Cybercriminals expand targeting of Iranian bank customers with known mobile malware


Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers.

The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their capabilities, according to U.S.-based cybersecurity firm Zimperium.

Initially, the threat actor behind the campaign created 40 credential-harvesting apps imitating four major Iranian banks: Bank Mellat, Bank Saderat, Resalat Bank and Central Bank of Iran.

These apps mimicked legitimate versions found on the popular Iranian marketplace Cafe Bazaar and were distributed through several phishing websites. The first campaign lasted from December 2022 until May 2023.

In the ongoing campaign detected by Zimperium, the hackers created malicious apps that now imitate 12 Iranian banks. Once installed, these apps also scan victims’ phones to find cryptocurrency wallet apps — an indication that they could be targeted in the future, researchers said.

The earlier versions of fake apps could steal banking login credentials and credit card information, intercept SMS traffic to steal one-time passwords used for authentication, and hide app icons to prevent uninstallation.
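Two of the capabilities described above leave traces in an app's manifest before the malware ever runs: intercepting SMS requires the SMS permissions plus a BroadcastReceiver registered for incoming messages, and enumerating installed apps (the wallet-scanning behaviour) on current Android versions requires either the QUERY_ALL_PACKAGES permission or a `<queries>` declaration. The following triage script is an added example written for this page, not code from Zimperium or from the article; it runs over a decoded AndroidManifest.xml (as produced by a tool such as apktool) and flags those two indicators. The manifest text is constructed for illustration and the package name `com.example.fakebank` is hypothetical; the permission and intent names are the real Android identifiers. Icon hiding is not checked because it happens at runtime via PackageManager, not in the manifest.

```python
"""Static triage of a decoded Android manifest for banking-trojan indicators.

Added example for this article, not Zimperium's tooling. Input is the
text form of AndroidManifest.xml (e.g. after apktool decoding).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed manifest resembling the capabilities described in the article.
# The package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Bank">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="App">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a sorted list of indicator strings found in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(_a("name")) for p in root.iter("uses-permission")}
    findings = []

    # Indicator 1: SMS interception. Needs an SMS permission AND a receiver
    # whose intent-filter listens for SMS_RECEIVED. A high android:priority
    # is the classic sign the app wants the message before the default SMS app.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(_a("name")) for a in flt.iter("action")}
            if SMS_RECEIVED in actions and perms & SMS_PERMISSIONS:
                prio = flt.get(_a("priority"), "0")
                findings.append("sms_interception:%s:priority=%s"
                                % (recv.get(_a("name")), prio))

    # Indicator 2: installed-app enumeration (the wallet-scanning behaviour).
    # On Android 11+ this requires QUERY_ALL_PACKAGES or a <queries> block.
    if QUERY_ALL in perms or root.find("queries") is not None:
        findings.append("package_enumeration")

    return sorted(findings)


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Neither indicator alone proves malice (legitimate SMS apps and launchers hold the same declarations), so the output is a triage signal to weigh alongside the distribution channel, signing certificate and network behaviour.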

In the new campaign, the hackers added capabilities to the malware to make credential harvesting and data theft easier. According to the report, some of the new features are tailored specifically to Xiaomi and Samsung devices.

Other evidence suggests that the attackers are now likely working on a malware variant that targets iOS devices, the researchers said.

In addition to malicious apps, the same threat actor is linked to phishing attacks targeting customers of the same banks. “The phishing campaigns used are sophisticated, trying to mimic original sites in the closest detail,” researchers said. The data stolen by the phishing sites is sent to Telegram channels controlled by the attackers.

It is not yet clear which threat actor is behind this campaign or how many users have been affected by it.

Last week, researchers at Microsoft uncovered a similar information-stealing campaign targeting customers of Indian banks with mobile malware. The cybercriminals behind the campaign trick users into installing fraudulent banking apps on their devices by impersonating legitimate organizations, such as financial institutions, government services and utilities.


Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.