Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cyber Gang Steals Millions From Mobile Banking Customers in South Korea

A Chinese cyber-gang operating under the radar has been able to siphon a small fortune from mobile bankers in South Korea during the past two years, according to a new report.

A Chinese cyber-gang operating under the radar has been able to siphon a small fortune from mobile bankers in South Korea during the past two years, according to a new report.

Dubbed the Yanbian Gang by researchers at Trend Micro, the cybercriminals used fake banking applications with the same icons and user interfaces as they legitimate apps to trick users. They also used other popular apps, such as utilities, chat, portal and security apps to rope users into their scam and steal their mobile banking credentials. These fake apps uploaded stolen user information such as mobile phone numbers, account names and numbers and login credentials to the attackers’ command and control (C&C) servers. Text messages were stolen and uploaded as well.

The group got its name from the region the gang is believed to operate in, the Yanbian Prefecture in Jilin, China. It is believed to consist of four groups – the organizers, cowboys, translators and the malware creators. The cowboys are responsible for collecting the proceeds from successful attacks and passing them onto the organizer; the translator localizes the threats depending on the country the gang wants to target; the malware creator makes the malware and the organizer brings everything together.

According to Trend Micro Mobile Security Engineer Simon Huang, the gang used a variety of Android malware for their schemes. None of the malware used by the gang was distributed through Google Play or third-party app stores. Instead, all of it was delivered through malicious text messages or downloaded by other malware.

Together, the group is believed to have stolen millions of dollars from mobile banking customers of at least five banks in South Korea since 2013.

“In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials,” Huang blogged. “They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.”

Advertisement. Scroll to continue reading.

The gang also created fake versions of other types of apps popular with Android users such as porn apps, the Google Play app and Adobe Flash Player. In their analysis Trend Micro examined a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app. The remaining 13 were fake versions of other Google apps.

“The hackers used fake banking and other popular apps to victimize more than 4,000 South Korean Android mobile banking customers throughout 2013 and 2014,” according to a research report by Trend Micro. “They also used effective social engineering lures like “The Interview” to bait victims into installing their fake apps.”

Another example of a lure used by the gang was to attempt to scare users into clicking on malicious links via SMS phishing messages presented as messages from law enforcement.

“When clicked, however, the link installed a malicious app in their devices that communicated with designated C&C servers to listen for commands,” the report notes. “We first spotted these malware in September 2013 and continued to see them till April 2014, proving the steadfast nature of the threats.”

Last year, a report from Trend Micro noted that China’s underground market for mobile malware and malicious services is thriving, with everything ranging from spamming to SMS forwarding Trojans for sale. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.