HelloTeacher: New Android Malware Targeting Banking Users In Vietnam

Android Spyware Masqarading As Popular Messaging Applications For Stealing Sensitive Data

Cyble Research & Intelligence Labs (CRIL) discovered a new variant of Android Spyware that has set its sights on unsuspecting users in Vietnam. As the malware variant is new in the wild, hence we are referring to this malware as “HelloTeacher” based on the test service present in the source code.

HelloTeacher malware disguises itself as a popular messaging application like Viber or Kik Messenger, luring its targets into installing the malicious application. The malware is armed with sophisticated capabilities such as exfiltrating contact details, SMS data, photos, installed applications list, and even capturing pictures and recording infected device’s screen.

But that’s not all; the TA behind the HelloTeacher attempted to integrate this spyware with the power of a banking trojan by abusing an Accessibility Service. Their primary focus was on three prominent Vietnamese banks mentioned in the below table :

Package nameBanking Application name
com.tpb.mb.gprsandroidTPBank Mobile
com.mbmobileMB Bank
com.vietinbank.ipayVietinBank iPay

Unleashing this malware, the TA implemented code specifically designed to fetch account balances from “TPBank Mobile.” TA also tried to implement on-device fraud targeting MB Bank, attempting to insert values in the text fields of the MB Bank mobile application. While this particular module remains unfinished, it indicates that the TA behind the HelloTecheacher malware may come up with new features.

The following analysis focuses on the latest variant sample, identified by the hash value “00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930e”. This sample cleverly utilizes the name and ICON of the legitimate Viber application, aiming to deceive users into believing it is a legitimate version and enticing them to install it on their devices. A comprehensive examination of this variant is provided in the subsequent section.

Technical Analysis

APK Metadata Information  

  • App Name: Viber
  • Package Name: com.zcq.mjb_08
  • SHA256 Hash: 00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930e

  The figure below shows the metadata information of the application. 

Figure 1 – Application metadata information

Upon installation, HelloTeacher malware prompts the victim to enable the Accessibility service. Once it is granted, the malware starts abusing the Accessibility service to grant auto permissions and execute banking trojan functionalities.

Figure 2 – Prompting to enable the Accessibility Service

Figure 3 – Auto granting permissions

Meanwhile, in the background, the malware communicates with Command and Control (C&C) server hxxp://api.sixmiss[.]com/abb-api/client/ to send stolen information. The HelloTeacher uses the below URL pattern to send different data from an infected device to the C&C server.

  • /status – Malware sends basic device information to check the status of the socket connection
  • /log – Malware sends error logs
  • /data – Malware sends stolen information such as contact, SMS, and other details

The malware exploits the Accessibility services to monitor events related to a targeted banking application. Upon detecting user interaction with the TPbank mobile app, the malware checks the component ID associated with the genuine banking app’s account balance information (“com.tpb.mb.gprsandroid:id/accBalance”). Subsequently, the malware retrieves the account balance and stores it in a file named applog.txt. This file is later sent to the C&C server.

Figure 4 – Malware fetching balance from TPbank mobile application

Similarly, the TA also implemented code to steal the lock pattern or password using the Accessibility service and store it in the same file, “applog.txt”.

Figure 5 – Malware stealing screen lock password

Moreover, HelloTeacher malware also monitors the victim’s actions related to the MB Bank mobile application. By examining the node information of the legitimate banking app, the malware inserts the received text from the C&C server into the text field. However, it is currently unknown what specific value the malware is inserting into the text field, as the C&C server is offline, and the relevant code elements for the mobile banking application’s text field are absent.

Figure 6 – Malware targeting MB Bank

In addition, the malware examines elements associated with the password and username fields of the MB Bank mobile application. It checks for the presence of keywords related to “password” and “username” in both English and Vietnamese languages. The TA has included this code, but upon analyzing it, no further utilization of this method call was found. The incomplete code suggests that the malware is still in the development phase, and the TA is working towards enhancing the functionalities of the banking trojan.

