Banking Trojan Targets Banking Users in Malaysia

Trojans pose a serious threat to Android users because they are hard to identify: they carry out malicious activity behind the garb of legitimate features. This blog focuses on one such malicious Android application that pretends to be a cleaning service in Malaysia and steals the victim's SMS messages and bank credentials. The application and its companion website mimic the official website cleaningservicemalaysia[.]com to trick unsuspecting users into handing over their SMS data and Net Banking credentials.

Cyble Research Labs came across a Twitter post in which researchers mentioned this Android malware. The malicious app is named Cleaning Service Malaysia. On further analysis, we observed that the Threat Actors (TAs) behind it also operate a website hosted at hxxps://www.csapks.online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main[.]php.

Once the malware runs successfully, it can steal sensitive data such as incoming SMS messages and the Net Banking credentials of Malaysian bank customers.

Technical Analysis 

APK Metadata Information

  • App Name: Cleaning Service Malaysia
  • Package Name: com.company.gamename
  • SHA256 Hash: 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0

Figure 1 shows the metadata information of the application.

Figure 1 Metadata Information 

Figure 2 shows the application icon and name.

Figure 2 App Icon and Name

Manifest Description

The malware requests twenty-four permissions, a few of which are declared more than once. Of these, one permission in particular is abused by the malware: RECEIVE_SMS, which lets the app intercept every incoming SMS, including the one-time passwords that Malaysian banks send to authorise Internet Banking logins and transactions.

The dangerous permission is listed below.

Permission    Description
RECEIVE_SMS   Allows the app to receive and process incoming SMS messages.

Table 1: Permission Abused by the Malware
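A quick way to reproduce this part of the triage on any sample is to decode the APK (for example with `apktool d sample.apk`) and walk the resulting AndroidManifest.xml. The script below is an added example, not code from the report or from the malware: it counts the declared permissions, reports the ones declared more than once, flags the SMS permissions, and lists any broadcast receiver registered for SMS_RECEIVED. The manifest string inside it is constructed for illustration (only the package name comes from the report; the permission set, the `.SmsReceiver` component and its priority are assumptions, not the sample's actual manifest).

```python
"""Triage the permissions and SMS receivers in a decoded AndroidManifest.xml.

Added example for this write-up, not the sample's own code. The manifest
below is constructed: only the package name is taken from the report.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name, namespaced by ElementTree
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that let an app read, intercept or send SMS (bank OTPs included).
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed manifest: INTERNET is declared twice to mirror the report's
# observation that some permissions are repeated; the receiver is assumed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.company.gamename">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Cleaning Service Malaysia">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise permission usage and SMS receivers from a decoded manifest."""
    root = ET.fromstring(xml_text)
    names = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    counts = Counter(names)

    # Any <receiver> whose intent-filter listens for SMS_RECEIVED can read
    # incoming messages as soon as RECEIVE_SMS is granted.
    sms_receivers = [
        receiver.get(NAME_ATTR)
        for receiver in root.iter("receiver")
        if any(action.get(NAME_ATTR) == SMS_RECEIVED for action in receiver.iter("action"))
    ]

    return {
        "package": root.get("package"),
        "declared": len(names),                        # total <uses-permission> entries
        "unique": sorted(counts),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "sms_permissions": sorted(set(names) & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key:16}: {value}")
    if report["sms_permissions"] and report["sms_receivers"]:
        print("verdict         : app can intercept incoming SMS (OTP theft capability)")
```

The pairing of a granted SMS permission with a receiver for SMS_RECEIVED is the combination worth alerting on; either one alone is common in legitimate apps.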

Figure 3 shows the launcher activity of the malware.

Figure 3 Launcher Activity Declared in the Manifest

Source Code Description 

The code snippet in Figure 4 shows how the malware receives incoming messages and uploads them to the Command and Control (C&C) server.

Figure 4 Code to Steal SMSes

Figure 5 shows the traffic analysis of the malware as it forwards an incoming message to the C&C server. The device identifier and the message body are passed as plain-text query parameters: hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you.

Figure 5 Traffic Analysis of Malware Sending Incoming SMS to the C&C Server
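Because the SMS body travels unencrypted in the URL, this exfiltration is easy to spot in proxy or gateway logs once the TA hosts from the IOC section are known. The script below is an added example written for this write-up, not code from the report. It refangs the report's defanged indicators, then scans log lines for any contact with a known TA host and for the generic shape of the exfil call (a device id plus an SMS body in the query string). The log format (`timestamp client method url`) and all log lines except the report's own C&C URL are constructed; the query key names `sid` and `sms` are taken from the captured request and will need adjusting for other samples.

```python
"""Detect the sample's SMS exfiltration and C&C contact in proxy logs.

Added example, not from the original report. Log lines are constructed;
only the redlabapi C&C URL and the csapks phishing path come from the report.
"""
from urllib.parse import urlsplit, parse_qs

# Indicators from the report, kept in their defanged form.
DEFANGED_IOCS = [
    "hxxps://www.csapks[.]online/",
    "hxxps://redlabapi[.]online/",
]

# Query keys observed carrying the device id and the message body.
ID_KEYS = {"sid"}
SMS_KEYS = {"sms"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


TA_HOSTS = {urlsplit(refang(ioc)).hostname for ioc in DEFANGED_IOCS}


def classify_url(url: str) -> list:
    """Return (severity, reason) findings for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)   # values are percent-decoded here
    findings = []

    if host in TA_HOSTS:
        findings.append(("high", f"contact with known TA host {host}"))

    id_hit = ID_KEYS & qs.keys()
    sms_hit = SMS_KEYS & qs.keys()
    if id_hit and sms_hit:
        body = qs[next(iter(sms_hit))][0]
        findings.append(("high", f"SMS body exfiltrated in URL: {body!r}"))
    elif sms_hit:
        findings.append(("medium", "SMS-like parameter in URL without a device id"))
    return findings


# Constructed log: one benign request, the report's C&C call, a POST to the
# hosted AFFIN phishing page, and a look-alike request to an unrelated host.
CONSTRUCTED_LOG = """\
2022-07-12T09:14:02Z 10.0.0.15 GET https://www.google.com/search?q=cleaning+service
2022-07-12T09:14:10Z 10.0.0.15 GET https://redlabapi.online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you
2022-07-12T09:15:31Z 10.0.0.15 POST https://www.csapks.online/app_abc771_2sfacslfffcs2/fpx_888a/AFF/AFF.php
2022-07-12T09:16:00Z 10.0.0.22 GET https://example.com/api.php?sms=test
"""


def scan_log(text: str) -> list:
    """Scan `timestamp client method url` lines; return (line_no, severity, reason)."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line, skip rather than crash
        for severity, reason in classify_url(fields[3]):
            alerts.append((line_no, severity, reason))
    return alerts


if __name__ == "__main__":
    for line_no, severity, reason in scan_log(CONSTRUCTED_LOG):
        print(f"line {line_no}: [{severity}] {reason}")
```

The host match is the reliable signal; the `sid`/`sms` shape is included so the check still fires if the TAs rotate domains but keep the same PHP endpoint, at the cost of the medium-severity false positive shown on the last constructed line.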

Phishing Activities 

Once users schedule a cleaning service through the malicious application, it requests the user's details, such as name, phone number, and address, and sends the collected data to the C&C server in plain text, as shown in Figures 6 and 7.

Figure 6 App Requests User Details
Figure 7 User Details Sent to C&C Server in Plain Text, Observed from Traffic Analysis

Once users enter their details, the malware prompts them to complete a payment for the cleaning service. To complete the transaction, the malware presents a list of Malaysian banks' Internet Banking options, as shown in the figure below.

Figure 8 Payment Banks Lists Mentioned in Malicious App 

Once users continue with the payment by choosing a bank's Internet Banking service, the malware loads a page designed to look like that bank's legitimate Internet Banking login page. One such case is shown in Figure 9.

Figure 9 AFFIN Online Internet Banking Page Mimicked by the Malicious Application 

On further analysis, we observed that the TAs host the bank's Internet Banking look-alike pages on their own infrastructure, for example at hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/fpx_888a/AFF/AFF.php, as shown in the figure below.

Figure 10 Internet Banking Page Hosted on TA C&C Server 

During traffic analysis, we observed that the malware captures the credentials the victim types into the fake login page and uploads them to the TA infrastructure, as shown below.

Figure 11 Malware Stealing Internet Banking Credentials

Other Observations 

On further analysis, we identified that the TAs also host a look-alike of the cleaning service website on the same C&C server, at hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main.php, as shown in Figure 12.

Figure 12 Similar Website Hosted on TA C&C Server 

On the TA website, social media accounts are listed as the contact medium, as shown below.

Figure 13 Social Media Accounts Mentioned on TA Website 

Interestingly, analysis of these social media accounts showed that the account details provided on the website belong to a legitimate company known as BALABUSTA BROOKLYN, as shown in Figure 14.

Figure 14 Social Media Account Mentioned by the TA on their Website 

Figure 15 shows the Instagram account mentioned on the TA's website. This account appears to be newly created, with very few posts and followers. We suspect that the same account is used by the TAs for malicious activities.

Figure 15 Account Mentioned on TA Website 

On further analysis, we found a legitimate website, Cleaning Service For All, with a similar name, UI, and services. We therefore suspect that the malware is designed to mimic this legitimate website in order to trick users into surrendering their sensitive data.

Figure 16 Legitimate Website that the Malicious App mimics 

Conclusion  

Banking Trojans are created to target users of banking services and steal the information needed to take over their accounts: Net Banking credentials and the SMS messages, including one-time passwords, that banks use to authorise logins and transactions.

TAs constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to deceive users into installing them.

Users should install applications only after verifying their authenticity, and only from official app stores, to avoid such attacks.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection? 

  • Download and install software only from official app stores like Google Play Store & Apple App Store. 
  • Use a reputed Anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable device security features such as fingerprint or password for unlocking the mobile device. 
  • Be wary of opening any links present in SMSs or Emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated to the latest versions. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi Data usage of applications installed in mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile Data and remove the SIM card, since in some cases the malware can re-enable Mobile Data.
  • Perform Factory Reset 
  • Remove the application, in case factory reset is not possible 
  • Take a backup of personal media Files (Exclude Mobile Applications) and perform Reset 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank 

What banks should do to protect customers? 

  • Banks and other financial entities should educate customers on safeguarding from malware attacks using modes such as telephone, SMSes, or emails. 

MITRE ATT&CK® Techniques 

Tactic             Technique ID   Technique Name
Initial Access     T1476          Deliver Malicious App via Other Means
Execution          T1575          Native Code
Persistence        T1402          Broadcast Receivers
Credential Access  T1552          Unsecured Credentials
Collection         T1412          Capture SMS Messages
Exfiltration       T1567          Exfiltration Over Web Service
Impact             T1400          Modify System Partition

Indicators of Compromise (IOCs)   

Indicator                                                                                                    Indicator Type   Description
7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0                                             SHA256           Malicious APK
hxxps://www.csapks[.]online/                                                                                 URL              TA Portal
hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you   URL              TA C&C