
Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer

Threat Actor leveraging SMSeye stealer to Bypass 2FA

Online banking is convenient: users can make money transfers, pay bills, check their balance, and access their accounts 24/7 at their fingertips. Cybercriminals benefit from online banking too, committing financial fraud through various scams.

Scammers use a range of sophisticated social engineering techniques to steal banking credentials from online banking users. Phishing is among the techniques attackers use most often against their victims.

However, a phishing attack alone is not sufficient to perform fraudulent transactions, as banks have implemented Two-Factor Authentication (2FA) to prevent unauthenticated logins and money transfers. Threat Actors (TAs) have gone one step further and started stealing OTPs (One-Time Passwords) to bypass 2FA.

Recently, Cyble Research and Intelligence Labs identified a similar phishing campaign targeting Bank Rakyat Indonesia (BRI), an Indonesian bank. The Threat Actors behind this campaign started with a phishing attack and later shifted their focus to automating OTP collection from infected devices using Android malware.

The identified phishing sites mimic the BRI bank and lure victims into submitting banking credentials by offering a low tariff rate on each transaction. Below are a few malicious sites that only use phishing attacks to harvest credentials and OTPs.

  • hxxps://formullir-tarlf[.]com/NAS_BRI_TARIF_UPDATE9999
  • hxxps://britarif[.]ftml.my.id
  • hxxps://layanan[.]sch.id
  • hxxps://perubahan.tarif-layananbri[.]my.id

Figure 1 – Phishing site stealing net banking credentials and OTP

Along with the above phishing sites, we identified 8 additional phishing sites related to the same campaign that download SMS Stealer Android malware to steal the OTP from the victim’s device.

  • hxxps://skematrf-login[.]apk-ind.com
  • hxxps://brimo-login-id.apk-ind[.]com
  • hxxps://brimo-login-ind.apk-online[.]com
  • hxxps://login-bri-ib[.]apk-ind.com
  • hxxps://id-bri-login[.]apk-online.com
  • hxxps://id-login-brimo[.]apk-ind.com
  • hxxps://id-login-brimo[.]apk-online.com
  • hxxps://login-brimo-tarif[.]com

All these malicious sites use the same phishing technique to harvest credentials. Initially, the malicious site asks the user to choose a tariff option and enter their login credentials and 6-digit net banking PIN, but it does not prompt the user for an OTP, as shown in the figure below.

Figure 2 – Phishing attack to steal credentials and PIN

After the victim submits the login credentials and PIN, the phishing site prompts them to download and install an APK file to continue the process. Once the victim clicks the “Download” button, the malicious site serves the SMS stealer APK, as shown in the figure below.

Figure 3 – Phishing site downloading the SMS stealer APK

Upon further investigation, we discovered that the phishing sites download two different APK files to steal OTPs. The TA created a custom SMS stealer and also used SMSeye, an open-source Android malware, to steal OTPs. A detailed analysis of both SMS stealers follows in the Technical Analysis sections below.

Technical Analysis Of Custom SMS Stealer

APK Metadata Information

  • App Name: Brimo
  • Package Name: com.ngscript.smstest
  • SHA256 Hash: 75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384

The figure below shows the metadata information of the application.

Figure 4 – App Metadata Information

The malware uses the icon of the BRI mobile banking application to appear genuine and lure the victim into believing that the application downloaded from the malicious site is harmless.

Manifest Description

The harmful permissions requested by the malware are:

Permission     Description
RECEIVE_SMS    Allows an application to receive SMS messages

Source Code Review

The custom SMS stealer is distributed via the phishing site hxxps://id-bri-login[.]apk-online.com/download.php.

Upon installation, the malicious application prompts the victim to grant SMS permission and then loads the genuine BRI site into a WebView, as shown in the image below.

Figure 5 – Loading genuine BRI banking site

Simultaneously, in the background, the malware collects basic device information such as the device name and model number and sends it to the Command and Control (C&C) server.

Figure 6 – Code used to collect device information and load the genuine site

The malware registers an SMSReceiver in the manifest file. Whenever the infected device receives an SMS, the malware collects the incoming message and sends it to the C&C server hxxps://ionicio[.]com.

Figure 7 – Malware steals incoming SMSs from an infected device

Interestingly, the same C&C server was observed in a campaign identified by ReversingLabs that installs malicious NPM modules to harvest sensitive data from forms embedded in mobile applications and websites. This indicates that the TA does not rely on phishing attacks alone but also targets other platforms for other malicious activities.

Technical Analysis Of SMSeye Malware

APK Metadata Information

  • App Name: BRImo
  • Package Name: abyssalarmy.smseye
  • SHA256 Hash: a19429c1ef1184a59d9b9319947070239a50ad55a04edc1104adb2a6ae4803cb

The figure below shows the metadata information of the application.

Figure 8 – App Metadata Information

Manifest Description

The harmful permissions requested by the malware are:

Permission     Description
RECEIVE_SMS    Allows an application to receive SMS messages

Source Code Review

The malicious application is downloaded from the phishing site hxxps://skematrf-login[.]apk-ind.com/download.php. Like the custom SMS stealer, this malicious Android file also uses the BRI bank’s logo to appear genuine and loads the genuine site into a WebView.

The malware registers the “SmsEyeSmsListener” receiver in the manifest file. This receiver intercepts incoming SMS messages on the infected device and sends them to the TA’s Telegram bot.

Figure 9 – Malware stealing incoming SMSs and sending them to the Telegram bot
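Both stealers share one manifest-level trait: the RECEIVE_SMS permission paired with a broadcast receiver registered for incoming SMS (the custom stealer’s SMSReceiver and SMSeye’s SmsEyeSmsListener), with INTERNET available to forward what is captured. The following Python script is an added triage example, not code from the Cyble analysis or from either sample, showing how an app-vetting pipeline could flag that combination in a decoded AndroidManifest.xml. The two manifests are constructed for illustration: the package names are placeholders, and the receiver class name mirrors the blog’s SMSReceiver but is not taken from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"  # standard incoming-SMS broadcast
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
INTERNET = "android.permission.INTERNET"

# Constructed manifest reproducing the pattern described in the blog:
# RECEIVE_SMS + a receiver for incoming SMS + INTERNET for exfiltration.
# Placeholder package name; NOT the manifest of either analysed sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.smsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Brimo">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SMSReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: a WebView-style app that only needs INTERNET.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Viewer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return SMS-interception findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME) for e in root.iter("uses-permission")}
    # Receivers whose intent-filter listens for the incoming-SMS broadcast.
    sms_receivers = [
        rcv.get(NAME)
        for rcv in root.iter("receiver")
        if SMS_RECEIVED in {a.get(NAME) for a in rcv.iter("action")}
    ]
    findings = []
    if RECEIVE_SMS in permissions:
        findings.append("requests RECEIVE_SMS")
    if sms_receivers:
        findings.append("registers SMS_RECEIVED receiver: " + ", ".join(sms_receivers))
    if sms_receivers and INTERNET in permissions:
        findings.append("SMS receiver plus INTERNET: intercepted SMS can leave the device")
    return {
        "package": root.get("package"),
        "sms_receivers": sms_receivers,
        "findings": findings,
        # Receiving SMS is the capability both stealers depend on, so it decides the flag.
        "suspicious": RECEIVE_SMS in permissions and bool(sms_receivers),
    }


if __name__ == "__main__":
    for label, manifest in (("constructed stealer-like", SUSPICIOUS_MANIFEST),
                            ("constructed benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label} ({result['package']}): suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

In practice the manifest text comes from a decoder such as apktool, since the binary AXML inside the APK is not plain XML. The verdict is deliberately narrow (the combination both samples share) and a legitimate SMS client triggers it as well, so treat the output as a triage flag that routes an app to analyst review, not as a conviction on its own.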

Looking at the package name and the references to Kotlin files present in the code, we were able to find the open-source project “Sms Eye” on GitHub. The TA followed all the steps listed on the GitHub page and updated the bot number and main loading URL in the files present in the assets folder.

Figure 10 – Assets file present in malware

The “Sms Eye” project was created recently, on October 14, 2022, to spy on incoming SMSs on an infected device and forward them to a Telegram bot. Although the spyware has only SMS-stealing functionality, combined with sophisticated phishing techniques it lets the TA perform fraudulent transactions.

Figure 11 – Open-source GitHub project “Sms Eye” used by TA

Conclusion

CRIL continuously monitors various phishing campaigns that distribute Android malware. Such campaigns usually start with sophisticated phishing attacks and later evolve into using various malware to steal sensitive information.

According to our research, the TA initially used phishing techniques alone to harvest credentials and later started distributing SMS stealers to steal OTPs from infected devices, which are then used to bypass the 2FA implemented by the bank.

A phishing page that prompts for an OTP may arouse suspicion in victims; hence we suspect the TA started distributing SMS stealers to automate the OTP-stealing process, as seen in other phishing campaigns.

Looking at the trend of this phishing campaign, we may expect updated malware in the coming days, with new banking targets and techniques to harvest credentials and perform fraudulent transactions.

Our Recommendations

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic              Technique ID    Technique Name
Initial Access      T1476           Deliver Malicious App via Other Means
Initial Access      T1444           Masquerade as a Legitimate Application
Discovery           T1426           System Information Discovery
Persistence         T1402           Broadcast Receivers
Collection          T1412           Capture SMS Messages
Credential Access   T1411           Input Prompt
Exfiltration        T1567           Exfiltration Over Web Service

Indicators of Compromise (IOCs)

Indicator                                                           Indicator Type   Description
75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384    SHA256           Hash of the analyzed custom SMS stealer
f2634015dceb01106d6ba20ac50a0dea436a74ff                            SHA1             Hash of the analyzed custom SMS stealer
914e60fa50bb5dafd67c610c716fd76a                                    MD5              Hash of the analyzed custom SMS stealer
hxxps://ionicio[.]com/                                              URL              C&C URL
hxxps://id-bri-login.apk-online[.]com/download.php                  URL              Phishing site downloading SMS stealer
a19429c1ef1184a59d9b9319947070239a50ad55a04edc1104adb2a6ae4803cb    SHA256           Hash of the analyzed SMSeye stealer
89f13aeda53fd02cfd69588af9c8797cfa0f9d00                            SHA1             Hash of the analyzed SMSeye stealer
7aa828231a5b52a3ae3a6926f6996257                                    MD5              Hash of the analyzed SMSeye stealer
hxxps://skematrf-login[.]apk-ind.com/                               URL              Phishing site downloading SMSeye stealer
hxxps://skematrf-login[.]apk-ind.com                                URL              Phishing site distributing SMS stealer
hxxps://brimo-login-id.apk-ind[.]com                                URL              Phishing site distributing SMS stealer
hxxps://brimo-login-ind.apk-online[.]com                            URL              Phishing site distributing SMS stealer
hxxps://login-bri-ib[.]apk-ind.com                                  URL              Phishing site distributing SMS stealer
hxxps://id-bri-login[.]apk-online.com                               URL              Phishing site distributing SMS stealer
hxxps://id-login-brimo[.]apk-ind.com                                URL              Phishing site distributing SMS stealer
hxxps://id-login-brimo[.]apk-online.com                             URL              Phishing site distributing SMS stealer
hxxps://login-brimo-tarif[.]com                                     URL              Phishing site distributing SMS stealer
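The indicators above are published defanged (hxxps, [.]), so they cannot be matched against logs as-is. The Python script below is an added example, not Cyble tooling, that refangs the URLs into hostnames and checks proxy log lines and file hashes against them. The URL and hash values are copied from the IOC table; the proxy log lines, timestamps, internal IPs and the key=value log format are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table, kept defanged exactly as published.
DEFANGED_URLS = [
    "hxxps://ionicio[.]com/",
    "hxxps://id-bri-login[.]apk-online.com/download.php",
    "hxxps://skematrf-login[.]apk-ind.com/",
    "hxxps://brimo-login-id.apk-ind[.]com",
    "hxxps://brimo-login-ind.apk-online[.]com",
    "hxxps://login-bri-ib[.]apk-ind.com",
    "hxxps://id-login-brimo[.]apk-ind.com",
    "hxxps://id-login-brimo[.]apk-online.com",
    "hxxps://login-brimo-tarif[.]com",
]

# File hashes from the IOC table, lower-cased so lookups are case-insensitive.
FILE_HASHES = {
    "75b0d191544f1e96f9bdec94df3556aa7db1808f0f2e194f6a882154857d0384": "custom SMS stealer (SHA256)",
    "f2634015dceb01106d6ba20ac50a0dea436a74ff": "custom SMS stealer (SHA1)",
    "914e60fa50bb5dafd67c610c716fd76a": "custom SMS stealer (MD5)",
    "a19429c1ef1184a59d9b9319947070239a50ad55a04edc1104adb2a6ae4803cb": "SMSeye stealer (SHA256)",
    "89f13aeda53fd02cfd69588af9c8797cfa0f9d00": "SMSeye stealer (SHA1)",
    "7aa828231a5b52a3ae3a6926f6996257": "SMSeye stealer (MD5)",
}


def refang(indicator):
    """Turn a defanged indicator back into a parseable URL (hxxp -> http, [.] -> .)."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts():
    """Hostnames of all URL indicators; matching on host catches any path on those sites."""
    return {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_URLS}


# Constructed key=value proxy log format (assumption; adapt the regex to your proxy).
HOST_FIELD = re.compile(r"\bhost=(?P<host>\S+)")


def scan_proxy_log(lines):
    """Return (matched_host, line) for every log line whose host is a known IOC."""
    hosts = ioc_hosts()
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if m and m.group("host").lower() in hosts:
            hits.append((m.group("host").lower(), line))
    return hits


def match_hashes(observed):
    """Map each observed hash (any case) that appears in the IOC table to its description."""
    return {h.lower(): FILE_HASHES[h.lower()] for h in observed if h.lower() in FILE_HASHES}


# Constructed sample log: one benign request, one APK download, one C&C contact.
SAMPLE_PROXY_LOG = [
    "2022-10-20T09:15:02Z src=10.0.0.21 method=GET host=www.example.com path=/ status=200",
    "2022-10-20T09:16:40Z src=10.0.0.21 method=GET host=id-bri-login.apk-online.com path=/download.php status=200",
    "2022-10-20T09:17:05Z src=10.0.0.21 method=POST host=ionicio.com path=/ status=200",
]

if __name__ == "__main__":
    for host, line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"IOC host hit: {host} <- {line}")
    # Constructed inventory: one hash from the table (upper-cased) and one unrelated value.
    for digest, desc in match_hashes(["914E60FA50BB5DAFD67C610C716FD76A", "0000"]).items():
        print(f"IOC hash hit: {digest} -> {desc}")
```

Matching on hostname rather than the full URL is deliberate: the download.php path is one artefact of the campaign, but any request to these hosts from a corporate or MDM-managed device is worth a look, and the C&C host ionicio[.]com also appeared in the unrelated NPM campaign the post mentions, so a hit there should not be assumed to be this SMS stealer alone.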