Figure 7 – Incomplete code for fetching username and password of MB Bank application

The malware has the ability to receive commands from the C&C server and execute malicious operations on the compromised device. These operations include performing automated gestures, manipulating the display by opening and closing a black screen, and preventing uninstallation, among others.

Figure 8 – Malware receives commands from the C&C server

HelloTeacher malware employs MediaProjection to record the screen of the targeted device and send it to the C&C server, utilizing the type named “screen,” as shown in Figure 6. During the transfer of stolen information, the malware utilizes the variable “type”  as a label[DS1] [RP2]  to classify the data. For instance, it uses “contact” as the type when sending contacts and “photo” as the type for transmitting photos, and so forth.

Figure 9 – Malware starts screen recording

The malware also captures the picture using an infected device’s camera and sends the clicked pictures to the C&C server using the type “camera” as shown in the below figure.

Figure 10 – Malware capturing photos using the infected device’s camera

In addition to recording the screen and capturing photos, the HelloTeacher malware also gathers various sensitive data from a compromised device. This includes stealing text messages, contact information, photos, and a list of installed applications. The stolen information is then transmitted to the C&C server with their respective types.

Figure 11 – Malware stealing contact details

Figure 12 – Malware Steals SMSs data

Figure 13 – Malware stealing photos from external storage

Figure 14 – Malware stealing installed application package list

Furthermore, the malware has introduced a test service named “HelloTeacherService” which is triggered by the AlarmReceiver. The exact purpose of this service remains ambiguous, as its name implies that it is a testing service. However, we suspect that the TA may add new functionality to this test service.

Figure 15 – HelloTeacher test service

The TA has incorporated several Chinese language strings within the code. These strings have been utilized for logging purposes and, in certain instances, have been used in C&C communication. The inclusion of these Chinese-based strings has aroused suspicion regarding the possibility that the TA behind HelloTeacher malware may be originating from China.


The discovery of HelloTeacher Android malware, specifically aimed at users in Vietnam, highlights the evolving sophistication and deceptive tactics employed by malicious actors. The TA behind this spyware demonstrated their intent to incorporate banking trojan functionalities by leveraging an Accessibility Service, with a particular emphasis on prominent Vietnamese banks. The existence of unfinished banking trojan features suggests ongoing development and refinement of the malware, indicating the possibility of encountering a new variant in the near future.

To safeguard against such advanced malware, it is crucial for users to exercise vigilance and refrain from downloading popular messaging apps from third-party stores or suspicious websites. By adopting this cautious approach, individuals can significantly reduce the risk of falling victim to these sophisticated threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Means.
Initial AccessT1444Masquerade as a Legitimate Application
CollectionT1432Access Contact List
CollectionT1412Capture SMS Messages
CollectionT1512Capture Camera
CollectionT1513Screen Capture
CollectionT1533Data from Local System
DiscoveryT1418Application discovery

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930eSHA256  Hash of analyzed APK
f1e674e58cd60b634febd0be0da38fee7fd40a5cSHA1  Hash of analyzed APK
43162a1c5494d6c84d940beaa7dbd507MD5Hash of analyzed APK
hxxp://api[.]sixmiss.comURLC&C server
d0dc26b3485b7e40ec400f681d39767042d30ae50f6f47340adc971cce7fba50SHA256  Hash of analyzed APK
ba20865f51d46f2bd25a3e6b9f11b26e220ed7eeSHA1  Hash of analyzed APK
b6fa402a0d0fab1dabeb3c90cd8847f9MD5Hash of analyzed APK
7c634665f5f2c3b837d7211bf92c095e7e1d6cd3aa4cb86ca75def4146b14ea6SHA256  Hash of analyzed APK
a8fe89c844699ea2aaba87afd9919907c17ac199SHA1  Hash of analyzed APK
5b0d2fc2107fd18a0cb125b4997e2d10MD5Hash of analyzed APK
hxxp://api[.]viberrx.comURL  C&C server

Comments are closed.

Scroll to Top