{
	"id": "fbd86522-0f99-415c-a14b-305e0c16dfa3",
	"created_at": "2026-04-06T00:07:15.566475Z",
	"updated_at": "2026-04-10T03:30:32.712977Z",
	"deleted_at": null,
	"sha1_hash": "09db2ff01548cb6ab96227d63e3279489ac7acfe",
	"title": "Fake e-shops on the prowl for banking credentials using Android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521996,
	"plain_text": "Fake e-shops on the prowl for banking credentials using Android malware\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:37:59 UTC\r\nThe popularity of online shopping has been growing during the past few years, a trend accelerated by the pandemic. To make this already convenient way of never having to leave the couch to buy new things even more convenient, people are increasingly using their smartphones instead of computers to shop: in Q1 2021, smartphones accounted for 69% of all retail website visits worldwide, and smartphone purchases made up 57% of online shopping orders. A noteworthy aspect of buying goods and services via a mobile device is that 53% of smartphone users do it from vendor-specific applications.\r\nSeeking to profit from this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious applications. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use domain names similar to those of the services they impersonate, the better to attract unsuspecting victims.\r\nCampaign overview\r\nThis campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.\r\nOn top of that, ESET researchers found four more fake websites. 
All seven websites impersonated services that are only available in Malaysia: six of them, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, offer cleaning services, and the seventh is a pet store named PetsMore. The side-by-side comparison of the legitimate and copycat versions of Grabmaid and PetsMore can be seen in Figures 1 and 2, respectively.\r\nFigure 1. Grabmaid: legitimate website on the left, copycat on the right\r\nFigure 2. PetsMore: legitimate website on the left, copycat on the right\r\nThe copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play.\r\nTo appear legitimate, the applications ask the users to sign in after starting them up; there is, however, no account validation on the server side – the software takes any input from the user and always declares it correct. Keeping up the appearance of an actual e-shop, the malicious applications pretend to offer goods and services for purchase while matching the interface of the original stores (see Figure 3 for a screenshot of the shopping cart in one of the malicious apps). When the time comes to pay for the order, the victims are presented with payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. During our research, it was not possible to pick the credit card option.\r\nhttps://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/\r\nPage 1 of 6\r\nFigure 3. The shopping cart in a malicious application\r\nAs we already mentioned, the goal of the malware operators is to obtain the banking credentials of their victims. After picking the direct transfer option, victims are presented with a fake FPX (Financial Process Exchange, Malaysia’s interbank online payment system) page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials. The targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank, as seen in Figure 4.\r\nFigure 4. Targeted banks\r\nAfter unfortunate victims submit their banking credentials, they receive an error message informing them that the user ID or password they provided was invalid (Figure 5). At this point, the entered credentials have already been sent to the malware operators, as Figure 6 shows.\r\nFigure 5. Error message displayed to the victim after credentials are exfiltrated\r\nFigure 6. Credentials being sent to the attacker’s server\r\nTo make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators, in case they contain Two-Factor Authentication (2FA) codes sent by the bank (see Figure 7).\r\nFigure 7. All received SMS messages are forwarded to the attacker’s server\r\nMalware description\r\nThe observed malware is rather minimalistic: it is designed to request only one user permission, which is to read received SMS messages (an unusual request for a shopping app). Its goal is to phish for banking credentials and forward 2FA SMS messages from the compromised device to the operators. 
Lacking the functionality to remove SMS messages from the device, the malware cannot hide that somebody is trying to get into the victim’s bank account.\r\nSo far, the malware has been targeting only Malaysia – both the e-shops it impersonates and the banks whose customers’ credentials it is after are Malaysian, and the prices in the applications are all displayed in the local currency, the Malaysian Ringgit.\r\nOne of the services impersonated in the campaign, MaidACall, has already warned its users of this fraudulent campaign via a Facebook post (see Figure 8). The rest have not publicly commented on the issue yet.\r\nFigure 8. Warning post by a service that was impersonated during the campaign\r\nWe have found the same malicious code in all three analyzed applications, leading us to conclude that they can all be attributed to the same threat actor.\r\nTakeaways\r\nTo protect yourself against this type of threat, first, try to ensure that you are using legitimate websites to shop:\r\n- Verify that the website is served over HTTPS, i.e., its URL begins with https://. Some browsers may refuse to open non-HTTPS websites, warn users explicitly, or offer an HTTPS-only mode. Bear in mind that HTTPS only guarantees an encrypted connection, not a legitimate operator: copycat sites obtain valid certificates just as easily, so also check that the domain name itself belongs to the vendor.\r\n- Be wary of clicking ads and do not follow paid search engine results: they may not lead to the official website.\r\nApart from looking out for fake websites, here are some other useful tips to enjoy a safer online shopping experience on your smartphone:\r\n- Pay attention to the source of applications you are downloading. Make sure that you are actually redirected to the Google Play store when getting an application, rather than to a direct APK download from a third-party site.\r\n- Use software or hardware 2FA instead of SMS when possible.\r\n- Use mobile security solutions to detect harmful websites and malicious apps.\r\nConclusion\r\nThe observed campaign is a fake e-shop scheme targeting the banking credentials of Android users in Malaysia. It exploits the popularity of using smartphones to shop online. 
