A recent report from Zimperium has unveiled an Android malware campaign designed to infiltrate Iranian banks, showcasing expanded capabilities and improved evasion techniques that help it avoid detection.
The report highlights over 200 malicious apps linked to this operation, where threat actors have executed phishing attacks against specific financial institutions in Iran.
Initially detected in late July 2023, the campaign, originally identified by Sophos, centered on 40 apps aimed at customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. The malevolent apps aimed to acquire extensive permissions and harvest sensitive banking credentials and credit card details through Android’s accessibility services.
While the legitimate versions of these apps are available on the Iranian Android marketplace, Cafe Bazaar, with millions of downloads, the counterfeit variants were distributed via multiple new domains, doubling as command-and-control (C2) servers.
Recent observations reveal the campaign's evolution, with an expanded target list encompassing more banks and cryptocurrency wallet apps. Notably, the malware now incorporates previously undocumented features, including intercepting SMS messages, preventing app uninstallation, and manipulating user interface elements by abusing accessibility services.
Moreover, Zimperium researchers discovered a novel tactic involving GitHub repositories, allowing attackers to swiftly update phishing sites. The malware accesses README files within these repositories to obtain encoded strings pointing to active phishing URLs.
This sophisticated campaign also sets up intermediary C2 servers housing encoded strings for phishing sites. There are indications of a potential interest in targeting Apple's iOS devices as well, evidenced by checks for iOS devices accessing the phishing pages.
While the iOS campaign’s exact status remains unclear, the Android operation predominantly targets Samsung and Xiaomi devices. The phishing tactics impersonate authentic websites and funnel stolen credentials and device information to designated Telegram channels.
In a parallel development, Fingerprint recently demonstrated a method enabling malicious Android apps to clandestinely access and copy clipboard data without user notification, leveraging the SYSTEM_ALERT_WINDOW permission to obscure notifications.
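The capabilities described above (accessibility-service abuse, SMS interception, uninstall prevention, and the SYSTEM_ALERT_WINDOW overlay permission) all have to be declared in an app's manifest, which makes them a useful triage signal. The following is an added example, not code from Zimperium's or Fingerprint's research: a small checker that parses an AndroidManifest.xml and flags that combination. It assumes uninstall prevention is implemented via a device-admin receiver (a common mechanism, not stated in the report); both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to the campaign, mapped to how an app declares them.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms_interception",
    "android.permission.READ_SMS": "sms_interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_window",
}
# Accessibility services and device-admin receivers are recognised by the permission the
# component requires its binder to hold, not by a uses-permission entry.
BOUND_COMPONENT_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",  # assumed uninstall-resistance path
}

def triage_manifest(manifest_xml: str) -> set:
    """Return the set of risky indicators declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    indicators = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            indicators.add(RISKY_PERMISSIONS[name])
    for tag in ("service", "receiver"):
        for component in root.iter(tag):
            guard = component.get(ANDROID_NS + "permission", "")
            if guard in BOUND_COMPONENT_PERMISSIONS:
                indicators.add(BOUND_COMPONENT_PERMISSIONS[guard])
    return indicators

def is_suspicious(indicators: set) -> bool:
    """An accessibility service combined with any other indicator matches the reported profile."""
    return "accessibility_service" in indicators and len(indicators) >= 2

# Constructed sample: the permission profile a fake banking app would need.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-only app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Sync"/></application>
</manifest>"""
```

Run `triage_manifest` over manifests extracted from sideloaded APKs (for example with apktool) to surface candidates for closer analysis; the combination is a triage heuristic, not proof of malice.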