Cyble-blogs-Android-Spyware

Fabricated Bank website distributes Android Spyware

imToken’s increasing popularity exploited by Threat Actors

Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute malware and steal victims’ information. Recently, CRIL identified a phishing site hxxp://imt[.]tronlink.golf that displays a fabricated Bank called “IMTBANK”.

The Threat Actor (TA) has used this bank name in the phishing page that references imToken. imToken is an extremely popular digital crypto and Bitcoin wallet having over 12 million users in more than 150 countries.

Figure 1 – Phishing site pretending to be a bank

The phishing site uses the icon of imToken to look genuine and lures the victim into downloading the malicious app to know the loan eligibility provided by a bank. When a user clicks on the DOWNLOAD button, the phishing sites download an APK file “IMTBANK.apk”. After conducting an in-depth analysis, we confirmed that the malicious app is a variant of SpyMax.

TAs typically prefer to steal the seed phrase of crypto-currency wallets, similar to the campaign we have explained in our analysis of Metamask. In this case, TA is leveraging the popularity of imToken, and delivering a Remote Access Trojan (RAT) to steal the information using a fake loan app.

The Threat Actor (TA) has provided some instructions to users as an activity introduction. The instruction includes downloading the imToken wallet app, logging into the app, depositing the amount, and insisting users sign in daily to receive the rewards.

The TA has also provided the genuine imToken link on the phishing website under the “Quick loan” section, as shown in the below image.

Figure 2 – The phishing site mentioned the official website link

The phishing site has an “Invite Friends” activity where the TA has mentioned another similar phishing domain t.tronlink[.]golf, for spreading the malware. This domain has the same UI and downloads the same APK file.

Figure 3 – Invite friends’ activity on phishing site

In this blog post, we discuss our detailed analysis of fabricated banking loan applications targeting imToken users.

Technical Analysis

APK Metadata Information

  • App Name: IMTYBANK
  • Package Name: com.resources.installations
  • SHA256 Hash: 97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878c

Figure 4 shows the metadata information of the application.  

Figure 4 – App Metadata Information 

Manifest Description

The malicious application mentions 26 permissions in the manifest file, out of which the TA exploits 11. The harmful permissions requested by the malware are:  

Permission  Description 
READ_CONTACTSAccess phone contacts
READ_CALL_LOGAccess phone call logs
READ_SMSAccess phone messages
CAMERARequired to access the camera device.
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
ACCESS_FINE_LOCATIONAllows an app to access precise location
SYSTEM_ALERT_WINDOWAllows an app to create windows on top of all other apps
REQUEST_INSTALL_PACKAGESAllows an application to request installing packages.

Source Code Review 

Upon installation, the malware prompts the victim to turn on Accessibility Service. As soon as the victim grants permission, the malware abuses the Accessibility service to prevent uninstallation and perform auto-gestures.

Figure 5 – Accessibility service

The malware then connects to the phishing URL hxxp://tt.tronlink[.]golf:32768/index.html and loads the fabricated IMTBank website, similar to the phishing website shown in Figure 1.

The phishing site is then loaded on infected Android devices, displays two buttons, “LOGIN” and “SIGN IN.”  When a user clicks on the “LOGIN” button, the malware opens the login page where the user can enter a username and password to login into the app. If the user is not registered already, the login will fail. The user can register into the app by providing a username, password, and wallet address, as shown in the image below.

Figure 6 – Login and registration page of phishing URL

When a user clicks on the “Apply” button, the malicious app prompts the user to enter a few basic details as a part of the loan application. It displays an application message in review after entering the details, as shown in the image below.

Figure 7 – Prompting basic information to apply for a loan

While the malware asks for the above loan application details, it is actually stealing the victim’s information in the background. The malware at work here is the SpyMax variant. SpyMax is a commercial spyware family with all the capabilities of Spying and allows TA to gather victims’ sensitive information.

SpyMax has been used in various campaigns as a spying tool in the past, and recently it has been distributed via fake websites.

The malware connects to the Command and Control (C&C) server and receives various commands to execute operations, as shown in the below image.

Figure 8 – Malware receives commands from the C&C server

The code shown in the below image is capable of capturing the screenshots of the infected device and further sends all screenshots to the C&C server.

Figure 9 – Malware taking screenshots of an infected device

The malware abuses the Accessibility service not just to prevent uninstallation but also to steal sensitive data from an infected device. The code shown in the image below is used to fetch the 2FA code from the Google Authenticator app by abusing the Accessibility service and sending the stolen code to the C&C server.

Figure 10 – Malware Stealing 2FA codes

The malware also steals the victim’s location using LocationManager[RS1]  APIs and sends them to the C&C server.

Figure 11 – Collecting the victim’s location

Conclusion

SpyMax is a well-known spying tool that has actively been used in various campaigns to steal victims’ information. Our research indicates that the TA used the loan app lure by leveraging imToken popularity to attract the victim into downloading SpyMax malware and stealing sensitive information.

Cyble Research & Intelligence Labs continuously monitors ongoing malicious attacks and updates our readers with the latest findings to be protected from such malicious threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection?

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
CollectionT1512Capture Camera
PersistenceT1402Broadcast Receivers
CollectionT1513Screen Capture
CollectionT1533Data from Local System
ExfiltrationT1437Standard Application Layer Protocol
CollectionT1436Commonly used port
Input captureT1417Input capture

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878cSHA256Hash of the analyzed APK file
5b5ea9ab9b2bcb82f2762e5b8f589a2cd92ae264SHA1Hash of the analyzed APK file 
d512359a8a11d6678e7d1be37a7fec5fMD5Hash of the analyzed APK file
hxxp://154.211.96[.]78:8088URLC&C server
hxxp://tt[.]tronlink.golf:32768/index.htmlURLPhishing website present in Android App
hxxp://imt[.]tronlink.golf/URLMalware distribution site
hxxp://t[.]tronlink.golf/URLMalware distribution site
Scroll to Top