Home Cyber Security 200+ Malicious Android Apps Focusing on Iranian Banks: Specialists Warn

200+ Malicious Android Apps Focusing on Iranian Banks: Specialists Warn

200+ Malicious Android Apps Focusing on Iranian Banks: Specialists Warn


Nov 29, 2023NewsroomCellular Safety / Malware

Android malware

An Android malware marketing campaign concentrating on Iranian banks has expanded its capabilities and included extra evasion ways to fly beneath the radar.

That is in response to a brand new report from Zimperium, which found greater than 200 malicious apps related to the malicious operation, with the risk actor additionally noticed finishing up phishing assaults towards the focused monetary establishments.

The marketing campaign first got here to gentle in late July 2023 when Sophos detailed a cluster of 40 credential-harvesting apps concentrating on prospects of Financial institution Mellat, Financial institution Saderat, Resalat Financial institution, and Central Financial institution of Iran.

The first objective of the bogus apps is to trick victims into granting them in depth permissions in addition to harvest banking login credentials and bank card particulars by abusing Android’s accessibility companies.

“The corresponding official variations of the malicious apps can be found at Cafe Bazaar, an Iranian Android market, and have tens of millions of downloads,” Sophos researcher Pankaj Kohli mentioned on the time.


“The malicious imitations, then again, have been accessible to obtain from numerous comparatively new domains, a few of which the risk actors additionally employed as C2 servers.”

Curiously, a few of these domains have additionally been noticed to serve HTML phishing pages designed to steal credentials from cellular customers.

The newest findings from Zimperium illustrate continued evolution of the risk, not solely when it comes to a broader set of focused banks and cryptocurrency pockets apps, but in addition incorporating beforehand undocumented options that make it stronger.

This contains the usage of the accessibility service to grant it extra permissions to intercept SMS messages, forestall uninstallation, and click on on consumer interface parts.

Some variants of the malware have additionally been discovered to entry a README file inside GitHub repositories to extract a Base64-encoded model of the command-and-control (C2) server and phishing URLs.

“This enables attackers to shortly reply to phishing websites being taken down by updating the GitHub repository, guaranteeing that malicious apps are at all times getting the newest energetic phishing website,” Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri mentioned.

One other noteworthy tactic is the usage of intermediate C2 servers to host textual content information that include the encoded strings pointing to the phishing websites.

Whereas the marketing campaign has thus far educated its eyes on Android, there’s proof that Apple’s iOS working system can be a possible goal primarily based on the truth that the phishing websites confirm if the web page is opened by an iOS system, and if that’s the case, direct the sufferer to an internet site mimicking the iOS model of the Financial institution Saderat Iran app.

It is at present not clear if the iOS marketing campaign is beneath growth phases, or if the apps are distributed via an, as of but, unidentified supply.


The phishing campaigns are not any much less refined, impersonating the precise web sites to exfiltrate credentials, account numbers, system fashions, and IP addresses to 2 actor-controlled Telegram channels.

“It’s evident that fashionable malware is turning into extra refined, and targets are increasing, so runtime visibility and safety are essential for cellular functions,” the researchers mentioned.

The event comes a bit over a month after Fingerprint demonstrated a way by which malicious Android apps can stealthily entry and duplicate clipboard knowledge by leveraging the SYSTEM_ALERT_WINDOW permission to obscure the toast notification that is displayed when a specific app is studying clipboard knowledge.

“It is potential to overdraw a toast both with a unique toast or with every other view, utterly hiding the unique toast can forestall the consumer from being notified of clipboard actions,” Fingerprint mentioned. “Any software with the SYSTEM_ALERT_WINDOW permission can learn clipboard knowledge with out notifying the consumer.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.


Supply hyperlink


Please enter your comment!
Please enter your name here