Spyware Masquerading As Banking App Targets Koreans
Published: 2021-09-17 · Archived: 2026-04-05 17:18:32 UTC
Cyble's research on a phishing page spreading a fake version of the Woori Bank app for targeting Korean-speaking users.  
Digital transactions and the use of Mobile Banking are growing exponentially – particularly due to the ongoing pandemic.
The increase in popularity of mobile banking has attracted the interest of Threat Actors (TAs), who plan on leveraging this
situation to steal information and money from users. Cybercriminals are also looking to compromise mobile
phones which contain the highest amount of sensitive user information. 
A researcher has reported a phishing page linked to spreading Android malware in a Twitter post. Cyble
Research Labs has analyzed the page and found that the phishing page is targeting Korean-speaking users.  
A screenshot of the fake page is shown in the figure below. 
World's Best AI-Native Threat Intelligence
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 1 of 16

Figure 1: Phishing page used to spread the spyware
Upon further analysis, we observed that on the phishing page, the TA is spreading a fake version of the Woori Bank
app. Woori Bank is a multinational South Korean Bank headquartered in Seoul. The fake page offers the
victim a loan amount with extremely attractive interest rates to entice and mislead them into accepting the offer.  
Cyble Research Labs has performed a thorough analysis of the fake app and found that it is a variant of spyware. We also
found that the same spyware is spreading through other phishing pages as well. 
Based on our investigation, the spyware collects contacts, SMSs, call logs and audio and video files. Additionally,
it performs other malicious activities such as enabling permissions without the need for user interaction, stealing credentials,
etc.  
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 2 of 16

Technical Analysis 
The spyware shares the same icon of the WON App by Woori Bank as shown in the below figure. 
Figure 2: Comparison of original Won App and the fake app
APK Metadata Information 
APK File Info 
APP Name: Woori Bank (우리은행) 
Package Name: com.fomta.c002 
SHA256: ed7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36 
Upon investigating the files inside the malware’s APK file, we observed the following:  
1. There are two files with .dex extension in addition to the classes.dex file, which looks suspicious. Refer to Figure 3. 
Figure 3: APK File info
Upon inspecting magic numbers of the two .dex files highlighted in above figure, we found the file type of both files are not
of a DEX file.  
Magic numbers are the first bits of a file that uniquely identify the type of file. 
2. 10 armv7-based native libraries present in APK file.  
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 3 of 16

Figure 4: APK’s Native Libraries List
3. Set of HTML files in the assets folder as shown in Figure 5. 
Figure 5: HTML Files in the APK
Manifest File Description 
The malware requests 41 permissions, out of which attackers can leverage 22 permissions to collect victim’s personal
information such as contacts, SMSs, call logs, etc. These dangerous permissions are listed in Table 1. 
Permission Name  Descrip
ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION 
Access
device
location
(with th
help of
and Pho
network
ANSWER_PHONE_CALLS 
Allows
app to
answer
phone c
CAMERA 
Access
device’s
camera 
GET_TASKS  Fetch
currentl
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 4 of 16

running
and
processe
PROCESS_OUTGOING_CALLS 
Allows
app to
process
outgoin
calls 
READ_CONTACTS 
Access
phone
contacts
READ_EXTERNAL_STORAGE 
Access
device
external
storage 
WRITE_EXTERNAL_STORAGE 
Modify
device
external
storage 
READ_PHONE_STATE  
Access
phone s
and
informa
RECORD_AUDIO 
Allows
record a
using de
microph
CALL_PHONE 
Perform
without
interven
READ_CALL_LOG 
Access
user’s c
logs 
READ_SMS 
Access
user’s S
stored in
device 
REQUEST_INSTALL_PACKAGES 
Install
applicat
without
interacti
RECEIVE_SMS  Fetch an
process
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 5 of 16

SMS
message
SEND_SMS 
Allows
app to s
SMS
message
SYSTEM_ALERT_WINDOW 
Allows
display
system a
over oth
apps 
WRITE_CALL_LOG 
Modify
Delete C
Logs sto
in the
database
WRITE_CONTACTS 
Modify
Delete
Contact
Stored i
Databas
Table1: Permissions List
Upon inspecting the Android components in the fake app’s manifest file, we identified the following entry point classes: 
1. com.ppnt.ccmd.aavv.Nforg –  The class which executes first when the malware is initiated by the user. The
declaration of the application subclass in the manifest file is shown in below figure. 
Figure 6: Declaration of Application Subclass in Manifest 
2. com.fomta.c002.MainActivity – The activity class which executes and displays the starting page of the app. Launcher
activity declaration is shown in Figure 7. 
Figure 7: Declaration of Launcher Activity in Manifest 
In the manifest file, the malware has declared a service for accessing Android’s Accessibility Service.  
Figure 8: Declaration of Accessibility Service in Manifest
Accessibility Service is a background service running in the device with the purpose of aiding users with disabilities.  
Malware such as Banking trojans, Remote Access Trojans (RATs) and Spyware abuse this service to intercept and monitor
all activities happening on the device screen. An example of this is the ability to intercept the credentials being entered by
the user on any app. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 6 of 16

