Cyber Gang Steals Millions From Mobile Banking Customers in South Korea

A Chinese cyber-gang operating under the radar has been able to siphon a small fortune from mobile bankers in South Korea during the past two years, according to a new report.

Dubbed the Yanbian Gang by researchers at Trend Micro, the cybercriminals used fake banking applications with the same icons and user interfaces as the legitimate apps to trick users. They also used fake versions of other popular apps, such as utilities, chat, portal and security apps, to rope users into the scam and steal their mobile banking credentials. These fake apps uploaded stolen user information, such as mobile phone numbers, account names and numbers and login credentials, to the attackers’ command and control (C&C) servers. Text messages were stolen and uploaded as well.

The group got its name from the region the gang is believed to operate in, the Yanbian Prefecture in Jilin, China. It is believed to consist of four groups – the organizers, cowboys, translators and the malware creators. The cowboys are responsible for collecting the proceeds from successful attacks and passing them on to the organizer; the translator localizes the threats depending on the country the gang wants to target; the malware creator builds the malware; and the organizer brings everything together.

According to Trend Micro Mobile Security Engineer Simon Huang, the gang used a variety of Android malware for their schemes. None of the malware used by the gang was distributed through Google Play or third-party app stores. Instead, all of it was delivered through malicious text messages or downloaded by other malware.

Together, the group is believed to have stolen millions of dollars from mobile banking customers of at least five banks in South Korea since 2013.

“In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials,” Huang blogged. “They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.”

The gang also created fake versions of other types of apps popular with Android users, such as porn apps, the Google Play app and Adobe Flash Player. In their analysis, Trend Micro examined a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app. The remaining 13 were fake versions of other Google apps.
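The three signals the report describes are all checkable from a device's package inventory: the fakes are sideloaded rather than store-installed, they need SMS access plus network access to exfiltrate messages and credentials, and, since they only copy the icon and UI, they cannot carry the real bank's signing key (which is why they have to uninstall the real app before taking its place). The script below, added here as an example and not Trend Micro's tooling, runs those checks over an inventory. The package names, signer fingerprints and inventory records are constructed; on a real device they would come from `pm list packages -i -f`, `dumpsys package` and `apksigner verify --print-certs`, and the allowlist from the banks' published app listings.

```python
"""Triage an Android package inventory for banking-app impersonation.

Constructed example: KNOWN_APPS, the package names and the signer
fingerprints are placeholders, not real bank or Google values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str                 # the name/icon the user sees; trivially spoofable
    signer_sha256: str         # hex SHA-256 of the APK signing certificate; not spoofable
    installer: Optional[str]   # installing package; None = sideloaded (SMS link, adb, dropper)
    permissions: frozenset


# Constructed allowlist keyed by the user-visible label: (package, signer fingerprint).
KNOWN_APPS = {
    "KB Kookmin Bank":   ("kr.example.kbbank",    "a1" * 32),
    "Shinhan Bank":      ("kr.example.shinhan",   "b2" * 32),
    "Google Play Store": ("com.android.vending",  "c3" * 32),
}

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"
STORE_INSTALLERS = {"com.android.vending"}


def triage(apps: List[InstalledApp], known=KNOWN_APPS) -> Dict[str, List[str]]:
    """Return {package: [finding, ...]} for every app that trips at least one check."""
    findings: Dict[str, List[str]] = {}
    for app in apps:
        hits = []
        expected = known.get(app.label)
        if expected is not None:
            exp_pkg, exp_signer = expected
            if app.package == exp_pkg and app.signer_sha256 != exp_signer:
                # Same package name as the real app but signed with a different key.
                # Android will not update a package in place under a new signer, so
                # an app in this state replaced the original after it was removed.
                hits.append("signer-mismatch")
            elif app.package != exp_pkg:
                # Same label (and presumably icon) under a different package name.
                hits.append("label-collision")
        if (app.installer not in STORE_INSTALLERS
                and app.permissions & SMS_PERMS
                and INTERNET in app.permissions):
            # Sideloaded and able to both read SMS and reach a C&C server.
            hits.append("sideloaded-sms-exfil-capable")
        if hits:
            findings[app.package] = hits
    return findings


# Constructed inventory: one clean bank app, one fake that replaced a bank app,
# one fake "Google Play" dropped via an SMS link, one harmless sideloaded utility.
SAMPLE_INVENTORY = [
    InstalledApp("kr.example.kbbank", "KB Kookmin Bank", "a1" * 32,
                 "com.android.vending", frozenset({INTERNET})),
    InstalledApp("kr.example.shinhan", "Shinhan Bank", "ff" * 32, None,
                 frozenset({INTERNET} | SMS_PERMS)),
    InstalledApp("com.example.playupdate", "Google Play Store", "ee" * 32, None,
                 frozenset({INTERNET, "android.permission.RECEIVE_SMS"})),
    InstalledApp("org.example.flashlight", "Flashlight", "dd" * 32, None,
                 frozenset({"android.permission.CAMERA"})),
]

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {', '.join(hits)}")
```

The signer check is the one that matters most: icons, labels and even package names can be copied, but the certificate fingerprint only matches if the app was signed with the bank's key, so it belongs in any mobile-banking client's own integrity check as well as in device triage.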


“The hackers used fake banking and other popular apps to victimize more than 4,000 South Korean Android mobile banking customers throughout 2013 and 2014,” according to a research report by Trend Micro. “They also used effective social engineering lures like ‘The Interview’ to bait victims into installing their fake apps.”

Another lure used by the gang was SMS phishing messages posing as notices from law enforcement, designed to scare users into clicking a malicious link.

“When clicked, however, the link installed a malicious app in their devices that communicated with designated C&C servers to listen for commands,” the report notes. “We first spotted these malware in September 2013 and continued to see them till April 2014, proving the steadfast nature of the threats.”

Last year, a report from Trend Micro noted that China’s underground market for mobile malware and malicious services is thriving, with everything from spamming services to SMS-forwarding Trojans for sale.
