Hackers are using malicious code to take over legitimate banking apps and your phone — don't fall for this
This malware is infecting legitimate apps in order to trick victims.
Hackers are taking legitimate banking apps, decompiling them to add malicious code, and then spreading the rebuilt apps through familiar channels such as phishing lures and look-alike websites. According to researchers at Group-IB, these poisoned apps may be linked to the GoldFactory group, which is also known for stealing facial recognition data.
The campaign has not only exposed thousands of people to banking fraud but also given the attackers full control over infected devices. The attackers add trojans or backdoors to the apps, and Group-IB has so far found 27 original banking applications that were tampered with. Once the malicious code is in an app, the operators impersonate a government agency or service through smishing, phishing or other social engineering so that potential victims are lured to a website that mimics a real government site.
For example, the initial lure might be a text purporting to come from an electricity provider or the Department of Health, directing the target to a fake website impersonating that organization, where they are prompted to download an infected app in order to make a payment. Some of the scams first establish contact over text or a messaging app and then move to phone calls to provide additional instructions.
The victim may be instructed to borrow an Android device to complete the process, or given a link to a website that resembles the Google Play Store but actually serves an APK file for sideloading. Because the trojanized app behaves just like the legitimate one, the victim doesn't realize that they aren't dealing with a real government agency or business.
Once the download is complete, the victim is prompted to grant a number of permissions the app has no legitimate need for. Those permissions let the threat actors steal the victim's login credentials, monitor their activity, commit financial fraud and even take over the device. The group can also remove traces of its activity once these malicious actions are complete.
Group-IB points out that GoldFactory uses "advanced hooking malware families" called SkyHook, FriHook, PineHook and Gigabug, which can bypass many of an app's built-in integrity checks to hide their malicious behavior. These families also let the attackers capture sensitive data, automate on-screen actions and even remotely view and operate the victim's phone.
While the victims so far are concentrated in the regions where GoldFactory usually operates, namely Vietnam, Thailand and Indonesia, the same approach could easily be deployed against other countries such as the U.S. or the U.K.
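The check a repackaged app cannot pass is the one done outside the app. Rebuilding an APK means re-signing it, and without the developer's private key the attacker's signing certificate is different from the original, however faithfully the app's behavior is copied. The Python script below is an added example for this article, not code from Group-IB, GoldFactory's tooling or Tom's Guide: it parses the APK Signature Scheme v2 block of an APK and compares the SHA-256 digest of the signer certificate with a pinned value (the same digest that `apksigner verify --print-certs` reports). The two sample APKs are built in memory with only the certificate field of the signing block populated, and the "certificates" are stand-in byte strings rather than real DER, so everything in the demo is constructed.

```python
"""Pin an Android app's signing certificate and check an APK against it.

Added example for this article, not code from Group-IB or Tom's Guide.
A decompiled-and-rebuilt APK must be re-signed, and without the developer's
private key the attacker's certificate differs from the original; comparing
the SHA-256 digest of the signer certificate in the APK Signature Scheme v2
block with a pinned value therefore catches a repackaged app. The sample
APKs and "certificates" below are constructed placeholders, not real DER.
"""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_V2_ID = 0x7109871A       # ID-value pair that carries the v2 signature block
EOCD_SIG = b"PK\x05\x06"     # zip end-of-central-directory record signature


def _central_dir_offset(apk: bytes) -> int:
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def _lp_items(buf: bytes):
    """Yield the items of a v2 sequence of uint32-length-prefixed elements."""
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        yield buf[pos + 4:pos + 4 + n]
        pos += 4 + n


def signer_cert_digests(apk: bytes) -> list:
    """SHA-256 hex digests of every signer certificate in the v2 block."""
    cd_off = _central_dir_offset(apk)
    if apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (v1-only or unsigned APK)")
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    pos, end = cd_off - size, cd_off - 24   # ID-value pairs sit between these
    digests = []
    while pos < end:
        (pair_len,) = struct.unpack_from("<Q", apk, pos)
        (pair_id,) = struct.unpack_from("<I", apk, pos + 8)
        value = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if pair_id != SIG_V2_ID:
            continue
        (signers_len,) = struct.unpack_from("<I", value, 0)
        for signer in _lp_items(value[4:4 + signers_len]):
            signed_data = next(_lp_items(signer))            # then sigs, pubkey
            _digests_seq, certs_seq, _attrs = _lp_items(signed_data)
            for cert_der in _lp_items(certs_seq):
                digests.append(hashlib.sha256(cert_der).hexdigest())
    return digests


def verify_pinned_signer(apk: bytes, pinned_sha256: str) -> bool:
    """True only if every signer certificate matches the pinned digest."""
    return set(signer_cert_digests(apk)) == {pinned_sha256}


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_demo_apk(entries: dict, cert_der: bytes) -> bytes:
    """Build a minimal zip plus a v2-shaped signing block carrying cert_der.

    Constructed for the demo: digests, signatures and public key are left
    empty, so the result is parseable but NOT a validly signed APK.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    apk = buf.getvalue()
    eocd = apk.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")  # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")         # + signatures, pubkey
    v2 = _lp(_lp(signer))                                   # sequence of signers
    pair = struct.pack("<QI", 4 + len(v2), SIG_V2_ID) + v2
    size = len(pair) + 8 + 16                               # pairs + size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + apk[eocd + 20:]
    return apk[:cd_off] + block + apk[cd_off:eocd] + patched_eocd


# Stand-ins for certificate DER (constructed, not real certificates).
DEVELOPER_CERT = b"placeholder DER: bank signing certificate"
ATTACKER_CERT = b"placeholder DER: repackager's certificate"
PINNED_DIGEST = hashlib.sha256(DEVELOPER_CERT).hexdigest()  # obtained out of band

ORIGINAL_APK = build_demo_apk(
    {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00 original"},
    DEVELOPER_CERT,
)
REPACKAGED_APK = build_demo_apk(
    {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00 +hook"},
    ATTACKER_CERT,
)

if __name__ == "__main__":
    for label, apk in (("original", ORIGINAL_APK), ("repackaged", REPACKAGED_APK)):
        print(label, signer_cert_digests(apk), verify_pinned_signer(apk, PINNED_DIGEST))
```

To use it on a real file, replace the constructed sample with the bytes of the APK and the pinned digest with one read from a copy installed from Google Play. The comparison belongs on a workstation or in a device-management pipeline rather than inside the app: a check that runs in the app's own process is exactly what the hooking families above patch out at runtime. The parser handles only the v2 signing block; an APK signed solely with the older JAR-style v1 scheme has no block and raises an error instead of a false pass. Android applies the same rule to updates, refusing an APK whose signing certificate differs from the installed package's.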
How to stay safe from malware
Fortunately, this campaign isn't very widespread yet. As with most phishing, vishing and smishing campaigns, though, the best protection is to stay calm and think critically about the messages you receive. Be extremely suspicious of any message from a government agency or service that arrives through an unofficial channel. Does your power company normally send you text messages? Is it normal for the Department of Health to contact you on your phone?
With any unexpected message, the rules stay the same: never click a link or code in a message if you don't know who sent it, and don't download anything unless you know who sent it and have verified the request. If someone contacts you asking you to download something, hang up or leave the text unanswered, then contact that office independently to confirm that the request is legitimate.
Likewise, always check the URL of a website you visit, or type it in yourself, to make sure you're on the correct site. Keep the best antivirus software running on your devices, as most of it can warn you when you visit a suspicious website or attempt to download a program that isn't legitimate. Many of these suites also bundle extras such as a VPN and ransomware rollback that can help keep you safe online.
This campaign may be limited to several countries in Southeast Asia for now, but given how successful it has been so far, I could easily see it spreading. That is why you should always practice good cyber hygiene and be especially wary of unsolicited messages that claim to come from a government agency or business. That way, you can avoid falling victim to this malware campaign if it does reach other countries.

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.