Instead of phishing for banking credentials on websites, the threat actors have introduced Android applications into the chain of compromise, thus making sure they have access to 2FA SMS messages the victim is likely to receive. The scheme relies on using ads to lure potential victims into accessing copycat versions of legitimate websites. Once there, a fake Google Play download button directs them towards a malicious application distributed by the malware operators via a third-party site.\r\nWhile the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIndicators of compromise (IoCs)\r\nSamples\r\nFirst seen | MD5 | SHA-1 | SHA-256 (truncated)\r\n2022-01-04 | CB66D916831DE128CCB2FCD458067A7D | ABC7F3031BEC7CADD4384D49750665A1899FA3D4 | 9B4A0019E7743A46B49\r\n2022-02-23 | 8183862465529F6A46AED60E1B2EAE52 | BEDDFE5A26811DCCCA7938D00686F8F745424F57 | E949BAC52D39B6E207A\r\n2022-02-08 | B6845141EC0F4665A90FB16598F56FAC | 1C984FB282253A64F11EE4576355C1D5EFBEE772 | D1017952D1EF0CEEC6C\r\n2022-01-03 | 43727320E8BF756FE18DB37483DAD0A0 | E39C485F24D239867287DCD468FC813FDB5B7DB6 | 5F8A54D54E25400F52C\r\n2022-02-09 | C51BC547A40034F4828C72F37F2F1F39 | 1D33F53E2E9268874944C2F52E31CCAF2BF46A93 | D8BE8F7B8B224FCA2B\r\n2022-01-08 | 4BEC6A07E881DB1A950367BEB1702ADA | 9A5A57BF49DBBEF2E66FEE98E5C97B0276D03D28 | A5C7373BE95571418C4\r\n2022-01-17 | 4FD6255562B2A29C974235FD21B8D110 | BA78B1177C3E2A569A665611E7684BCEEAF2168F | DFF93FD8F3BC2694496\r\n2022-01-30 | C7DCBD2B7F147A6450C62A8D67207465 | 0E910AD1C33BEF86C9FDBBE4654421398E694329 | A091B15F008B117167A\r\n2021-10-09 | 71341FC2958E65D208F2770185C61D7A | 5237D3FAE84BB5D611C80338CF02EB3793C30F02 | 4904C26E90DC4D18AD\r\n2021-12-13 | CF3B20173330FEA53E911A229A38A4BC | B42CD5EC736FCC0D51A1D05652631BE50C9456A0 | 6DB2D526C3310FAD6C\r\nNetwork\r\nIP | Provider | First seen | Domain | Role\r\n185.244.150[.]159 | Dynadot | 2022-01-20 19:36:29 | token2[.]club | Distribution website\r\n194.195.211[.]26 | Hostinger | 2022-01-08 14:33:32 | grabamaid-my[.]online | Distribution website\r\n172.67.177[.]79 | Hostinger | 2022-01-03 08:20:50 | maidacalls[.]online | Distribution website\r\n172.67.205[.]26 | Hostinger | 2022-01-03 13:40:24 | petsmore[.]online | Distribution website\r\n172.67.174[.]195 | Hostinger | 2022-02-23 00:45:06 | cleangmy[.]site | Distribution website\r\nN/A | Hostinger | 2022-01-24 17:40:14 | my-maid4us[.]site | Distribution website\r\nN/A | Hostinger | 2022-01-27 14:22:10 | yourmaid[.]online | Distribution website\r\n194.195.211[.]26 | Hostinger | 2021-11-19 05:35:01 | muapks[.]online | C\u0026C server\r\n194.195.211[.]26 | Hostinger | 2021-11-19 05:23:22 | grabsapks[.]online | C\u0026C server\r\n104.21.19[.]184 | Hostinger | 2022-01-20 03:47:48 | grabmyapks90[.]online | C\u0026C server\r\n104.21.29[.]168 | Hostinger | 2021-12-22 12:35:42 | m4apks[.]online | C\u0026C server\r\n172.67.208[.]54 | Hostinger | 2022-01-17 09:22:02 | maid4uapks90[.]online | C\u0026C server\r\n172.67.161[.]142 | Hostinger | 2022-01-22 06:42:37 | grabmaidsapks80[.]online | C\u0026C server\r\n2.57.90[.]16 | Hostinger | 2022-01-10 23:51:29 | puapks[.]online | C\u0026C server\r\n124.217.246[.]203 | Hostinger | 2021-09-15 03:50:28 | 124.217.246[.]203:8099 | C\u0026C server\r\n172.67.166[.]180 | Hostinger | 2021-12-24 15:54:34 | meapks[.]xyz | C\u0026C server\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1444 | Masquerade as Legitimate Application | Fake websites provide links to download malicious Android apps.\r\nInitial Access | T1476 | Deliver Malicious App via Other Means | Malicious apps are delivered via direct download links behind fake Google Play buttons.\r\nCredential Access | T1411 | Input Prompt | Malware displays fake bank login screens to harvest credentials.\r\nCredential Access | T1412 | Capture SMS Messages | Malware captures received SMS messages so it has 2FA codes for bank logins.\r\nCollection | T1412 | Capture SMS Messages | Malware captures received SMS messages that might contain other interesting data besides 2FA codes for bank logins.\r\nExfiltration | T1437 | Standard Application Layer Protocol | Malicious code exfiltrates credentials and SMS messages over standard HTTPS protocol.\r\nSource: https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/"
	],
	"report_names": [
		"fake-eshops-prowl-banking-credentials-android-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09db2ff01548cb6ab96227d63e3279489ac7acfe.pdf",
		"text": "https://archive.orkl.eu/09db2ff01548cb6ab96227d63e3279489ac7acfe.txt",
		"img": "https://archive.orkl.eu/09db2ff01548cb6ab96227d63e3279489ac7acfe.jpg"
	}
}