A malicious campaign targeting mobile banking users in Iran is relying on hundreds of Android applications for credential and credit card information theft, mobile security firm Zimperium reports.
The campaign was brought to light in July, when Sophos reported on 40 malicious applications that circulated between December 2022 and May 2023, targeting the users of four Iranian banks, namely Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.
The malicious apps were found to harvest banking login credentials and credit card data, to intercept SMS messages to bypass multi-factor authentication, and to hide their icons to prevent removal.
Masquerading as their legitimate counterparts available through the popular Iranian marketplace Cafe Bazaar, the applications were being distributed via phishing websites.
In a Tuesday report, Zimperium notes that the 40 applications were just the tip of the iceberg: 245 additional malicious applications linked to the same campaign have been uncovered, 28 of which went undetected on VirusTotal.
“These samples can be directly linked to the same threat actors and represent two additional iterations of Iranian mobile banking malware since the original research. The first iteration is identical to what was previously reported but includes new targets; the second iteration includes many new capabilities and evasion techniques to make the attack more successful,” Zimperium says.
In addition to targeting the four banking applications, the samples in the first iteration check the infected devices for the presence of other apps as well, without actively targeting them, suggesting that the malware developers are planning to expand their attacks.
In total, the malicious software targets 12 banking applications, while also checking devices for the presence of cryptocurrency wallets, likely to start targeting them in the future.
The samples in the second iteration, Zimperium says, rely on Android’s accessibility services to display overlays for credential and credit card information theft, to grant themselves additional permissions, to prevent uninstallation, and to find and click on interface elements.
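The capability combination described above (an accessibility service plus SMS access and overlay permission) is what a mobile-security analyst would look for first when triaging a suspicious APK. The following is an added example, not code from Zimperium, Sophos or the campaign itself; it parses a constructed AndroidManifest.xml (not a real sample from the report) with Python's standard library and flags that combination. The permission and action names are the standard Android ones; the package name, component names and risk labels are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest (hypothetical package, not a sample from the report) that
# declares the behaviours the campaign is described as using: an accessibility
# service, SMS interception and the overlay permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app, used as the negative case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def extract_capabilities(manifest_xml):
    """Return the set of risk-relevant capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    caps = set()
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        caps.add("sms_access")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        caps.add("overlay")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility_service")
    # A receiver for SMS_RECEIVED sees incoming one-time codes before the user does.
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            if _attr(action, "name") == "android.provider.Telephony.SMS_RECEIVED":
                caps.add("sms_receiver")
    return caps


def triage(manifest_xml):
    """Return sorted human-readable findings for the analyst; empty means no red flags."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    # The pairing is the signal: accessibility alone is legitimate for many apps,
    # but together with overlays or SMS access it matches the overlay-and-OTP pattern.
    if "accessibility_service" in caps and caps & {"overlay", "sms_access"}:
        findings.append("accessibility service combined with overlay/SMS capability")
    if "sms_receiver" in caps:
        findings.append("app registers for incoming SMS broadcasts (OTP interception risk)")
    return sorted(findings)


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest) or "no findings")
```

In practice the manifest would be pulled from the APK with a decoder such as apktool before being fed to `triage()`; the point of the check is that neither permission is suspicious on its own, so scoring the combination rather than individual permissions keeps false positives down.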
The attackers exfiltrate stolen data to Telegram channels and host the list of command-and-control (C&C) server URLs and phishing links in GitHub repositories, which lets them swap in new infrastructure quickly when any of it is taken down.
According to Zimperium, the malicious applications mainly target Xiaomi and Samsung devices, performing specific actions when models from these vendors are identified. However, the attackers are likely preparing attacks on iOS devices as well.
“The phishing sites used by this malware also verify if the page is opened by an iOS device. In that case, a website mimicking the iOS version of the app is served. At the moment, the iOS campaign could be under development, or distributed through an, as of yet, unidentified source,” Zimperium notes.