Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam

Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that’s designed to distribute an updated version of the Antidot banking trojan.

“The attackers presented themselves as recruiters, luring unsuspecting victims with job offers,” Zimperium zLabs researcher Vishnu Pratapagiri said in a new report.

“As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot Banker in the victim’s device.”

The new version of the Android malware has been codenamed AppLite Banker by the mobile security company, highlighting its ability to siphon the device’s unlock PIN (or pattern or password) and remotely take control of infected devices, a feature recently also observed in TrickMo.

The attacks employ a variety of social engineering strategies, often luring targets with the prospect of a job opportunity that claims to offer a “competitive hourly rate of $25” and excellent career advancement options.

In a September 2024 post identified by The Hacker News on Reddit, several users said they received emails from a Canadian company named Teximus Technologies about a job offer for a remote customer service agent.

Should the victim engage with the purported recruiter, they are directed to download a malicious Android app from a phishing page as part of the recruitment process; this app acts as a first-stage dropper responsible for deploying the main malware on the device.

Zimperium said it discovered a network of phony domains that are used to distribute the malware-laced APK files that masquerade as employee-customer relationship management (CRM) apps.

The dropper apps, besides employing ZIP file manipulation to evade analysis and bypass security defenses, instruct the victims to register for an account, after which they display a message asking the user to install an app update in order to “keep your phone protected.” They also advise the user to allow the installation of Android apps from external sources.
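The report does not detail the ZIP manipulation, so the check below is an added example (not Zimperium's or this article's code) of one analysis step a defender can apply to a suspicious APK: comparing each entry's central-directory record against its local file header, since disagreement between the two is a common way droppers confuse ZIP parsers. The tampering in `make_sample` (a bogus compression method written into the local header) is an assumed illustration, not the specific technique used by AppLite.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature


def audit_zip(data: bytes) -> list[str]:
    """Return findings where central-directory metadata and local headers disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # parses the central directory only
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                findings.append(f"{info.filename}: missing local header signature")
                continue
            # Local header: method at +8, name/extra lengths at +26/+28, name at +30
            (method,) = struct.unpack_from("<H", data, off + 8)
            name_len, _extra_len = struct.unpack_from("<HH", data, off + 26)
            local_name = data[off + 30:off + 30 + name_len]
            if method != info.compress_type:
                findings.append(f"{info.filename}: central dir method {info.compress_type}, "
                                f"local header method {method}")
            if method not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
                findings.append(f"{info.filename}: unsupported compression method {method}")
            if local_name != info.filename.encode("utf-8"):
                findings.append(f"{info.filename}: local header names entry {local_name!r}")
    return findings


def make_sample(tamper: bool) -> bytes:
    """Build a constructed, minimal APK-like ZIP; optionally corrupt one local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")       # constructed content
        zf.writestr("classes.dex", b"dex\n035" + b"\x00" * 16)   # constructed content
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("classes.dex").header_offset
        struct.pack_into("<H", data, off + 8, 99)  # assumed bogus method only in local header
    return bytes(data)


if __name__ == "__main__":
    for line in audit_zip(make_sample(tamper=True)):
        print("FINDING:", line)
```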

“When the user clicks the ‘Update’ button, a fake Google Play Store icon appears, leading to the installation of the malware,” Pratapagiri said.

“Like its predecessor, this malicious app requests Accessibility Services permissions and abuses them to overlay the device’s screen and carry out harmful activities. These activities include self-granting permissions to facilitate further malicious operations.”

The newest version of Antidot adds support for new commands that allow the operators to launch the “Keyboard & Input” settings, interact with the lock screen based on the configured value (i.e., PIN, pattern, or password), wake up the device, reduce screen brightness to the lowest level, launch overlays to steal Google account credentials, and even prevent the malware from being uninstalled.

It also incorporates the ability to hide certain SMS messages, block calls from a predefined set of mobile numbers received from a remote server, launch the “Manage Default Apps” settings, and serve fake login pages for 172 banks, cryptocurrency wallets, and social media services like Facebook and Telegram.

Some of the other known features of the malware include keylogging, call forwarding, SMS theft, and Virtual Network Computing (VNC) functionality to remotely interact with the compromised devices.

Users proficient in languages such as English, Spanish, French, German, Italian, Portuguese, and Russian are said to be the targets of the campaign.

“Given the malware’s advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses.”

The findings come as Cyfirma revealed that high-value assets in Southern Asia have become the target of an Android malware campaign that delivers the SpyNote trojan. The attacks have not been attributed to any known threat actor or group.

“The continued use of SpyNote is notable, as it highlights the threat actors’ preference for leveraging this tool to target high-profile individuals despite being publicly available on various underground forums and Telegram channels,” the company said.

The Hacker News