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. This surge is accompanied by a dramatic growth in financial fraud. The research ...
11 months ago Helpnetsecurity.com
Ten new Android banking trojans targeted 985 bank apps in 2023 - This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. Banking trojans are malware that targets people's online bank ...
11 months ago Bleepingcomputer.com
Cybercriminals expand targeting of Iranian bank customers with known mobile malware - Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers. The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their ...
1 year ago Therecord.media
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
CVE-2019-10923 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7, SIMATIC S7-400 CPU 414F-3 PN/DP V7, SIMATIC S7-400 CPU 416-3 PN/DP V7, SIMATIC S7-400 CPU 416F-3 PN/DP V7, Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet ...
1 year ago
CVE-2019-13940 - A vulnerability has been identified in SIMATIC ET 200pro IM154-8 PN/DP CPU (All versions < V3.X.17), SIMATIC ET 200pro IM154-8F PN/DP CPU (All versions < V3.X.17), SIMATIC ET 200pro IM154-8FX PN/DP CPU (All versions < V3.X.17), SIMATIC ET ...
1 year ago
CVE-2019-10936 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7, SIMATIC S7-400 CPU 414F-3 PN/DP V7, SIMATIC S7-400 CPU 416-3 PN/DP V7, SIMATIC S7-400 CPU 416F-3 PN/DP V7, Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet ...
1 year ago
CVE-2022-25622 - A vulnerability has been identified in SIMATIC CFU DIQ, SIMATIC CFU PA, SIMATIC ET 200pro IM154-8 PN/DP CPU, SIMATIC ET 200pro IM154-8F PN/DP CPU, SIMATIC ET 200pro IM154-8FX PN/DP CPU, SIMATIC ET 200S IM151-8 PN/DP CPU, SIMATIC ET 200S IM151-8F ...
1 year ago
CVE-2019-19300 - A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions), KTK ATE530S (All versions), SIDOOR ATD430W (All versions), ...
1 year ago
CVE-2018-4843 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 414F-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 416-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU ...
1 year ago
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions - A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of ...
1 year ago Thehackernews.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
11 months ago Cysecurity.news
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
2 months ago Hackread.com
How a Group of Train Hackers Exposed a Right-to-Repair Nightmare - Earlier this month, Polish hackers known as Dragon Sector accused one of Poland's largest train makers, Newag, of intentionally bricking its own trains when they're repaired by third parties. Newag threatened to sue Dragon Sector, but the story ...
11 months ago Packetstormsecurity.com
Check Point Research Report: Shift in Cyber Warfare Tactics - Highlights: Shift in Cyber Warfare Focus: Recent developments in cyber warfare reveal a shift in the activities of Iranian hacktivist proxies. Initially concentrated on Israel, these groups are now extending their cyber operations to include targets ...
1 year ago Blog.checkpoint.com
Ushering in the Next Phase of Mobile App Adoption: Bolstering Growth with Unyielding Security - In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life's pleasures such as shopping, sports, and gaming. With the popularity ...
11 months ago Cyberdefensemagazine.com
A Plan to Protect Critical Infrastructure from 21st Century Threats - On April 30th, the White House released National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and ...
6 months ago Cisa.gov
FjordPhantom Android malware uses virtualization to evade detection - A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and ...
1 year ago Bleepingcomputer.com
CVE-2021-20698 - Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
CVE-2021-20699 - Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
11 months ago Cyberdefensemagazine.com
Research Reveals That Infostealers Target Healthcare Sector Data - New research by Netskope Threat Labs has revealed that infostealers were the primary malware and ransowmare families used to target the healthcare sector. Healthcare was among the top sectors impacted during 2023 by mega breaches, an attack where ...
8 months ago Itsecurityguru.org
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
6 months ago Bleepingcomputer.com
Microsoft: Iranian hackers target researchers with new MediaPl malware - Microsoft says that a group of Iranian-backed state hackers are targeting high-profile employees of research organizations and universities across Europe and the United States in spearphishing attacks pushing new backdoor malware. The attackers, a ...
10 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)