While hunting for threats concealed in otherwise legitimate network traffic, activity generated by a particular type of Android Package Kit (APK) file kept appearing on our radar.
Our research revealed a family of malicious APKs targeting Chinese users that steals victim information and conducts financial fraud.
To do this, the threat actor masquerades as a law enforcement official and says the target's phone number or bank account is suspected of being involved in financial fraud.
The threat actor then instructs the person to select their bank from the app and fill in their personal information, including payment card details.
Palo Alto Networks customers are better protected from this malicious APK through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security and Advanced URL Filtering.
We found indicators of the malicious APK activity we'll discuss in this post as early as November 2022.
Our analysis of the malicious APK samples indicates that victims must have obtained them from unofficial third-party sources, because the APKs do not comply with Google Play Store submission policies.
The threat actors used this Android application to impersonate law enforcement authorities.
Because the app blocks incoming phone calls and SMS messages, victims cannot receive fraud alerts from others or from legitimate law enforcement.
First, the threat actor masquerades as an official law enforcement authority and alleges the victim's phone number or bank account is suspected of being involved in financial fraud.
To convince people the app is legitimate, the threat actor provides a legal case number, and they ask the person to search for this case number in the malicious application.
The threat actor will also generate a fake legal case document with the intended victim's name on it.
As depicted in Figure 3, the malicious application requests the legal case number and the person's sensitive personal information.
Once a target fully believes the app comes from a genuine law enforcement authority, the threat actor guides the person to download the next-stage payload. This is done by sending a download link, under the pretext of investigating bank transactions and the source of deposited funds.
Once the victim selects their bank in the app, the threat actors instruct them to fill in their sensitive personal information, including payment card details.
Because the application can block incoming phone calls and SMS messages, the financial institutions involved cannot contact the victims through their Android device, which makes it more likely that victims will remain trapped in the scam.
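The call- and SMS-blocking capability described above leaves traces in an app's manifest. The following static triage heuristic is an added example (not Unit 42 code and not derived from the samples in the post): it parses a decoded AndroidManifest.xml and flags apps that declare both the SMS-interception pattern (RECEIVE_SMS/READ_SMS plus a high-priority SMS_RECEIVED receiver) and a call-control pattern (ANSWER_PHONE_CALLS/READ_PHONE_STATE or a CallScreeningService). Both manifests below are constructed for illustration, and the package and component names are placeholders; the heuristic is general rather than specific to this family.

```python
# Added example (not Unit 42 code): static triage of a decoded AndroidManifest.xml
# for the permission/component combination needed to suppress incoming SMS and
# phone calls. The manifests below are constructed; package names are placeholders.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

# Permissions that let an app receive or read SMS alongside the user.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permissions that let an app observe or end incoming calls.
CALL_PERMS = {"android.permission.ANSWER_PHONE_CALLS",
              "android.permission.READ_PHONE_STATE"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
CALL_SCREENING = "android.telecom.CallScreeningService"

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Case Lookup">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CallFilter"
             android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the SMS/call-control indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []

    # A high-priority SMS_RECEIVED receiver is the classic pattern for seeing
    # (and, on older Android versions, aborting) an SMS before the default app.
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                findings.append(
                    f"sms_receiver priority={filt.get(PRIORITY, 'default')}")

    # A CallScreeningService is the supported way on modern Android to reject
    # or silence incoming calls without the user seeing them ring.
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if CALL_SCREENING in actions:
            findings.append(f"call_screening_service {svc.get(NAME)}")

    can_intercept_sms = bool(perms & SMS_PERMS) and any(
        f.startswith("sms_receiver") for f in findings)
    can_block_calls = bool(perms & CALL_PERMS) or any(
        f.startswith("call_screening") for f in findings)
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "call_permissions": sorted(perms & CALL_PERMS),
        "findings": findings,
        "can_intercept_sms": can_intercept_sms,
        "can_block_calls": can_block_calls,
        # Both capabilities together match the behaviour described in the post;
        # either one alone is common in legitimate dialer or messaging apps.
        "suspicious": can_intercept_sms and can_block_calls,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"],
              "suspicious" if result["suspicious"] else "clean",
              result["findings"])
```

The manifest inside a real APK is stored as binary XML, so decode it first (for example with apktool) before feeding it to `triage_manifest`. Requiring both capabilities before flagging keeps ordinary dialer and messaging apps out of the queue; treat the verdict as a triage signal to prioritise sandbox analysis, not as a conviction on its own, which matters here because the network traffic of these samples goes to a legitimate domain and offers little to correlate with.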
Because the domain the malicious APK files contact during execution is legitimate, definitively classifying an isolated connection to it as malicious is difficult.
Attackers take advantage of an information gap and the victim's fear of being embroiled in legal action, coupled with carefully designed social engineering attacks, to reap significant illegal profits.
To defend against the threat, we highly recommend that people do not download third-party applications from untrusted mobile application stores and do not share sensitive information with unknown sources.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance members.
Published on unit42.paloaltonetworks.com, Fri, 12 Jan 2024 12:13:04 +0000.