In a recent revelation by mobile security firm Zimperium, a malicious campaign targeting mobile banking users in Iran has come to light, exposing a complex web of Android applications designed to pilfer sensitive information. The campaign initially surfaced in July, when cybersecurity company Sophos reported on 40 malicious applications circulating between December 2022 and May 2023, with a primary focus on users from four major Iranian banks—Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.
These malicious apps, meticulously disguised as legitimate counterparts available on the popular Iranian marketplace Cafe Bazaar, were distributed through phishing websites. Their primary objectives included harvesting banking login credentials, stealing credit card data, intercepting SMS messages to bypass multi-factor authentication, and employing tactics to conceal their icons, making them challenging to remove.
However, Zimperium’s latest report reveals that the initially identified 40 applications were merely the tip of the iceberg. An additional 245 malicious applications linked to the same campaign have been uncovered, with 28 of them eluding detection by the VirusTotal scanning engine. These applications, attributed to the same threat actors, represent two subsequent iterations of Iranian mobile banking malware, each more sophisticated than the last.
The first iteration, functionally the same as the previously reported malware, expands its target list to 12 banking applications in total. Notably, it also scans infected devices for the presence of other installed apps, hinting that the attackers may widen their scope in future campaigns, possibly beyond banking applications to cryptocurrency wallets.
The second iteration, according to Zimperium, introduces new capabilities and evasion techniques to enhance the campaign’s effectiveness. Leveraging Android’s accessibility services, these malicious apps display overlays for credential and credit card information theft, grant themselves additional permissions, resist uninstallation, and autonomously find and click on interface elements.
The attackers have demonstrated a high level of adaptability, employing Telegram channels for data exfiltration and utilizing GitHub repositories to host command-and-control (C&C) server URLs and phishing links. This infrastructure enables them to swiftly react to disruptions and maintain their campaign’s resilience.
While the primary targets appear to be Xiaomi and Samsung devices, the report suggests that the attackers may be preparing attacks on iOS devices as well. Phishing sites associated with the malware check the visitor’s operating system and, when they detect iOS, serve a page mimicking the iOS version of the banking app. This raises the possibility that an iOS campaign is either in development or already being distributed through a source not yet identified.
As this sophisticated mobile banking malware campaign continues to evolve, users are urged to remain vigilant and employ robust cybersecurity measures to safeguard their personal and financial information. Financial institutions and cybersecurity experts are also encouraged to collaborate in addressing this threat and fortifying defenses against such highly adaptive and persistent adversaries.