Malware & Threats

Hundreds of Malicious Android Apps Target Iranian Mobile Banking Users

Zimperium has identified over 200 information-stealing Android applications targeting mobile banking users in Iran.

A malicious campaign targeting mobile banking users in Iran is relying on hundreds of Android applications for credential and credit card information theft, mobile security firm Zimperium reports.

The campaign was brought to light in July, when Sophos reported on 40 malicious applications that circulated between December 2022 and May 2023, targeting the users of four Iranian banks, namely Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.

The malicious apps were found to harvest banking login credentials and credit card data, to intercept SMS messages to bypass multi-factor authentication, and to hide their icons to prevent removal.

Masquerading as their legitimate counterparts available through the popular Iranian marketplace Cafe Bazaar, the applications were being distributed via phishing websites.

In a Tuesday report, Zimperium notes that the 40 applications were just the tip of the iceberg: 245 further malicious applications linked to the same campaign have been uncovered, including 28 that had no detections on VirusTotal at the time of analysis.

“These samples can be directly linked to the same threat actors and represent two additional iterations of Iranian mobile banking malware since the original research. The first iteration is identical to what was previously reported but includes new targets, the second iteration includes many new capabilities and evasion techniques to make the attack more successful,” Zimperium says.

In addition to targeting the four banking applications, the samples in the first iteration check the infected devices for the presence of other apps as well, without actively targeting them, suggesting that the malware developers are planning to expand their attacks.

In total, the malicious software targets 12 banking applications, while also checking devices for the presence of cryptocurrency wallets, likely to start targeting them in the future.


The samples in the second iteration, Zimperium says, rely on Android’s accessibility services to display overlays for credential and credit card information theft, to grant themselves additional permissions, to prevent uninstallation, and to find and click on interface elements.
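The capability mix described above (SMS interception for OTP theft, an accessibility service used for overlays and self-protection, and probing for installed banking and wallet apps) is visible in an APK's decoded manifest before any dynamic analysis. The following triage script is an added example, not Zimperium's or Sophos's tooling and not code from the campaign; the scoring weights, the `com.example.bank.*` and `com.example.wallet.*` package prefixes standing in for targeted apps, and the embedded sample manifests are all constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for banking-trojan indicators:
SMS interception, accessibility-service abuse, overlay permission and
<queries> probing for banking/wallet packages. Added example; weights,
package prefixes and sample manifests are assumptions, not campaign data."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: namespace prefix

# Permission -> (weight, reason). Weights are an assumption chosen for this example.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "can read incoming OTP codes"),
    "android.permission.READ_SMS": (2, "can read stored SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "can draw overlays on other apps"),
    "android.permission.REQUEST_DELETE_PACKAGES": (1, "can prompt package removal"),
    "android.permission.QUERY_ALL_PACKAGES": (2, "can enumerate every installed app"),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Hypothetical prefixes standing in for the targeted banking and wallet apps.
WATCHED_PACKAGE_PREFIXES = ("com.example.bank.", "com.example.wallet.")

# Constructed manifest modelled on the behaviour described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <queries>
        <package android:name="com.example.bank.one"/>
        <package android:name="com.example.bank.two"/>
        <package android:name="com.example.wallet.coin"/>
    </queries>
    <application android:label="Bank">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".AccService" android:exported="true"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return (score, findings) for a decoded manifest string."""
    root = ET.fromstring(xml_text)
    score, findings = 0, []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name in SUSPICIOUS_PERMISSIONS:
            weight, why = SUSPICIOUS_PERMISSIONS[name]
            score += weight
            findings.append(f"permission {name}: {why}")
    # A high-priority SMS_RECEIVED receiver sees OTP texts before the SMS app does.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID + "priority", "0"))
                score += 3 if prio > 0 else 2
                findings.append(f"SMS_RECEIVED receiver {recv.get(ANDROID + 'name')} priority={prio}")
    # An accessibility service is what drives overlays, self-granted permissions and UI clicking.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == ACCESSIBILITY_PERMISSION:
            score += 4
            findings.append(f"accessibility service {svc.get(ANDROID + 'name')}")
    # <queries> entries reveal which installed apps the sample checks for.
    probed = [p.get(ANDROID + "name", "") for q in root.iter("queries") for p in q.findall("package")]
    probed = [p for p in probed if p.startswith(WATCHED_PACKAGE_PREFIXES)]
    if probed:
        score += len(probed)
        findings.append("probes for installed packages: " + ", ".join(probed))
    return score, findings


def verdict(score):
    """Map a triage score to a label; thresholds are an assumption for this example."""
    if score >= 8:
        return "likely banking trojan"
    if score >= 4:
        return "review"
    return "low"


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        s, f = triage_manifest(manifest)
        print(f"{label}: score={s} verdict={verdict(s)}")
        for line in f:
            print("  -", line)
```

Run it against a manifest produced by `apktool d` (which decodes the binary XML back to readable form); the `<queries>` block is worth reading even when the permission set looks ordinary, since it is where a sample lists the apps it intends to impersonate or later target.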

The attackers exfiltrate stolen data to Telegram channels and use GitHub repositories to host the list of command-and-control (C&C) server URLs and phishing links, which lets them swap infrastructure quickly when a server or domain is taken down.

According to Zimperium, the malicious applications mainly target Xiaomi and Samsung devices, performing specific actions when models from these vendors are identified. However, the attackers are likely preparing attacks on iOS devices as well.

“The phishing sites used by this malware also verify if the page is opened by an iOS device. In that case, a website mimicking the iOS version of the app is served. At the moment, the iOS campaign could be under development, or distributed through an, as of yet, unidentified source,” Zimperium notes.

Related: Xenomorph Android Banking Trojan Targeting Users in US, Canada

Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

Related: ‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

