Thursday, October 3, 2024
HomeCyber Security NewsIranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

Published on

An Android malware campaign was previously discovered that distributed banking trojans targeting four major Iranian Banks: Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. 

There were 40 credential-harvesting applications circulated on Cafe Bazaar between December 2022 and May 2023.

These applications mimicked the legitimate versions of the banking applications for stealing login credentials, credit card information, and SMS OTP codes.

- Advertisement - EHA

However, recent research found that there were 245 of these applications which were not reported during the previous research.

28 out of these 245 applications were able to evade VirusTotal scanning. The samples of these applications were linked with the same threat actors.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Capabilities of these New Variants

The new applications were found with several new capabilities, like checking the presence of other applications, and seemed to have expanded their targets to new banks.

Nevertheless, the applications are still under development by the malware developers as these new capabilities tend to expand their attack.

In addition to this, the applications also collected information about several cryptocurrency wallet applications. There are high possibilities that crypto wallets could be their future target.

Accessibility Service Abuse and Data Exfiltration

Furthermore, these applications were also found to be utilizing accessibility services for overlaying screens intended to harvest login credentials and credit card details.

They also abused other accessibility services such as Auto Grant of SMS permissions, preventions of uninstallation, and search & click of UI elements.

Code containing Telegram channel ID (Source: Zimperium)
Code containing Telegram channel ID (Source: Zimperium)

As part of exfiltrating the data, some of the C2 servers were found to be consisting of a PHP source that had Telegram channel IDs and bot tokens. The threat actors also used GitHub to share the final C&C URL.

Furthermore, a complete report about these malware and variants has been published, which provides detailed information about the attack vectors, their source code, indicators of compromise, and other information.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...

Mario Duarte, Former Snowflake Cybersecurity Leader, Joins Aembit as CISO to Tackle Non-Human Identities

Aembit, the non-human IAM company, today announced the appointment of Mario Duarte as chief...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...