Fabricated Bank website distributes Android Spyware

imToken’s increasing popularity exploited by Threat Actors

Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute malware and steal victims’ information. Recently, CRIL identified a phishing site hxxp://imt[.]tronlink.golf that displays a fabricated Bank called “IMTBANK”.

The Threat Actor (TA) has used this bank name in the phishing page that references imToken. imToken is an extremely popular digital crypto and Bitcoin wallet having over 12 million users in more than 150 countries.

The phishing site uses the icon of imToken to look genuine and lures the victim into downloading the malicious app to know the loan eligibility provided by a bank. When a user clicks on the DOWNLOAD button, the phishing sites download an APK file “IMTBANK.apk”. After conducting an in-depth analysis, we confirmed that the malicious app is a variant of SpyMax.

TAs typically prefer to steal the seed phrase of crypto-currency wallets, similar to the campaign we have explained in our analysis of Metamask. In this case, TA is leveraging the popularity of imToken, and delivering a Remote Access Trojan (RAT) to steal the information using a fake loan app.

The Threat Actor (TA) has provided some instructions to users as an activity introduction. The instruction includes downloading the imToken wallet app, logging into the app, depositing the amount, and insisting users sign in daily to receive the rewards.

The TA has also provided the genuine imToken link on the phishing website under the “Quick loan” section, as shown in the below image.

The phishing site has an “Invite Friends” activity where the TA has mentioned another similar phishing domain t.tronlink[.]golf, for spreading the malware. This domain has the same UI and downloads the same APK file.

In this blog post, we discuss our detailed analysis of fabricated banking loan applications targeting imToken users.

Technical Analysis

APK Metadata Information

• App Name: IMTYBANK
• Package Name: com.resources.installations
• SHA256 Hash: 97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878c

Figure 4 shows the metadata information of the application.  

Manifest Description

The malicious application mentions 26 permissions in the manifest file, out of which the TA exploits 11. The harmful permissions requested by the malware are:  

Permission	Description
READ_CONTACTS	Access phone contacts
READ_CALL_LOG	Access phone call logs
READ_SMS	Access phone messages
CAMERA	Required to access the camera device.
READ_EXTERNAL_STORAGE	Allows the app to read the contents of the device’s external storage
RECORD_AUDIO	Allows the app to record audio with the microphone, which the attackers can misuse
WRITE_EXTERNAL_STORAGE	Allows the app to write or delete files to the external storage of the device
CALL_PHONE	Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
ACCESS_FINE_LOCATION	Allows an app to access precise location
SYSTEM_ALERT_WINDOW	Allows an app to create windows on top of all other apps
REQUEST_INSTALL_PACKAGES	Allows an application to request installing packages.

Source Code Review

Upon installation, the malware prompts the victim to turn on Accessibility Service. As soon as the victim grants permission, the malware abuses the Accessibility service to prevent uninstallation and perform auto-gestures.

The malware then connects to the phishing URL hxxp://tt.tronlink[.]golf:32768/index.html and loads the fabricated IMTBank website, similar to the phishing website shown in Figure 1.

The phishing site is then loaded on infected Android devices, displays two buttons, “LOGIN” and “SIGN IN.”  When a user clicks on the “LOGIN” button, the malware opens the login page where the user can enter a username and password to login into the app. If the user is not registered already, the login will fail. The user can register into the app by providing a username, password, and wallet address, as shown in the image below.

When a user clicks on the “Apply” button, the malicious app prompts the user to enter a few basic details as a part of the loan application. It displays an application message in review after entering the details, as shown in the image below.

While the malware asks for the above loan application details, it is actually stealing the victim’s information in the background. The malware at work here is the SpyMax variant. SpyMax is a commercial spyware family with all the capabilities of Spying and allows TA to gather victims’ sensitive information.

SpyMax has been used in various campaigns as a spying tool in the past, and recently it has been distributed via fake websites.

The malware connects to the Command and Control (C&C) server and receives various commands to execute operations, as shown in the below image.

The code shown in the below image is capable of capturing the screenshots of the infected device and further sends all screenshots to the C&C server.

The malware abuses the Accessibility service not just to prevent uninstallation but also to steal sensitive data from an infected device. The code shown in the image below is used to fetch the 2FA code from the Google Authenticator app by abusing the Accessibility service and sending the stolen code to the C&C server.

The malware also steals the victim’s location using LocationManager[RS1]  APIs and sends them to the C&C server.

Conclusion

SpyMax is a well-known spying tool that has actively been used in various campaigns to steal victims’ information. Our research indicates that the TA used the loan app lure by leveraging imToken popularity to attract the victim into downloading SpyMax malware and stealing sensitive information.

Cyble Research & Intelligence Labs continuously monitors ongoing malicious attacks and updates our readers with the latest findings to be protected from such malicious threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection?

• Download and install software only from official app stores like Play Store or the iOS App Store.
• Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

• Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
• Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

• Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
• Perform a factory reset.
• Remove the application in case a factory reset is not possible.
• Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

• In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

• Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1476	Deliver Malicious App via Other Mean.
Initial Access	T1444	Masquerade as Legitimate Application
Collection	T1512	Capture Camera
Persistence	T1402	Broadcast Receivers
Collection	T1513	Screen Capture
Collection	T1533	Data from Local System
Exfiltration	T1437	Standard Application Layer Protocol
Collection	T1436	Commonly used port
Input capture	T1417	Input capture

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
97884c2b74ccffebdc91a439c4316c3215d0eb571a17820ce7da77355f21878c	SHA256	Hash of the analyzed APK file
5b5ea9ab9b2bcb82f2762e5b8f589a2cd92ae264	SHA1	Hash of the analyzed APK file
d512359a8a11d6678e7d1be37a7fec5f	MD5	Hash of the analyzed APK file
hxxp://154.211.96[.]78:8088	URL	C&C server
hxxp://tt[.]tronlink.golf:32768/index.html	URL	Phishing website present in Android App
hxxp://imt[.]tronlink.golf/	URL	Malware distribution site
hxxp://t[.]tronlink.golf/	URL	Malware distribution site