Threat Actor leveraging SMSeye stealer to Bypass 2FA
Online banking is convenient as it allows users to make money transfers, bill payments, verify their balance, and access accounts 24/7 at their fingertips. Like regular online banking customers, cybercriminals also benefit from online banking by committing financial fraud using various scams.
Scammers come with different sophisticated social engineering techniques, targeting online banking users to steal banking credentials. Phishing is one of the techniques mostly used by attackers to target their victims.
However, phishing attack alone is not sufficient to perform fraudulent transactions, as banks have implemented Two-Factor Authentication (2FA) to prevent unauthenticated login and money transfer. Threat Actors (TAs) have come one step ahead and started stealing OTP (One-Time Password) to bypass 2FA.
Recently, Cyble Research and Intelligence Labs identified a similar phishing campaign targeting Bank Rakyat Indonesia (BRI) – An Indonesian bank. Threat Actors behind this campaign started with a phishing attack and later shifted the focus to automate OTP fetching from an infected device using Android malware.
The identified phishing sites mimic the BRI bank and lure victims into submitting banking credentials by offering a low tariff rate on each transaction. Below are a few malicious sites that only use phishing attacks to harvest credentials and OTPs.
- hxxps://formullir-tarlf[.]com/NAS_BRI_TARIF_UPDATE9999
- hxxps://britarif[.]ftml.my.id
- hxxps://layanan[.]sch.id
- hxxps://perubahan.tarif-layananbri[.]my.id
Along with the above phishing sites, we have identified 8 additional phishing sites related to the same campaign, downloading SMS Stealer Android malware to steal the OTP from the victim’s device.
- hxxps://skematrf-login[.]apk-ind.com
- hxxps://brimo-login-id.apk-ind[.]com
- hxxps://brimo-login-ind.apk-online[.]com
- hxxps://login-bri-ib[.]apk-ind.com
- hxxps://id-bri-login[.]apk-online.com
- hxxps://id-login-brimo[.]apk-ind.com
- hxxps://id-login-brimo[.]apk-online.com
- hxxps://login-brimo-tarif[.]com
All these malicious sites use the same phishing technique to harvest credentials. Initially, the malicious site asks the user to choose the tariff option, login credentials, and 6-digit net banking PIN but does not prompt the user for OTP, as shown in the figure below.
After submitting the login credentials and PIN, the phishing site prompts the victim to download and install the APK file to continue the process. Once the victim clicks on the “Download” button, the malicious site downloads the SMS stealer APK as shown in the below figure.
Upon further investigation, we discovered that the phishing sites downloaded two different APK files to steal OTP. The TA has created a custom SMS stealer as well using SMSeye – an open-source android malware to steal OTP. The detailed analysis of both SMS stealers is explained in the Technical Analysis section below.
Technical Analysis Of Custom SMS Stealer
APK Metadata Information
- App Name: Brimo
- Package Name: com.ngscript.smstest
- SHA256 Hash: 75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384
The below figure shows the metadata information of the application.
The malware uses the icon of the BRI mobile banking application to appear genuine and lure the victim into believing that the downloaded application from a malicious site is harmless.
Manifest Description
The harmful permissions requested by the malware are:
| Permission | Description |
| RECEIVE_SMS | Allows an application to receive SMS messages |
Source Code Review
The custom SMS stealer is distributed via hxxps://id-bri-login[.]apk-online.com/download[.]php, a phishing site.
Upon installation, the malicious application prompts the victim to grant SMS permission and later loads a genuine BRI site into a WebView as shown in the below image.
Simultaneously, in the background malware collects basic device information such as device name, model number, etc, and sends them to the Command and Control (C&C) server.
Malware has registered a SMSReceiver in the Manifest file. Whenever an infected device receives an SMS, the malware collects the incoming SMSs and sends them to the C&C server hxxps://ionicio[.]com.
Interestingly, the same C&C server has been observed in a campaign identified by Reversing Labs that installs malicious NPM modules to harvest sensitive data from forms embedded in mobile applications and websites. This indicates that TA does not only rely on phishing attacks but also focuses on a different platform for other malicious activities.
