{
	"id": "dd4a2318-bbd8-46c2-a7bc-88c282ffe85f",
	"created_at": "2026-04-06T00:06:34.448804Z",
	"updated_at": "2026-04-10T03:20:19.616773Z",
	"deleted_at": null,
	"sha1_hash": "1cd7cb82fac5601e5ffa43e92181954a6656c394",
	"title": "Spyware Masquerading As Banking App Targets Koreans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2336272,
	"plain_text": "Spyware Masquerading As Banking App Targets Koreans\r\nPublished: 2021-09-17 · Archived: 2026-04-05 17:18:32 UTC\r\nCyble's research on a phishing page spreading a fake version of the Woori Bank app to target Korean-speaking users.\r\nDigital transactions and the use of mobile banking are growing exponentially – particularly due to the ongoing pandemic. The increase in popularity of mobile banking has attracted the interest of Threat Actors (TAs), who plan on leveraging this situation to steal information and money from users. Cybercriminals are also looking to compromise mobile phones, which contain the highest amount of sensitive user information.\r\nA researcher has reported, in a Twitter post, a phishing page linked to spreading Android malware. Cyble Research Labs has analyzed the page and found that it is targeting Korean-speaking users. A screenshot of the fake page is shown in the figure below.\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/\r\nPage 1 of 16\r\nFigure 1: Phishing page used to spread the spyware\r\nUpon further analysis, we observed that on the phishing page, the TA is spreading a fake version of the Woori Bank app. Woori Bank is a multinational South Korean bank headquartered in Seoul. The fake page offers the victim a loan with extremely attractive interest rates to entice and mislead them into accepting the offer.\r\nCyble Research Labs has performed a thorough analysis of the fake app and found that it is a variant of spyware. We also found that the same spyware is spreading through other phishing pages as well.\r\nBased on our investigation, the spyware collects contacts, SMSs, call logs, and audio and video files. Additionally, it performs other malicious activities such as enabling permissions without the need for user interaction, stealing credentials, etc.\r\nTechnical Analysis\r\nThe spyware uses the same icon as the WON App by Woori Bank, as shown in the figure below.\r\nFigure 2: Comparison of the original WON App and the fake app\r\nAPK Metadata Information\r\nAPK File Info\r\nAPP Name: Woori Bank (우리은행)\r\nPackage Name: com.fomta.c002\r\nSHA256: ed7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36\r\nUpon investigating the files inside the malware’s APK file, we observed the following:\r\n1. There are two files with the .dex extension in addition to the classes.dex file, which looks suspicious. Refer to Figure 3.\r\nFigure 3: APK File info\r\nUpon inspecting the magic numbers of the two .dex files highlighted in the above figure, we found that neither file has the file type of a DEX file. Magic numbers are the first few bytes of a file that uniquely identify the type of file.\r\n2. 10 armv7-based native libraries are present in the APK file.\r\nFigure 4: APK’s Native Libraries List\r\n3. A set of HTML files is present in the assets folder, as shown in Figure 5.\r\nFigure 5: HTML Files in the APK\r\nManifest File Description\r\nThe malware requests 41 permissions, of which attackers can leverage 22 to collect the victim’s personal information such as contacts, SMSs, call logs, etc. These dangerous permissions are listed in Table 1.\r\nTable 1: Permissions List\r\nPermission Name – Description\r\nACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION – Access device location (with the help of GPS and the phone network)\r\nANSWER_PHONE_CALLS – Allows the app to answer phone calls\r\nCAMERA – Access the device’s camera\r\nGET_TASKS – Fetch currently running tasks and processes\r\nPROCESS_OUTGOING_CALLS – Allows the app to process outgoing calls\r\nREAD_CONTACTS – Access phone contacts\r\nREAD_EXTERNAL_STORAGE – Access device external storage\r\nWRITE_EXTERNAL_STORAGE – Modify device external storage\r\nREAD_PHONE_STATE – Access phone state and information\r\nRECORD_AUDIO – Allows recording audio using the device microphone\r\nCALL_PHONE – Perform phone calls without user intervention\r\nREAD_CALL_LOG – Access the user’s call logs\r\nREAD_SMS – Access the user’s SMS messages stored on the device\r\nREQUEST_INSTALL_PACKAGES – Install applications without user interaction\r\nRECEIVE_SMS – Fetch and process SMS messages\r\nSEND_SMS – Allows the app to send SMS messages\r\nSYSTEM_ALERT_WINDOW – Allows displaying system alerts over other apps\r\nWRITE_CALL_LOG – Modify/delete call logs stored in the database\r\nWRITE_CONTACTS – Modify/delete contacts stored in the database\r\nUpon inspecting the Android components in the fake app’s manifest file, we identified the following entry point classes:\r\n1. com.ppnt.ccmd.aavv.Nforg – The class which executes first when the malware is initiated by the user. The declaration of the application subclass in the manifest file is shown in the figure below.\r\nFigure 6: Declaration of Application Subclass in Manifest\r\n2. com.fomta.c002.MainActivity – The activity class which executes and displays the starting page of the app. The launcher activity declaration is shown in Figure 7.\r\nFigure 7: Declaration of Launcher Activity in Manifest\r\nIn the manifest file, the malware has declared a service for accessing Android’s Accessibility Service.