Saturday, December 14, 2024

Hacker Attacking Bank Users With AI-powered Phishing Tools and Android Malware


Cybersecurity firm Group-IB has uncovered a sophisticated cybercrime operation targeting Spanish banking customers.

The criminal group GXC Team has been using AI-powered phishing tools and Android malware to steal sensitive banking information.

This article delves into the GXC Team’s operational methods, the unique characteristics of its malicious tools, its attack strategies, and effective defense mechanisms against such threats.


Emergence of the GXC Team

The GXC Team first appeared on the radar in January 2023. They operate through private channels on Telegram and the underground forum Exploit.in. They specialize in developing and selling phishing kits, Android malware, and AI-powered scam tools.

Their primary targets were users of Spanish banks, but their reach extended to governmental bodies, e-commerce platforms, and cryptocurrency exchanges in the United States, United Kingdom, Slovakia, and Brazil.

About GXC Team

A classic malware-as-a-service model is at the core of the GXC Team’s operations. They offered their phishing kits for prices ranging from $150 to $900, while a bundle including the phishing kit and Android malware cost approximately $500 per month, as reported by Group-IB.


Customers were provided with fully set-up phishing resources, complete with domain names that typically impersonated bank domains.

The GXC Team also configured the necessary infrastructure, making executing their attacks easier for other threat actors.

Innovative Tools and Tactics

Phishing Kits and Android Malware

The GXC Team’s primary tools included custom phishing kits and Android malware. These phishing kits were designed for 36 banks in Spain and 30 other institutions worldwide.

The Android malware was disguised as a banking application and was particularly effective at intercepting One-Time Password (OTP) codes sent from legitimate banks.

Here's a screenshot of an announcement made by the GXC Team on their Telegram chat about their SMS OTP stealer targeting Spanish banks.

One of the most notable features of the GXC Team’s tools was the bundling of phishing kits with SMS OTP stealer malware.

This combination allowed the attackers to prompt victims to download and install a banking application to prevent a “phishing attempt.”

Once installed, the application requested permissions to manipulate SMS, enabling the attackers to forward SMS from the victim’s device to a Telegram bot controlled by the GXC Team.

AI-Powered Voice Caller Feature

The GXC Team also integrated an AI-powered voice caller feature into their phishing kits. This feature enabled other threat actors to generate voice calls to victims, instructing them to provide their two-factor authentication (2FA) codes or to install malware disguised as legitimate apps.

A screenshot of an announcement from the GXC team about the AI-powered voice caller feature on their Telegram channel.

This innovative use of AI made the scam scenarios even more convincing and demonstrated how rapidly criminals adopt and implement AI tools in their schemes.

Attack Scenarios

Phishing Path

The attack typically began with the victim receiving a phishing lure via smishing (SMS phishing). The victim was directed to a phishing website where they were asked to provide initial credentials, such as their Spanish Tax Identification Number (NIF) and login details.

Example of a phishing page requesting an identity document.

The threat actor received a notification in the admin panel or Telegram chat about the victim’s visit to the phishing website.

The attacker could request further personal information, such as a photo of an identity document (DNI), physical address, email address, phone number, and SMS OTP code.

This data appeared in the phishing kit admin panel or was sent to the Telegram chat controlled by the threat actor.

A screenshot of a phishing page requesting DNI

Android Malware Path

For some financial institutions, the phishing page deceived victims into downloading and installing a purported Android banking application.

In reality, the victims were downloading malware designed to steal SMS OTPs. The malicious APK pretended to be a legitimate bank app, using a genuine logo and styles.

Example of a fake banking app requesting permissions

Upon installing the app, the victim was presented with a page asking permission to manipulate SMS. Once the app was the default SMS app, it could read, forward, and delete messages.

The app then opened the genuine bank’s website, allowing the victim to interact with it normally. Whenever the attacker triggered the OTP prompt, the Android malware silently received and forwarded SMS messages containing OTP codes to the Telegram chat controlled by the threat actor.

GXC Android Malware Analysis

The GXC Team’s Android malware was primarily an SMS stealer. Its core functionality was to receive SMS messages containing OTP codes for bank logins and send them to a threat actor-controlled Telegram chat.

The malware requested specific permissions, such as READ_SMS and RECEIVE_SMS, and collected victim device information, including device hardware identifiers, IP addresses, and phone numbers.
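As an added example (not code from the article or from Group-IB's report), the following Python triage script flags a decoded AndroidManifest.xml that combines the SMS permissions named above with the intent-filter actions an app must declare to be offered the default-SMS-app role, which is the behaviour described for this stealer. The package name, app label and manifest are constructed; including SEND_SMS in the watch list is an assumption, since a forwarding stealer typically requests it too.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report says the stealer requested (READ_SMS, RECEIVE_SMS);
# SEND_SMS is added on the assumption that forwarding stealers request it.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Actions an app must handle to be eligible for the default-SMS-app role.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
}

# Constructed sample in the shape of a decoded (apktool-style) manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Banco Ejemplo">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Return the SMS permissions, default-SMS-role actions and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    role_actions = sorted(actions & DEFAULT_SMS_ACTIONS)
    # A self-described banking app that both reads SMS and competes for the
    # default-SMS role matches the OTP-stealer pattern in the report.
    suspicious = bool(sms_perms) and bool(role_actions)
    return {"sms_permissions": sms_perms,
            "default_sms_actions": role_actions,
            "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A genuine banking app has no reason to claim the default-SMS role, so this combination is a strong triage signal even before dynamic analysis.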

To protect against such sophisticated attacks, users and financial institutions should adopt the following defense strategies:

  1. Multi-Factor Authentication (MFA): Use MFA methods that do not rely solely on SMS-based OTPs.
  2. Security Awareness Training: Educate users about phishing tactics and how to recognize suspicious messages and websites.
  3. Regular Software Updates: Ensure all devices and applications are regularly updated to patch vulnerabilities.
  4. Advanced Threat Detection: Implement advanced threat detection systems to identify and block phishing attempts and malware.
  5. Secure Communication Channels: Use secure communication channels for sensitive transactions and avoid sharing personal information over SMS or email.

The discovery of the GXC Team reveals an emerging cyber threat aimed specifically at Spanish banking customers. Their combination of phishing kits, Android OTP stealer malware, and AI-powered voice calls makes them a significant threat to the region.

As cybercriminals evolve their tactics, users and financial institutions must stay vigilant and adopt robust security measures to protect against such sophisticated attacks.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