Technical Analysis Of SMSeye Malware
APK Metadata Information
- App Name: BRImo
- Package Name: abyssalarmy.smseye
- SHA256 Hash: a19429c1ef1184a59d9b9319947070239a50ad55a04edc1104adb2a6ae4803cb
The below Figure shows the metadata information of the application.
Manifest Description
The harmful permissions requested by the malware are:
| Permission | Description |
| RECEIVE_SMS | Allows an application to receive SMS messages |
Source Code Review
The malicious application is downloaded via hxxps://skematrf-login[.]apk-ind.com/download.php phishing site. Like the custom SMS stealer, this malicious Android file also uses BRI bank’s logo to appear genuine and loads the genuine site into a WebView.
The malware has registered the “SmsEyeSmsListener” receiver in the manifest file. This receiver will receive the incoming SMS from an infected device and sends them to the TA’s Telegram bot.
Looking at the package name and references of Kotlin files present in the code, we were able to find the open-source project “Sms Eye” available on GitHub. The TA has followed all the steps mentioned on the GitHub page and updated the bot number and main loading URL in the files present in the assets folder.
The “Sms Eye” project is created recently on October 14, 2022, to spy on incoming SMSs of an infected device and forward them to the Telegram bot. Although Spyware has only SMS stealing functionality but using it with sophisticated phishing techniques, TA can perform fraudulent transactions.
Conclusion
CRIL continuously monitors various phishing campaigns that distribute Android malware. Such campaigns usually start with sophisticated phishing attacks and later they evolved into using various malware for stealing sensitive information.
According to our research, TA was using phishing techniques alone to harvest credentials and later started distributing SMS stealers to steal OTPs from an infected which will be used to bypass 2FA implemented by the bank.
Phishing page prompting for OTP may create suspicion in victims, hence we suspect the TA started distributing SMS stealer to automate the OTP stealing process like other phishing campaigns.
Looking at the trend of this phishing campaign, we may expect updated malware in the coming days, with new banking targets and techniques to harvest credentials and perform fraudulent transactions.
Our Recommendations
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means. |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Discovery | T1426 | System Information Discovery |
| Persistence | T1402 | Broadcast Receivers |
| Collection | T1412 | Capture SMS Messages |
| Credential Access | T1411 | Input Prompt |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 75b0d191544f1e96f9bdec94df3556aa7db1808f0f 2e194f6a882154857d0384 |
SHA256 | Hash of the analyzed custom SMS stealer |
| f2634015dceb01106d6ba20ac50a0dea436a74ff | SHA1 | Hash of the analyzed custom SMS stealer |
| 914e60fa50bb5dafd67c610c716fd76a | MD5 | Hash of the analyzed custom SMS stealer |
| hxxps://ionicio[.]com/ | URL | C&C URL |
| hxxps://id-bri-login.apk- online[.]com/download.php |
URL | Phishing site downloading SMS stealer |
| a19429c1ef1184a59d9b9319947070239a50ad55a 04edc1104adb2a6ae4803cb |
SHA256 | Hash of the analyzed SMSeye Stealer |
| 89f13aeda53fd02cfd69588af9c8797cfa0f9d00 | SHA1 | Hash of the analyzed SMSeye Stealer |
| 7aa828231a5b52a3ae3a6926f6996257 | MD5 | Hash of the analyzed SMSeye Stealer |
| hxxps://skematrf-login[.]apk-ind.com/ | URL | Phishing site downloads SMSeye stealer |
| hxxps://skematrf-login[.]apk-ind.com hxxps://brimo-login-id.apk-ind[.]com hxxps://brimo-login-ind.apk-online[.]com hxxps://login-bri-ib[.]apk-ind.com hxxps://id-bri-login[.]apk-online.com hxxps://id-login-brimo[.]apk-ind.com hxxps://id-login-brimo[.]apk-online.com hxxps://login-brimo-tarif[.]com |
URL | Phishing sites distributing SMS stealer |
