Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major Iranian Banks: Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.

There were 40 credential-harvesting applications circulated on Cafe Bazaar between December 2022 and May 2023.

These applications mimicked the legitimate versions of the banking applications for stealing login credentials, credit card information, and SMS OTP codes.

However, recent research found that there were 245 of these applications which were not reported during the previous research.

28 out of these 245 applications were able to evade VirusTotal scanning. The samples of these applications were linked with the same threat actors.

Document

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Capabilities of these New Variants

The new applications were found with several new capabilities, like checking the presence of other applications, and seemed to have expanded their targets to new banks.

Nevertheless, the applications are still under development by the malware developers as these new capabilities tend to expand their attack.

In addition to this, the applications also collected information about several cryptocurrency wallet applications. There are high possibilities that crypto wallets could be their future target.

Accessibility Service Abuse and Data Exfiltration

Furthermore, these applications were also found to be utilizing accessibility services for overlaying screens intended to harvest login credentials and credit card details.

They also abused other accessibility services such as Auto Grant of SMS permissions, preventions of uninstallation, and search & click of UI elements.

*Code containing Telegram channel ID (Source: Zimperium)*

As part of exfiltrating the data, some of the C2 servers were found to be consisting of a PHP source that had Telegram channel IDs and bot tokens. The threat actors also used GitHub to share the final C&C URL.

Furthermore, a complete report about these malware and variants has been published, which provides detailed information about the attack vectors, their source code, indicators of compromise, and other information.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.