Connect with us

Hi, what are you looking for?


Mobile & Wireless

MoqHao Banking Trojan Targets South Korean Android Users

A recently spotted Android banking Trojan targeting South Korean users via SMS phishing messages (smishing) was linked to an infection campaign from two years ago, McAfee security researchers reveal.

A recently spotted Android banking Trojan targeting South Korean users via SMS phishing messages (smishing) was linked to an infection campaign from two years ago, McAfee security researchers reveal.

The mobile phishing messages attempt to lure users into executing malware by claiming to link to a leaked private picture, or by posing as a Chrome update. Once the user clicks on the shortened link in the message, however, the banking Trojan dubbed MoqHao is installed.

Once a device has been compromised, the malware can send phishing SMS messages to the user’s contacts; can leak sensitive information, including received SMS messages; can install Android apps provided by the command and control (C&C) server; can execute remote commands and return results, and can gather sensitive information via a local Google phishing website, McAfee discovered.

During installation, the malware requests various permissions that allow it to perform its nefarious operations, such as call phone numbers, acccess contacts, and read text messages. Next, the threat requests admin privileges to achieve persistence, and displays the request window continuously, even if the user dismisses it.

MoqHao then dynamically registers a broadcast receiver for system events such as new package install, screen state, SMS messages, and more, which allows it to spy on the user activities and send device status information to the C&C. The malware also connects to the first-stage remote server and dynamically receives the IP for the second-stage server from the user profile page of Chinese search engine Baidu.

After connecting to this server, the malware sends a message containing device information such as: UUID, IMEI, Android version, device product name, build ID string, root status, SIM status, phone number, and registered accounts. Other details are periodically sent to the server, including: network operator and type (LTE, GPRS), MAC address, battery level, Wi-Fi signal level, device admin rights, screen on/off, ringer mode, and whether current package is ignoring battery optimization or not.

The Trojan checks infected devices for major Korean bank apps and downloads relevant fake or Trojanized versions of these programs if it finds them. Next, it alerts the victim that an update is available for the targeted app. Once the victim approves the update, the malicious app replaces the legitimate one.

Advertisement. Scroll to continue reading.

During analysis, however, the malware’s requests to download the malicious apps resulted in an error. According to McAfee, the functionality might not be implemented or not in use, given that infected users haven’t reported attempted installation of additional APK files.

The security researchers first observed Android/MoqHao in January, but that seemed more like a test version. Updated variants of the malware were observed in February and March, but the first non-test iteration emerged only in May.

The banking Trojan, the researchers say, appears connected to a May 2015 attack targeting users in South Korea via a phishing message in the default web browser. Although that message was very similar to those spreading Android/MoqHao and the two malware variants share some behavior and functionality, the threats have completely different code bases.

“The similarities between the 2015 and 2017 phishing campaigns suggests the same cybercriminals, who have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component as well as the dynamically loaded payload,” McAfee says.

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.