Trojans pose a serious threat to Android devices as they are difficult to identify as they perform malicious activities behind the garb of legitimate features. This blog focuses on one such malicious Android application that pretends to be a cleaning service in Malaysia to target users through SMS stealing and stealing bank credentials. This application appears to be mimicking the official website of cleaningservicemalaysia[.]com by creating a fake website and Android application to trick unsuspecting users into stealing their SMS data and Net banking credentials.
Cyble Research Labs came across a Twitter post, wherein researchers mentioned this Android malware. This malicious app has the name Cleaning Service Malaysia. On further analysis, we observed the Threat Actors (TAs) behind this also have a website hosted on hxxps://www.csapks.online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main[.]php.
Once the execution of this malware is successful, it can steal sensitive data such as SMS data and Net Banking credentials of Malaysian banks.
Technical Analysis
APK Metadata Information
- App Name: Cleaning Service Malaysia
- Package Name: com.company.gamename
- SHA256 Hash: 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0
Figure 1 shows the metadata information of the application.
Figure 2 shows the application icon and name.
Manifest Description
The malware requests twenty-four different permissions, out of which few are declared multiple times. Out of these permissions, attackers can abuse one permission in particular, the RECEIVE_SMS permission.
We have listed the dangerous permissions below.
| Permissions | Description |
| RECEIVE_SMS | Allows the app to receive and process SMS messages. |
Table 1: Permission Abused by the Malware
Figure 3 shows the launcher activity of the malware.
Source Code Description
The code snippet shown in Figure 4 shows how the malware receives the incoming messages and uploads them to the Command and Control (C&C) server.
Figure 5 shows the traffic analysis of the malware where it sends incoming messages to the C&C server: hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you.
Phishing Activities
Once users schedule the cleaning service through this malicious application, the application requests for the user’s details such as name, phone number, and address, and sends the collected data to the C&C server as plain text, as shown in figure 6 and 7.
Once users enter the details, the malware requests them to complete the payment process for the cleaning service. We observed that to complete the transaction, the malware has listed multiple Malaysian banks’ Internet Banking options, as shown in the below figure.
Once users continue with the payment process by choosing a bank’s Internet Banking service, the malware loads a page designed to look like the bank’s legitimate Internet Banking page. We have represented the analysis of one such case, as shown in figure 9.
On further analysis, we observed that the TAs have hosted the Bank’s Internet Banking pages on their Infrastructure server: hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/fpx_888a/AFF/AFF.php , as shown in the below figure.
During traffic analysis, we observed that the malware steals the victim’s internet banking credentials and uploads them to the TA infrastructure, as shown below.
Other Observations
On further analysis, we identified that the TAs have hosted a similar website also on their C&C server URL: hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main.php., as shown in Figure 12.
On the TA website, we found that the social media accounts are mentioned as their contact medium, as shown below.
Interestingly, the analysis of the social media accounts showed that the social media account details provided on the website belong to a legitimate company known as BALABUSTA BROOKLYNas shown in Figure 14.
The snippet below represents the Instagram account mentioned on the TA’s website. This account seems to be newly created with very few posts and followers. We suspect that the same account is used by the TAs for malicious activities.
On further analysis, we reached a legitimate website that has a similar UI and services with a similar name as Cleaning Service For All. Thus, we suspected that the malware is designed to mimic the legitimate website to trick users into stealing their sensitive data.
Conclusion
Banking Trojans are created to target users of banking services to steal financial information such as SMSes and Net banking credentials, etc.
TA constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to deceive users into installing them.
Users should install applications only after verifying their authenticity, besides ensuring that applications are installed from the registered Play Stores to avoid such cyberattacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store & Apple App Store.
- Use a reputed Anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable device security features such as fingerprint or password for unlocking the mobile device.
- Be wary of opening any links present in SMSs or Emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated to the latest versions.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi Data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile Data and remove SIM Card as in some cases the malware can re-enable the Mobile Data
- Perform Factory Reset
- Remove the application, in case factory reset is not possible
- Take a backup of personal media Files (Exclude Mobile Applications) and perform Reset
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank
What banks should do to protect customers?
- Banks and other financial entities should educate customers on safeguarding from malware attacks using modes such as telephone, SMSes, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Execution | T1575 | Native Code |
| Persistence | T1402 | Broadcast Receivers |
| Credential Access | T1552 | Unsecured Credentials |
| Collection | T1412 | Capture SMS Messages |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Impact | T1400 | Modify System Partition |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0 | SHA256 | Malicious APK |
| hxxps://www.csapks[.]online/ | URL | TA Portal |
| hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you | URL | TA C&C |
