Banking Trojan Targets Banking Users in Malaysia

Trojans pose a serious threat to Android devices because they are hard to identify: they perform malicious activities behind the guise of legitimate features. This blog focuses on one such malicious Android application, which pretends to be a cleaning service in Malaysia and targets users by stealing their SMS messages and bank credentials. The application appears to mimic the official website cleaningservicemalaysia[.]com: the attackers created a fake website and an Android application to trick unsuspecting users and steal their SMS data and Net banking credentials.

Cyble Research Labs came across a Twitter post in which researchers mentioned this Android malware. The malicious app is named Cleaning Service Malaysia. On further analysis, we observed that the Threat Actors (TAs) behind it also have a website hosted at hxxps://www.csapks.online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main[.]php.

Once the malware executes successfully, it can steal sensitive data such as SMS messages and the Net Banking credentials of Malaysian banks.

Technical Analysis

APK Metadata Information

  • App Name: Cleaning Service Malaysia
  • Package Name: com.company.gamename
  • SHA256 Hash: 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0

Figure 1 shows the metadata information of the application.

Figure 1 Metadata Information

Figure 2 shows the application icon and name.

Figure 2 App Icon and Name

Manifest Description

The malware requests twenty-four different permissions, some of which are declared multiple times. Of these, one permission in particular can be abused by attackers: the RECEIVE_SMS permission.

The dangerous permission is listed below.

| Permission | Description |
| --- | --- |
| RECEIVE_SMS | Allows the app to receive and process SMS messages. |

Table 1: Permission Abused by the Malware

Figure 3 shows the launcher activity of the malware.

Figure 3 Launcher Activity Declared in the Manifest
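The permission-plus-receiver combination described above is the first thing an analyst checks when triaging an APK like this one. The following added example (not code from the report or from the malware) runs that check over a decoded AndroidManifest.xml, such as the one apktool produces; the manifest below is constructed to carry the traits described in this section, and only the package name is taken from the metadata above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed manifest (not the sample's real one) with the traits the report
# describes: RECEIVE_SMS, a permission declared twice and a receiver for
# incoming SMS. The package name is the one from the APK metadata.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.company.gamename">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Cleaning Service Malaysia">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Summarise SMS-interception indicators in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    duplicates = sorted(p for p, n in Counter(perms).items() if n > 1)
    sms_perms = sorted(SMS_PERMISSIONS & set(perms))
    # Receivers whose intent-filter subscribes to incoming SMS (ATT&CK T1402).
    sms_receivers = [
        r.get(ANDROID_NS + "name") for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "duplicate_permissions": duplicates,
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        # Permission plus receiver is the pairing behind the behaviour in Figure 4.
        "sms_interception_suspected": bool(sms_perms) and bool(sms_receivers),
    }
```

Run it on the manifest extracted from any APK under review; a result with both an SMS permission and an SMS_RECEIVED receiver warrants a closer look at the receiver's code.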

Source Code Description

The code snippet in Figure 4 shows how the malware receives incoming messages and uploads them to the Command and Control (C&C) server.

Figure 4 Code to Steal SMSes

Figure 5 shows the traffic analysis of the malware as it sends incoming messages to the C&C server: hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you.

Figure 5 Traffic Analysis of Malware Sending Incoming SMS to the C&C Server
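The request in Figure 5 carries the stolen message in a query parameter (sms=) alongside a device identifier (sid=), which gives defenders a simple network detection. The added example below (not from the report) scans constructed proxy log lines for that pattern and for contact with the C&C hosts listed in the IOC section; the log line format and the extra parameter names in SMS_PARAMS are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# IOCs from the report, kept defanged exactly as published; refang() makes them matchable.
C2_IOCS = ["hxxps://redlabapi[.]online/", "hxxps://www.csapks[.]online/"]

# Query parameters carrying a stolen message. "sms" is what the sample uses;
# the other names are an assumption to widen coverage.
SMS_PARAMS = {"sms", "message", "msg"}

def refang(ioc):
    """Turn a defanged indicator (hxxps, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

C2_HOSTS = {urlsplit(refang(i)).hostname for i in C2_IOCS}

# Constructed proxy log lines: "<timestamp> <client> <method> <url>". The first two
# are exfiltration attempts shaped like Figure 5; the other two are benign.
LOG_LINES = """2023-03-01T10:15:02Z 10.0.0.23 GET https://redlabapi.online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you
2023-03-01T10:15:40Z 10.0.0.23 GET https://redlabapi.online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=Your%20OTP%20is%20482913
2023-03-01T10:16:11Z 10.0.0.41 GET https://example.com/search?q=cleaning%20service
2023-03-01T10:17:05Z 10.0.0.23 POST https://example.com/api.php?sid=abc"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def detect_sms_exfil(log_text):
    """Return one finding per request that leaks an SMS body or reaches a known C&C host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        # parse_qs already percent-decodes, so "hey,%20how" comes back as "hey, how".
        leaked = [v for p in SMS_PARAMS for v in query.get(p, [])]
        known_c2 = parts.hostname in C2_HOSTS
        if leaked or known_c2:
            findings.append({
                "time": ts,
                "client": client,
                "host": parts.hostname,
                "known_c2": known_c2,
                "device_id": query.get("sid", [None])[0],
                "leaked_sms": leaked,
            })
    return findings
```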

Phishing Activities

Once users schedule the cleaning service through this malicious application, the application requests the user's details, such as name, phone number, and address, and sends the collected data to the C&C server in plain text, as shown in Figures 6 and 7.

Figure 6 App Requests User Details

Figure 7 User Details Sent to C&C Server in Plain Text Observed from Traffic Analysis

Once users enter their details, the malware asks them to complete the payment process for the cleaning service. We observed that, to complete the transaction, the malware lists multiple Malaysian banks' Internet Banking options, as shown in Figure 8.

Figure 8 Payment Banks Lists Mentioned in Malicious App

Once users continue with the payment process by choosing a bank's Internet Banking service, the malware loads a page designed to look like that bank's legitimate Internet Banking page. One such case is shown in Figure 9.

Figure 9 AFFIN Online Internet Banking Page Mimicked by the Malicious Application

On further analysis, we observed that the TAs have hosted the bank's Internet Banking pages on their own infrastructure server, hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/fpx_888a/AFF/AFF.php, as shown in Figure 10.

Figure 10 Internet Banking Page Hosted on TA C&C Server

During traffic analysis, we observed that the malware steals the victim's Internet Banking credentials and uploads them to the TA infrastructure, as shown in Figure 11.

Figure 11 Malware Stealing Internet Banking Credentials

Other Observations

On further analysis, we identified that the TAs have also hosted a similar website on their C&C server at hxxps://www.csapks[.]online/app_abc771_2sfacslfffcs2/cleaningservicemalaysia_888a/core/main.php, as shown in Figure 12.

Figure 12 Similar Website Hosted on TA C&C Server

The TA website lists social media accounts as its contact medium, as shown in Figure 13.

Figure 13 Social Media Accounts Mentioned on TA Website

Interestingly, analysis of these social media accounts showed that the account details given on the website belong to a legitimate company known as BALABUSTA BROOKLYN, as shown in Figure 14.

Figure 14 Social Media Account Mentioned by the TA on their Website

Figure 15 shows the Instagram account mentioned on the TA's website. The account appears to be newly created, with very few posts and followers. We suspect that the TAs use the same account for malicious activities.

Figure 15 Account Mentioned on TA Website

On further analysis, we reached a legitimate website with a similar UI, similar services and a similar name, Cleaning Service For All. We therefore suspect that the malware is designed to mimic this legitimate website in order to trick users and steal their sensitive data.

Figure 16 Legitimate Website that the Malicious App mimics

Conclusion

Banking Trojans are created to target users of banking services and steal financial information such as SMS messages and Net banking credentials.

TAs constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to deceive users into installing them.

Users should install applications only after verifying their authenticity, and should ensure that applications are installed from the official Play Stores, to avoid such cyberattacks.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store & Apple App Store.
  • Use a reputed Anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable device security features such as fingerprint or password for unlocking the mobile device.
  • Be wary of opening any links present in SMSs or Emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated to the latest versions.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi Data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile Data and remove the SIM card, as in some cases the malware can re-enable Mobile Data.
  • Perform a factory reset.
  • Remove the application if a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank

What banks should do to protect customers?

  • Banks and other financial entities should educate customers on safeguarding from malware attacks using modes such as telephone, SMSes, or emails.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Execution | T1575 | Native Code |
| Persistence | T1402 | Broadcast Receivers |
| Credential Access | T1552 | Unsecured Credentials |
| Collection | T1412 | Capture SMS Messages |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Impact | T1400 | Modify System Partition |

Indicators of Compromise (IOCs)

| Indicators | Indicator type | Description |
| --- | --- | --- |
| 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0 | SHA256 | Malicious APK |
| hxxps://www.csapks[.]online/ | URL | TA Portal |
| hxxps://redlabapi[.]online/api_spa24125/api_espanol/api.php?sid=1295c8887ec39859&sms=hey,%20how%20are%20you | URL | TA C&C |
