A Chinese cyber-gang operating under the radar has been able to siphon a small fortune from mobile bankers in South Korea during the past two years, according to a new report.
Dubbed the Yanbian Gang by researchers at Trend Micro, the cybercriminals used fake banking applications with the same icons and user interfaces as the legitimate apps to trick users. They also used other popular apps, such as utilities, chat, portal and security apps, to rope users into their scam and steal their mobile banking credentials. These fake apps uploaded stolen user information such as mobile phone numbers, account names and numbers and login credentials to the attackers’ command and control (C&C) servers. Text messages were stolen and uploaded as well.
The group got its name from the region the gang is believed to operate in, the Yanbian Prefecture in Jilin, China. It is believed to consist of four groups – the organizers, cowboys, translators and the malware creators. The cowboys are responsible for collecting the proceeds from successful attacks and passing them on to the organizer; the translator localizes the threats depending on the country the gang wants to target; the malware creator makes the malware and the organizer brings everything together.
According to Trend Micro Mobile Security Engineer Simon Huang, the gang used a variety of Android malware for their schemes. None of the malware used by the gang was distributed through Google Play or third-party app stores. Instead, all of it was delivered through malicious text messages or downloaded by other malware.
Together, the group is believed to have stolen millions of dollars from mobile banking customers of at least five banks in South Korea since 2013.
“In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials,” Huang blogged. “They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.”
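A look-alike app can copy a bank app's label and icon, and can even take over the real app's package name after uninstalling it, but it cannot reproduce the bank's signing key. The check below is an added example, not code from Trend Micro or the article: it flags installed apps that present as one of the spoofed banks but are not signed by the expected certificate. Package names and fingerprints are constructed placeholders, and the inventory is a constructed sample rather than a real device listing.

```python
# Added example: detect spoofed bank apps by signer-certificate mismatch.
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str
    signer_sha256: str  # SHA-256 of the APK signing cert (e.g. from `apksigner verify --print-certs`)


# Known-good signers. PLACEHOLDER packages and fingerprints; a real deployment records
# the values observed on the genuine APK of each bank.
KNOWN_BANK_APPS = {
    "KB Kookmin Bank": {"package": "placeholder.kbbank", "signer_sha256": "aa" * 32},
    "NH Bank": {"package": "placeholder.nhbank", "signer_sha256": "bb" * 32},
    "Hana Bank": {"package": "placeholder.hanabank", "signer_sha256": "cc" * 32},
    "Shinhan Bank": {"package": "placeholder.shinhan", "signer_sha256": "dd" * 32},
    "Woori Bank": {"package": "placeholder.woori", "signer_sha256": "ee" * 32},
}


def normalize(label: str) -> str:
    """Case- and whitespace-insensitive label comparison."""
    return " ".join(label.lower().split())


def find_spoofed(installed, known=KNOWN_BANK_APPS):
    """Return (package, reason) for apps claiming a bank identity with the wrong signer.

    An app is matched to a bank either by package name (covers the case where the fake
    has replaced the real app under its name) or by display label (covers a fake under a
    different package that copies the bank's name and icon)."""
    by_package = {v["package"]: (name, v) for name, v in known.items()}
    by_label = {normalize(name): (name, v) for name, v in known.items()}
    findings = []
    for app in installed:
        hit = by_package.get(app.package) or by_label.get(normalize(app.label))
        if hit is None:
            continue  # not presenting as a known bank app
        bank, expected = hit
        if app.signer_sha256.lower() != expected["signer_sha256"].lower():
            findings.append((app.package, f"presents as {bank} but signer does not match"))
    return findings


# Constructed sample inventory: one genuine app, two spoofs, one unrelated app.
SAMPLE_INSTALLED = [
    InstalledApp("placeholder.kbbank", "KB Kookmin Bank", "aa" * 32),   # genuine
    InstalledApp("com.fake.kbbank", "KB  kookmin bank", "11" * 32),     # copied label, wrong signer
    InstalledApp("placeholder.shinhan", "Shinhan Bank", "22" * 32),     # replaced real package
    InstalledApp("com.example.notes", "Notes", "33" * 32),              # unrelated
]
```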
The gang also created fake versions of other types of apps popular with Android users, such as porn apps, the Google Play app and Adobe Flash Player. In its analysis, Trend Micro examined a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app. The remaining 13 were fake versions of other Google apps.
“The hackers used fake banking and other popular apps to victimize more than 4,000 South Korean Android mobile banking customers throughout 2013 and 2014,” according to a research report by Trend Micro. “They also used effective social engineering lures like “The Interview” to bait victims into installing their fake apps.”
Another lure the gang used was SMS phishing messages posing as notices from law enforcement, intended to scare users into clicking malicious links.
“When clicked, however, the link installed a malicious app in their devices that communicated with designated C&C servers to listen for commands,” the report notes. “We first spotted these malware in September 2013 and continued to see them till April 2014, proving the steadfast nature of the threats.”
Last year, a report from Trend Micro noted that China’s underground market for mobile malware and malicious services is thriving, with everything ranging from spamming to SMS forwarding Trojans for sale.