\r\nFigure 8: Declaration of Accessibility Service in Manifest\r\nAccessibility Service is a background service running on the device with the purpose of aiding users with disabilities. Malware such as banking trojans, Remote Access Trojans (RATs) and spyware abuse this service to intercept and monitor all activities happening on the device screen. An example of this is the ability to intercept the credentials being entered by the user in any app.\r\nMost of the component classes declared in the manifest file are not present in the APK. As shown in the figure below, the launcher activity, the Accessibility service, and several other classes are missing from the APK.\r\nFigure 9: Classes Missing in the decompiled APK\r\nSource Code Analysis\r\nUpon further analysis, we observed that the malware authors used packer software to conceal the actual behavior of the spyware. In this case, the malware is packed using custom packer software. Additionally, the malware uses multiple obfuscation techniques to evade detection and to hinder reverse engineering.\r\nPackers are a type of software used by developers to hide important code from reverse engineering. The code is only unpacked during execution of the application.\r\nUnpack the DEX Files\r\nOur investigation of the application subclass led us to code where the spyware filters and passes the two suspicious DEX files, secret_classes.dex and secret_class2.dex.\r\nThe two files are passed to a function named decrypt, which is part of a native library, libdn_ssl.so. The code flow used in the malware to decrypt the DEX files is shown in the figure below.\r\nFigure 10: Code flow to unpack DEX files\r\nUpon analyzing the libdn_ssl.so file, we found that the DEX files are encrypted using AES-128. The code used for decryption is shown in Figure 11. The key used for the encryption is also highlighted in that figure.\r\nFigure 11: Code in a native library used to Decrypt DEX Files\r\nWe decrypted the DEX files using the above findings. Upon decryption, we observed that the missing classes are present in the unpacked DEX files. We also found that the spyware uses anti-sandboxing techniques to stay undetected.\r\nAnti-Sandbox Techniques\r\nThe malware performs anti-sandboxing checks in the initial stages of execution (after unpacking the DEX code) to hide its malicious behavior. The code below depicts the checks performed by the malware in the initial stages of execution. The malware does not execute if the device is a test environment, as shown in the figure below.\r\nFigure 12: Code for Anti-sandboxing checks\r\nThe anti-sandbox techniques used are:\r\n1. Test device check (checks for the presence of adb): adb is enabled on most test devices. The code used by the spyware to check for adb is shown in the figure below.\r\nFigure 13: Code to check for Test Device\r\n2. Anti-emulator checks: Checks for emulator driver files and device fingerprints, as shown in Figure 14.\r\nFigure 14: Code to check for emulator drivers and fingerprints\r\n3. Device root check: Checks for the presence of rooting software on the device, as shown below.\r\nFigure 15: Code to check for rooting software\r\n4. Proxy and VPN checks: Malware analysts use proxies and VPNs to capture the malware’s traffic. The code used to check for the presence of these is shown in the figure below.\r\nFigure 16: Code to check for VPN and Proxies\r\n5. Device language: The spyware verifies whether the device uses the Korean language, as shown in the code below.\r\nFigure 17: Code to check for the device language\r\nThe spyware checks for the Korean language on the victim’s device, which indicates that the malware was created to target Korean-speaking users.\r\nThe fake application reveals the spyware behavior only if the malware determines that the device is not a sandboxing environment.\r\nSpyware Behavior\r\nThe malware prompts the user to enable the Accessibility permission on start, after the anti-sandboxing check. Once the permission is enabled, the malware has the capability to enable all other requested permissions with the help of the Accessibility service. The code used to request the Accessibility permission is shown below.\r\nFigure 18: Code to Request User to enable Accessibility Permission\r\nThe code used to enable all other permissions is shown in the figure below.\r\nFigure 19: Code to enable all permissions of the spyware\r\nThe spyware also displays the HTML files from the assets folder using a WebView. Upon analyzing the HTML files, we observed that the spyware creates a fake webpage to collect user information. The figure below shows the starting webpage and the other web pages used to collect user information.\r\nFigure 20: Fake Webpage displayed on app start\r\nUsing the fake webpage, the spyware collects information such as name, Resident Registration Number (RRN), company name, phone number, etc.\r\nUpon further analysis, we observed that the malware collects information from the victim’s device such as:\r\nContacts from the device phonebook\r\nSMSs\r\nCall logs\r\nAudio and video recordings\r\nGPS location\r\nApplications list\r\nScreen content as text\r\nThe malware uses a service called com.fomta.c002.service.LInitService to perform the spyware activity. The spyware collects information based on commands from the TA’s Command \u0026 Control (C\u0026C) server. The figure below shows the code to collect contacts from the victim’s device phonebook.