
SMS scams trick Indian banking customers into installing malicious apps

Zscaler’s ThreatLabz researchers recently observed the rise of a sophisticated phishing campaign spreading via fake banking sites targeting big Indian banks such as HDFC, Axis and SBI. The team will continue monitoring the emerging situation and will provide an update on any significant new developments. Previously, ThreatLabz researchers observed Indian banking customers being targeted with fake complaint forms from phishing sites spreading short message service (SMS) mobile text-stealer malware. In contrast, this new campaign leverages fake card update sites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.

Campaign 1: Targeting HDFC and Axis banks

ThreatLabz researchers observed domains serving links for fake bank-related application downloads, as shown in Fig 1 and Fig 2 below.

Fig 1. Imitation application phishing site targeting HDFC bank customers

Fig 2. Imitation application phishing site targeting Axis bank customers

The two screenshots above show how these phishing scammers impersonate banking sites to obtain customers' sensitive information by incentivizing them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are spread to victims through SMS text messages. Once the victim clicks the contained link, they are prompted to install an Android-based phishing malware designed to steal critical financial data.

Fig 3. Phishing page for HDFC bank credit card application

Upon opening the app, the user sees the fake page presented in Fig 3, prompting them to enter sensitive information including card number, expiration date, cardholder name, phone number, DOB, etc., to redeem points for cash or vouchers. Once the victim submits their sensitive information into the fake form, the malware sends a copy to the command-and-control (C2) server, as shown in the screenshot below.


Fig 4. In-App phishing page creation and C2

On the second run or completion of the prompted tasks, a timer screen is displayed to the user, revealed in the code shown in Fig 5 below.

Fig 5. Final page shown to the user (second screenshot in Fig 3)

Upon receiving all the victim’s sensitive form-fill information including card details, the threat actor is now capable of initiating fraudulent financial transactions. All they require to carry out the attack is a one-time password (OTP).

To collect the OTP, victims are further prompted to provide SMS permission access to the malicious app at the time of installation. Once the user provides this access to SMS permissions, the malware is capable of exfiltrating received SMS text messages containing the OTP codes they need. To complete a transaction initiated using the user's card details, the application will intercept the OTP codes and forward them to the C2 server.

Fig 6. Writing phishing data in shared preferences and MFA extraction

This malware also employs a cloaking technique that prevents the phishing page from being displayed a second time. It writes data to the modifiable shared preferences settings, using the first-time install data stored in the “time” object as its reference point, so that the user never sees the card phishing page again.

Fig 6. Cloaking: the phishing page is not loaded after the first run

Campaign 2: targeting SBI bank customers with KYC verification scam

In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages prompting users to immediately update the ‘Know Your Customer’ (KYC) identity verification banking requirement or conduct another similarly urgent action to avoid account blocking or lock out. This false sense of urgency created by adversaries is very effective at convincing victims to perform the requested action including downloading apps to perform the task. In the cases observed in this article, all of these requests were fake and the attacks infected users with malicious apps and stole personal banking information.

The screenshot below shows an attack where the user is prompted to download a malicious app to unlock their account.

Fig 7. Smishing campaigns

Unlike campaign 1, where applications were seen using in-app fake login pages, the applications in this SBI bank KYC verification scam campaign rely on command servers to render the phishing pages. ThreatLabz researchers think that this is how the malware authors are able to create new campaigns so quickly, since only a few changes, such as updating C2 destinations, are required to spin up a new campaign.

The application starts with prompting users to login to a fake SBI bank web page and then to update the KYC verification, shown in Fig 8 below.

Fig 8. Fake login page redirect hosted on Firebase

Upon entering banking credentials, mobile number, etc., users are navigated through a series of web pages hosted on Firebase, as shown in Fig 9.

Fig 9. Login data phishing used to steal banking credentials

The user is prompted to enter an OTP during each fake update step to make the application appear legitimate, as shown in Fig 10 below. This tactic can also be used to steal the OTP and gain access to the account.

Fig 10. Prompting users for OTP

The user is then directed to a page and prompted to provide banking information, as shown in Fig 11 below. Along with the bank details, the user is prompted to enter their Permanent Account Number (PAN).

Fig 11. Application prompts user to provide sensitive banking information

Apart from collecting OTPs through phishing pages, the malware developers have also implemented code routines that harvest OTPs from incoming SMS text messages and send them to a secondary C2 as well as to a hard-coded phone number, as shown below.

Fig 12. Code to send incoming SMS data to C2

Fig 13. Testing of SMS data exfiltration to static number

Fig 14. Traffic showing data upload to a remote server
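Both campaigns depend on the same thing: an app that requests SMS permissions and registers a receiver for incoming messages so it can read OTPs and relay them off the device. The following static triage check, an added example that is not Zscaler's code and was not run against the listed samples, parses an Android manifest and flags that permission-plus-receiver combination together with a bank-branded app label. The two manifests are constructed to mirror the behaviour described in the post; `BANK_KEYWORDS` is a hypothetical list built from the brands named in this article.

```python
import xml.etree.ElementTree as ET

# Attributes in an Android manifest live in this namespace; element tags do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together let an app read incoming one-time passwords.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Hypothetical brand list drawn from the campaigns described in the post.
BANK_KEYWORDS = ("hdfc", "axis", "sbi", "kyc")

# Constructed sample manifest modelled on the behaviour the post describes;
# it is not extracted from any of the listed samples.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kycupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="SBI KYC Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only, no SMS receiver.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related facts an analyst checks first when triaging an APK."""
    root = ET.fromstring(manifest_xml)
    name = ANDROID_NS + "name"
    perms = {e.get(name) for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    # Receivers whose intent filter listens for incoming SMS broadcasts.
    sms_receivers = [
        r.get(name)
        for r in root.iter("receiver")
        if any(a.get(name) == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "label": label,
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "internet": internet,
        "bank_label": any(k in label.lower() for k in BANK_KEYWORDS),
        # SMS read access + an SMS receiver + network access is the combination
        # needed to forward OTPs to a remote server, as both campaigns do.
        "suspicious": bool(sms_perms) and bool(sms_receivers) and internet,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or androguard) before being passed to `triage_manifest`. A bank-branded label on a package that is not the bank's published package name is a strong secondary signal, because legitimate banking apps are distributed through the store rather than as a sideloaded APK.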

Zscaler sandbox is able to detect malware threat behavior and techniques.

Fig 15. Zscaler sandbox report showing detection of malicious applications

Zscaler advises users not to install any unknown applications sent through SMS text messages, especially if the messages claim to come from a financial institution or bank. Impersonating a bank is a common practice used by threat actors to impose a false sense of urgency so that users act immediately without additional scrutiny.

Indicators of Compromise (IOC)

Campaign 1 IOCs

Domains:

hxxps[://]updateyourcard[.]in/HDFC_Credit_Card[.]apk
hxxps[://]cardupdatation[.]in/
hxxps[://]cardupdate[.]in/
hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk

MD5s:

df0b9265d07ffe523884f98613db8401
47eebf0d4ab713d53ec9f3b992777c18
a57c255e5e69d843a1c402df96ced959
ce8e95ef802d9943c2ff7abea1aa94da

Campaign 2 IOCs

Domains:

hxxps[://]sheltered-dawn-11337[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]sbi-kyc-update-immediately[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-users-kyc-1[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-user-kyc-app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]kyc-update-app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-kyc-apps-v-23[.]web[.]app/SBI-KYC[.]apk
hxxps[://]point-dekho[.]xyz/save_sms[.]php
hxxps[://]sbi-kyc-app[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi-kyc-points[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi-kyc-points[.]firebaseapp[.]com/sbi-kyc[.]apk
hxxps[://]sbi-kyc-update-immediately[.]firebaseapp[.]com/sbi-kyc[.]apk
hxxps[://]applicationkyc[.]pages[.]dev/SBI-KYC[.]apk
hxxps[://]calm-fjord-69600[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]calm-garden-42338[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]please-visitnow-immediately[.]com/SBI-KYC[.]apk
hxxps[://]publicationofindia[.]top/SBI-KYC[.]apk

MD5s:

0076369748034430dd9345fecd0d130a
f8509e2b72b3ba5916d80888b990b285
f0b6619e42722673e6599471a048edb1
436370a26633fb3a86f2ae2f09bcdb18
1aa0baa0c2fa54a89ecbfe71225726c6
331a9054e877a7210789315f7bcd2620
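The indicators above are defanged (`hxxp`, `[://]`, `[.]`) so that they cannot be clicked by accident. The script below, an added example that is not part of the original post, refangs a subset of them, extracts the hosts, and scans a message body for links pointing at those hosts; it also checks a file's MD5 against the published hashes. The SMS text is constructed for the example and only the indicator values are taken from the list above.

```python
import hashlib
import re
from urllib.parse import urlparse

# Subset of the defanged URL indicators from the post, embedded as published.
DEFANGED_URLS = """
hxxps[://]updateyourcard[.]in/HDFC_Credit_Card[.]apk
hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk
hxxps[://]sbi-kyc-update-immediately[.]web[.]app/SBI-KYC[.]apk
hxxps[://]point-dekho[.]xyz/save_sms[.]php
"""

# Two of the MD5 hashes published above (one from each campaign).
KNOWN_MD5S = {
    "df0b9265d07ffe523884f98613db8401",
    "0076369748034430dd9345fecd0d130a",
}

# Constructed smishing-style text with one indicator link and one unrelated link.
SAMPLE_SMS = (
    "Dear customer, your SBI account will be blocked today. "
    "Update KYC now: https://sbi-kyc-update-immediately.web.app/SBI-KYC.apk "
    "Help: https://www.example.com/support"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(ioc: str) -> str:
    """Undo the hxxp / [://] / [.] defanging used in the indicator list."""
    return (
        ioc.strip()
        .replace("hxxp", "http")
        .replace("[://]", "://")
        .replace("[.]", ".")
    )


def ioc_hosts(defanged_block: str) -> set:
    """Collect the lower-cased hostnames of every defanged URL in the block."""
    hosts = set()
    for line in defanged_block.splitlines():
        if not line.strip():
            continue
        host = urlparse(refang(line)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_ioc_links(text: str, hosts: set) -> list:
    """Return every URL in text whose host matches an indicator host."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in hosts:
            hits.append(url)
    return hits


def is_known_sample(apk_bytes: bytes) -> bool:
    """Match a file against the published MD5 list (MD5 is used only because
    that is the hash type the indicators were published in)."""
    return hashlib.md5(apk_bytes).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    hosts = ioc_hosts(DEFANGED_URLS)
    print("indicator hosts:", sorted(hosts))
    print("links matching indicators:", find_ioc_links(SAMPLE_SMS, hosts))
    print("known sample:", is_known_sample(b"not a real APK"))
```

Matching on the host rather than the full URL catches the same campaign when only the path or file name changes, which is exactly what the list above shows for the `web.app`, `firebaseapp.com` and `herokuapp.com` variants. Hosting on shared platforms means the platform itself should not be blocked; only the specific subdomains listed are indicators.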

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Himanshu Sharma. Read the original post at: https://www.zscaler.com/blogs/security-research/sms-scams-trick-indian-banking-customers-installing-malicious-apps