
The Rise in Incidence of Fake e-shop Scams

Threat Actor Expanding Arsenal By Targeting Vietnam-based Bank

At the end of 2021, Cyble Research and Intelligence Labs (CRIL) identified an Android Banking Trojan pretending to be a cleaning service app and targeting Malaysian Banks through a fake e-shop campaign.

The fake e-shop campaign started in Malaysia, wherein the Threat Actor (TA) was found using the Facebook ads service and impersonating the Facebook page of a famous cleaning service agency. Once unsuspecting victims visited this Facebook page and communicated with the TA, they were tricked into downloading the malicious app from the phishing link shared by the TA.

Initially, the TA skillfully employed the trope of cleaning services and pet stores to lure victims into downloading the malicious app. From May 2022, we observed TAs leveraging campaigns designed around travel agencies, E-commerce platforms, shopping marts, and car rental agencies among others, to distribute malware, as shown in the figure below.

Figure 1 – Campaign themes used by TA

On June 2, Maybank, Malaysia’s largest financial services group, issued a public warning against fraud campaigns, highlighting the security practices mentioned in a MyCERT security advisory and cautioning its customers against downloading apps from unknown sources.

Figure 2 – Maybank’s awareness post about the fake e-shop campaign

Despite such public warnings issued by several Malaysian banks and MyCERT, we have observed various instances wherein unsuspecting victims have fallen prey to scams and incurred substantial financial losses.  

We came across a similar scam incident in August 2022, wherein the TA created a Facebook page called “Premium TV Channel” offering victims low-cost IPTV subscription packages. If the victim contacts the advertiser on WhatsApp, the TA tricks the victim into downloading the malicious application “EEPAD(Eng).3.1.apk” and making a payment for the subscription service.

The figure below shows the WhatsApp conversation with the TA and a screenshot of one such fraudulent transaction.

Figure 3 – IPTV subscription scam (Facebook Post)

On analyzing the APK file, the malware was found targeting 10 Malaysian banks, stealing the credentials of several banking accounts to perform fraudulent transactions. These banks include Hong Leong Bank, CIMB Bank, Maybank, AmBank, Public Bank, RHB Bank, OCBC Bank, Bank Rakyat, Bank Islam, Bank Simpanan Nasional (BSN), and Agrobank.

Figure 4 – Malware stealing net banking credentials and credit card details

The malware collects the Net banking credentials, Credit Card details, and incoming SMSes to bypass 2FA credentials and sends them to the Command and Control (C&C) Server “hxxps://superstore88[.]xyz/WTAppTv/”.

In the same month, we observed another scam wherein the TA created a Facebook page impersonating the genuine Malaysian cleaning service “KleanHouz House Cleaning”. The infection chain starts once the victim contacts the WhatsApp number the TA provides for further communication.

Figure 5 – Fake and Genuine Kleanhouz Page

When the victim sends the WhatsApp message to the number provided on the fake Facebook page, the TA sends the phishing link to prompt the victim into downloading the malware and starting the payment process, as shown in the image below.

Figure 6 – WhatsApp conversation with the victim to download the app

The genuine “KleanHouz Home Cleaning” service also warned its customers against this ongoing scam. In one of their warning posts, the KleanHouz team mentioned that TAs are using a fake business certificate to convince the victim into downloading the malicious app.

Figure 7 – Warning Post by Genuine KleanHouz Home Cleaning Service

CRIL is constantly monitoring the activity of fake e-shop campaigns and has identified more than 70 phishing sites distributing Android malware since April. Most of them are typosquatted domains impersonating the same entity.

Our statistics revealed a sudden rise in the number of attacks by this campaign in August 2022.

Figure 8 – Fake e-shop scam statistics (Based on the number of phishing domains seen)

Vietnam: A New Target of Fake e-shop scam

Recently, CRIL observed a new phishing site “hxxps://bestpay-vn[.]store” pretending to be a payment application website and distributing Android Malware targeting HD Bank from Vietnam.

Figure 9 – Phishing site pretending to be a payment application site

We believe that the TA might have distributed this phishing site through WhatsApp messages or SMSes similar to the campaign explained above. Once the user clicks on the Google Play button, the site downloads the APK file “bestpayVN.apk”. The detailed behavior of this app is explained in the Technical Analysis section.

Technical Analysis

APK Metadata Information   

  • App Name: BestPay
  • Package Name: com.app.ebayarz
  • SHA256 Hash: b344e13fc9840d1c3dcd14778777f8f28b1b56e633989e0649761eddfbf9798a

 Figure 10 shows the metadata information of the application.  

Figure 10 – App Metadata Information 

Manifest Description  

The harmful permissions requested by the malware are:  

Permission     Description
RECEIVE_SMS    Allows an application to receive SMS messages
READ_SMS       Access phone messages
SEND_SMS       Allows the application to send SMS messages

Source Code Review  

The malware pretends to be a legitimate mobile payment application and provides fake functionalities such as phone bill payment, electric bill payment, insurance, internet bill payment, VN shop, loan payment, and cable TV bill payment, as shown in the image below.

Figure 11 – Fake functionalities provided by the malware

When the user tries to make a payment, the malware displays a screen with the bank name and the bill amount. Once the victim proceeds with the payment, the malware redirects the victim to a fake net banking URL, hxxps://ebanking[.]hdbank.vn. The variant under our analysis was seen targeting only one bank from Vietnam as of now – HDBank.

Figure 12 – Malware redirecting the victim to a fake HDBank net banking site

The TA has attempted to duplicate the UI of the genuine HDbank website to trick unsuspecting users. The figure below showcases the genuine and fake HDBank net banking websites.

Figure 13 – Genuine HDBank net banking website
Figure 14 – Fake HDbank net banking website

The malware has the SMS receiver class MyReciever which is used to collect the incoming SMSes from the victim’s device and send them to the C&C server hxxps://sgbx[.]online. The stolen SMSes are used to fetch OTPs for bypassing the Two-Factor Authentication (2FA) while making fraudulent transactions.

Figure 15 – Malware stealing incoming SMSes from an infected device

As the same C&C server has been found in other malicious applications related to the same campaign, we believe that this malware variant is associated with the same cybercriminal.

The malicious application appears to still be under development as the malware has the SendSmsActivity and SmsSendService classes with no implemented code. This functionality can be implemented by the TA in the future to send spam SMSes from the victim’s device to further spread malware.
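The manifest permissions listed above combined with an SMS_RECEIVED receiver like MyReciever are the static indicators a defender can triage for. The following is an added example, not code from the report or the sample: it parses a decoded AndroidManifest.xml (a constructed fragment modelled on the report's findings, with the package name and receiver name taken from the report) and flags the combination of SMS permissions and an SMS_RECEIVED broadcast receiver.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment modelled on the report's findings (package
# com.app.ebayarz, the three SMS permissions, receiver MyReciever registered
# for SMS_RECEIVED). It is NOT extracted from the analyzed sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.app.ebayarz">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="BestPay">
    <receiver android:name=".MyReciever" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Return (package, requested SMS permissions, receivers on SMS_RECEIVED)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    receivers = []
    for r in root.iter("receiver"):
        # Any <action> under the receiver's intent-filter(s)
        actions = {a.get(ANDROID_NS + "name") for a in r.iter("action")}
        if SMS_ACTION in actions:
            receivers.append(r.get(ANDROID_NS + "name"))
    return pkg, sorted(perms & SMS_PERMS), receivers


def is_suspicious(xml_text):
    """Flag an app that can read incoming SMS and registers an SMS_RECEIVED receiver.
    A payment/billing app has no legitimate need for this pairing; the report
    describes exactly this combination being used to harvest OTPs."""
    _, perms, receivers = triage_manifest(xml_text)
    return "android.permission.RECEIVE_SMS" in perms and bool(receivers)


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_suspicious(SAMPLE_MANIFEST))
```

A real triage run would first decode the binary manifest from the APK (for example with apktool or aapt), then feed the resulting XML to `triage_manifest`.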

Conclusion 

The Fake e-shop campaign started at the end of 2021 and is still actively targeting Malaysian citizens. According to our research, the TA is focusing on expanding its targets and infecting more users. The scam is seen targeting one Vietnamese bank as of now, but in the future there is a possibility of the TA targeting more Vietnamese banks and slowly expanding the campaign to other countries.

Users are advised to exercise caution while making financial transactions, follow cyber awareness programs to stay abreast of news of such campaigns, and avoid installing applications from unknown sources.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

Tactic              Technique ID   Technique Name
Initial Access      T1476          Deliver Malicious App via Other Means
Initial Access      T1444          Masquerade as Legitimate Application
Persistence         T1402          Broadcast Receivers
Collection          T1412          Capture SMS Messages
Credential Access   T1411          Input Prompt
Exfiltration        T1567          Exfiltration Over Web Service

Indicators of Compromise (IoCs) 