\r\nFigure 21: Code to collect Contacts from the victim device\r\nThe spyware also constantly monitors the victim’s activities such as:\r\nIntercepting phone calls and recording phone call audio\r\nReceiving SMSs\r\nThe malware sends SMS messages based on commands from the C\u0026C, shared by the TA. The code used to send SMS messages is shown in the figure below.\r\nFigure 22: Code to send SMS message based on C\u0026C command\r\nThe malware also has the capability to make a phone call without user interaction, as shown in Figure 23.\r\nFigure 23: Code to make phone call based on C\u0026C command\r\nThe malware encrypts the collected data and uploads it to the C\u0026C server based on commands from the TA. The code to encrypt the data before upload is shown in Figure 24.\r\nFigure 24: Code to Encrypt Upload Data\r\nThe spyware uses two different C\u0026C server IPs.\r\n1. C\u0026C IP1: hxxp://125[.]227.0.22/ – Encrypted and stored in a native library, libfirebase.so\r\n2. C\u0026C IP2: hxxp://45[.]115.127.106/ – Encrypted and stored in a GitHub account\r\nGitHub URL: hxxps://raw[.]githubusercontent.com/maxw201653/dest/main/pwdText\r\nC\u0026C IP1 is encrypted using AES-128 and Base64. The code used to decrypt the IP is shown in the figure below.\r\nFigure 25: Code to decrypt C\u0026C server IP1\r\nFigure 26 shows the code used to retrieve C\u0026C IP2 from the GitHub repository.\r\nFigure 26: Code to Retrieve encrypted C\u0026C IP2 URL from GitHub\r\nThe code used by the spyware to decrypt C\u0026C IP2 is shown in the figure below.\r\nFigure 27: Code to decrypt C\u0026C IP2\r\nResilience\r\nThe malware has registered listeners for the victim’s device events and initiates the spyware activity accordingly. These events include BOOT_COMPLETED, NEW_OUTGOING_CALL, etc. The figure below shows one such listener and the events registered.\r\nFigure 28: Declaration of the Listener and Events registered for resilience\r\nThe fake application invokes LInitService, as shown in the figure below. This is the service that initiates the spyware activity.\r\nFigure 29: Code to initiate spyware activity based on device events\r\nCommands\r\nThe TA sends the commands as integer values and the spyware translates them into commands, as shown in Figure 30.\r\nFigure 30: Code to translate commands from C\u0026C\r\nConclusion\r\nAs per our observations, during the Covid-19 pandemic there has been a substantial increase in malware targeting financial services. Some notable examples are Aberebot, S.O.V.A., etc. This spyware is one of the latest amongst them.\r\nThe TA uses sophisticated techniques to evade detection and infect multiple users. Identifying phishing pages and fake applications is a best practice for not becoming a victim of this type of malware.\r\nOur Recommendations\r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\n1. If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset.\r\n2. Use the shared IoCs to monitor and block the malware infection.\r\n3. Keep your anti-virus software updated to detect and remove malicious software.\r\n4. Keep your operating system and applications updated to the latest versions.\r\n5. Use strong passwords and enable two-factor authentication.\r\n6. Download and install software only from registered app stores.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic – Technique ID – Technique Name\r\nDefense Evasion – T1406 – Obfuscated Files or Information\r\nDefense Evasion – T1444 – Masquerade as Legitimate Application\r\nDefense Evasion – T1581 – Geofencing\r\nDefense Evasion – T1575 – Native Code\r\nCredential Access – T1412 – Capture SMS Messages\r\nDiscovery – T1421 – System Network Connections Discovery\r\nDiscovery – T1430 – Location Tracking\r\nDiscovery – T1424 – Process Discovery\r\nDiscovery – T1418 – Application Discovery\r\nCollection – T1507 – Network Information Discovery\r\nCollection – T1412 – Capture SMS Messages\r\nCollection – T1432 – Access Contact List\r\nCollection – T1429 – Capture Audio\r\nCommand and Control – T1571 – Non-Standard Port\r\nCommand and Control – T1573 – Encrypted Channel\r\nImpact – T1447 – Delete Device Data\r\nIndicators of Compromise (IoCs):\r\nIndicator – Indicator type – Description\r\ned7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36 – SHA256 – Hash of the APK sample\r\nb4d3d4519427eec34c709a6d6ca43b9001fcc5802a71c8d3afa45cd4f3505626 – SHA256 – Hash of the second APK sample\r\n14264416ad72a75ac2e2a399a9b19b7533bcf33d8427bea0241a317f513acb50 – SHA256 – Hash of the third APK sample\r\n8dbc872f284fbe5eee635aab96a08bc6441ac10f3a5b8eb3aab712b52ca73534 – SHA256 – Hash of the fourth APK sample\r\nhxxp://114[.]47.93.211 – URL – Phishing page used to deliver the first APK\r\nhxxp://61.227.36[.]150 – URL – Phishing page used to deliver the second and third APK\r\nhxxp://125[.]227.0.22/ – URL – C\u0026C URL1\r\nhxxp://45[.]115.127.106/ – URL – C\u0026C URL2\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/"
	],
	"report_names": [
		"sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cd7cb82fac5601e5ffa43e92181954a6656c394.pdf",
		"text": "https://archive.orkl.eu/1cd7cb82fac5601e5ffa43e92181954a6656c394.txt",
		"img": "https://archive.orkl.eu/1cd7cb82fac5601e5ffa43e92181954a6656c394.jpg"
	}
}