imToken’s increasing popularity exploited by Threat Actors
Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute malware and steal victims’ information. Recently, CRIL identified a phishing site, hxxp://imt[.]tronlink.golf, that displays a fabricated bank called “IMTBANK”.
The Threat Actor (TA) has used this bank name in the phishing page that references imToken. imToken is an extremely popular digital crypto and Bitcoin wallet having over 12 million users in more than 150 countries.

The phishing site uses the imToken icon to look genuine and lures the victim into downloading the malicious app to check their eligibility for a loan provided by a bank. When a user clicks the DOWNLOAD button, the phishing site downloads an APK file, “IMTBANK.apk”. After conducting an in-depth analysis, we confirmed that the malicious app is a variant of SpyMax.
TAs typically prefer to steal the seed phrases of cryptocurrency wallets, similar to the campaign we explained in our analysis of Metamask. In this case, the TA is leveraging the popularity of imToken and delivering a Remote Access Trojan (RAT) to steal information using a fake loan app.
The Threat Actor (TA) has provided some instructions to users as an activity introduction. The instruction includes downloading the imToken wallet app, logging into the app, depositing the amount, and insisting users sign in daily to receive the rewards.
The TA has also provided the genuine imToken link on the phishing website under the “Quick loan” section, as shown in the below image.

The phishing site has an “Invite Friends” activity where the TA has mentioned another similar phishing domain t.tronlink[.]golf, for spreading the malware. This domain has the same UI and downloads the same APK file.

In this blog post, we discuss our detailed analysis of fabricated banking loan applications targeting imToken users.
Technical Analysis
APK Metadata Information
- App Name: IMTYBANK
- Package Name: com.resources.installations
- SHA256 Hash: 97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878c
Figure 4 shows the metadata information of the application.

Manifest Description
The malicious application mentions 26 permissions in the manifest file, out of which the TA exploits 11. The harmful permissions requested by the malware are:
Permission | Description |
READ_CONTACTS | Access phone contacts |
READ_CALL_LOG | Access phone call logs |
READ_SMS | Access phone messages |
CAMERA | Required to access the camera device. |
READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
ACCESS_FINE_LOCATION | Allows an app to access precise location |
SYSTEM_ALERT_WINDOW | Allows an app to create windows on top of all other apps |
REQUEST_INSTALL_PACKAGES | Allows an application to request installing packages. |
Source Code Review
Upon installation, the malware prompts the victim to turn on Accessibility Service. As soon as the victim grants permission, the malware abuses the Accessibility service to prevent uninstallation and perform auto-gestures.
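The manifest permissions and the Accessibility Service abuse described above can be checked together during APK triage. The following is an added example, not code from the original analysis or from the sample: it assumes the manifest has already been decoded to text XML (for example with apktool), and the sample manifest, its package name, the service name and the review threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# The 11 permissions the article's table lists as abused by this sample.
ABUSED = {
    "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS", "CAMERA",
    "READ_EXTERNAL_STORAGE", "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE",
    "CALL_PHONE", "ACCESS_FINE_LOCATION", "SYSTEM_ALERT_WINDOW",
    "REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest in decoded text form (not the analyzed sample's manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Report listed permissions and any declared accessibility service."""
    root = ET.fromstring(xml_text)
    requested = {
        el.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        for el in root.iter("uses-permission")
    }
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    a11y = [
        svc.get(ANDROID + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID + "permission") == A11Y_BIND
    ]
    hits = sorted(requested & ABUSED)
    return {
        "package": root.get("package"),
        "abused_permissions": hits,
        "accessibility_services": a11y,
        # Assumed heuristic: accessibility service plus 3+ listed permissions.
        "needs_review": bool(a11y) and len(hits) >= 3,
    }
```
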

The malware then connects to the phishing URL hxxp://tt.tronlink[.]golf:32768/index.html and loads the fabricated IMTBank website, similar to the phishing website shown in Figure 1.
The phishing site loaded on the infected Android device displays two buttons, “LOGIN” and “SIGN IN.” When a user clicks on the “LOGIN” button, the malware opens the login page, where the user can enter a username and password to log in to the app. If the user is not already registered, the login will fail. The user can register in the app by providing a username, password, and wallet address, as shown in the image below.

When a user clicks on the “Apply” button, the malicious app prompts the user to enter a few basic details as part of the loan application. After the details are entered, it displays an application-in-review message, as shown in the image below.

While the malware asks for the above loan application details, it is actually stealing the victim’s information in the background. The malware at work here is the SpyMax variant. SpyMax is a commercial spyware family with a full set of spying capabilities that allows the TA to gather victims’ sensitive information.
SpyMax has been used in various campaigns as a spying tool in the past, and recently it has been distributed via fake websites.
The malware connects to the Command and Control (C&C) server and receives various commands to execute operations, as shown in the below image.

The code shown in the image below captures screenshots of the infected device and sends them all to the C&C server.

The malware abuses the Accessibility service not just to prevent uninstallation but also to steal sensitive data from an infected device. The code shown in the image below is used to fetch the 2FA code from the Google Authenticator app by abusing the Accessibility service and sending the stolen code to the C&C server.

The malware also steals the victim’s location using LocationManager APIs and sends it to the C&C server.

Conclusion
SpyMax is a well-known spying tool that has been actively used in various campaigns to steal victims’ information. Our research indicates that the TA used a loan app lure, leveraging imToken’s popularity, to entice the victim into downloading the SpyMax malware, which then steals sensitive information.
Cyble Research & Intelligence Labs continuously monitors ongoing malicious attacks and updates our readers with the latest findings to be protected from such malicious threats.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access | T1476 | Deliver Malicious App via Other Means |
Initial Access | T1444 | Masquerade as Legitimate Application |
Collection | T1512 | Capture Camera |
Persistence | T1402 | Broadcast Receivers |
Collection | T1513 | Screen Capture |
Collection | T1533 | Data from Local System |
Exfiltration | T1437 | Standard Application Layer Protocol |
Collection | T1436 | Commonly used port |
Input Capture | T1417 | Input Capture |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878c | SHA256 | Hash of the analyzed APK file |
5b5ea9ab9b2bcb82f2762e5b8f589a2cd92ae264 | SHA1 | Hash of the analyzed APK file |
d512359a8a11d6678e7d1be37a7fec5f | MD5 | Hash of the analyzed APK file |
hxxp://154.211.96[.]78:8088 | URL | C&C server |
hxxp://tt[.]tronlink.golf:32768/index.html | URL | Phishing website present in Android App |
hxxp://imt[.]tronlink.golf/ | URL | Malware distribution site |
hxxp://t[.]tronlink.golf/ | URL | Malware distribution site |
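One way to hunt for the network indicators above in connection logs, as an added example that is not part of the original report: it refangs the published values, matches exact host and port pairs, and also flags other subdomains of the same parent domain. The log format, client addresses and the hosts `x.tronlink.golf`, `www.example.org` and `tronlink.golf.example.net` are constructed; treating the last two labels as the registered domain is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Network IOCs exactly as published in the table above (still defanged).
DEFANGED_IOCS = [
    "hxxp://154.211.96[.]78:8088",
    "hxxp://tt[.]tronlink.golf:32768/index.html",
    "hxxp://imt[.]tronlink.golf/",
    "hxxp://t[.]tronlink.golf/",
]

def refang(ioc):
    """Undo the hxxp / [.] defanging so the value can be parsed."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_index(iocs):
    """Return (exact {(host, port)}, parent-domain suffixes of named hosts)."""
    exact, parents = set(), set()
    for ioc in iocs:
        u = urlsplit(refang(ioc))
        exact.add((u.hostname, u.port or 80))
        if not is_ip(u.hostname):
            # Assumption: the last two labels form the registered domain.
            parents.add("." + ".".join(u.hostname.split(".")[-2:]))
    return exact, parents

# Constructed connection log lines: "<client> <dst_host> <dst_port>"
SAMPLE_LOG = """\
10.0.4.17 tt.tronlink.golf 32768
10.0.4.17 154.211.96.78 8088
10.0.4.22 www.example.org 443
10.0.4.31 imt.tronlink.golf 80
10.0.4.40 x.tronlink.golf 8080
10.0.4.41 tronlink.golf.example.net 80
"""

def match_log(log_text, iocs=DEFANGED_IOCS):
    exact, parents = build_index(iocs)
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        client, host, port = line.split()
        if (host, int(port)) in exact:
            hits.append((client, host, "exact"))
        elif host.endswith(tuple(parents)):
            hits.append((client, host, "sibling"))  # same parent, unlisted host
    return hits
```
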