Most of the component classes declared in the Manifest file are not present in the APK. As shown in the below figure, the
launcher activity, Accessibility service, and several other classes are also missing in the APK. 
Figure 9: Classes Missing in the decompiled APK
Source Code Analysis 
Upon further analysis, we observed that the malware authors used packer software to conceal the actual behavior of the
spyware. In this case, the malware is packed using custom packer software. Additionally, the malware also uses multiple
obfuscation techniques to evade detection and to restrict reverse engineering. 
Packers are a type of software used by developers to hide important code from reverse engineering. The code
will only unpack during the execution of the application. 
Unpack the DEX Files 
Our investigation on the application subclass led us to a code where the spyware filters
and passes the two suspicious DEX files, secret_classes.dex and secret_class2.dex files.  
The two files are passed to a function named decrypt which is part of a native library, libdn_ssl.so. The code flow used in the
malware to decrypt the DEX files is shown in the below figure. 
Figure 10: Code flow to unpack DEX files
Upon analyzing the libdn_ssl.so file, we found that the DEX files are encrypted using the AES-128-bit encryption technique.
The code used for decryption is shown in Figure 11. The key used in the encryption is also highlighted below. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 7 of 16

Figure 11: Code in a native library used to Decrypt DEX Files
We decrypted the DEX and files using the above findings. Upon decryption, we observed that the missing classes are present
in the unpacked DEX files. We also found that the spyware uses anti-sandboxing techniques to stay undetected. 
Anti-Sandbox Techniques 
The malware performs anti-sandboxing techniques in the initial stages of the execution (after unpacking the DEX code) to
hide its malicious behavior. The below code depicts the checks performed by the malware in the initial stages of execution.
The malware does not execute if the device is a test environment as shown in the below figure. 
Figure 12: Code for Anti-sandboxing checks
The anti-sandbox techniques used are: 
1. Checks for test device (checks for the presence of adb): adb is enabled in most of the test devices.  The code used by
the spyware to check adb is shown in below figure. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 8 of 16

Figure 13: Code to check for Test Device
2. Anti-Emulator Checks: Checks for emulator driver files and device fingerprints as shown in the Figure 14. 
Figure 14: Code to check for emulator drivers and fingerprints
3. Device root check: Check for the presence of rooting software in device as shown below. 
Figure 15: Code to check for rooting software’s
4. Proxy and VPN Checks: Malware analyst uses proxies and VPNs to capture the traffic of the malware. The code used
to check for the presence of this technique is shown in the below figure. 
Figure 16: Code to check for VPN and Proxies 
5. Device Language: The spyware verifies whether the device uses Korean language as shown in the code below. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 9 of 16

Figure 17: Code to check for the device language
The spyware checks for the Korean language used in the victim’s device which concludes that the malware is created to
target Korean-speaking users. 
The fake application reveals the spyware behavior only if the malware identifies the device is not a sandboxing
environment.  
Spyware Behavior 
The malware prompts the user to enable Accessibility permission on start, post the anti-sandboxing check. Upon enabling
the permission, the malware has the capability to enable all other permissions requested with the help of the Accessibility
service. The code used to request the Accessibility permission is shown below. 
Figure 18: Code to Request User to enable Accessibility Permission
The code used to enable all other permissions is shown in the figure below. 
Figure 19: Code to enable all permission of spyware 
The spyware also displays the HTML files in the assets folder using a WebView. Upon analyzing the HTML files, we
observed that the spyware creates a fake webpage to collect user information. The below figure shows the starting webpage
and the other web pages used to collect user information. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 10 of 16

Figure 20: Fake Webpage displays on app start
Using the fake webpage, the spyware collects information such as name, Resident Registration Number (RRN), company
name, phone number, etc. 
Upon further analysis, we observed that the malware collects information from the victim’s device such as: 
Contacts from device phonebook  
SMSs 
Call Logs  
Audio and Video recording 
GPS Location 
Applications List 
Screen Content as text  
The malware uses a service called, com.fomta.c002.service. LInitService, to perform the spyware activity.  
The spyware collects information based on the commands from the TA’s Command & Control (C&C) server. 
The below figure shows the code to collect contacts from the victim’s device phonebook. 
Figure 21: Code to collect Contacts from the victim device 
The spyware also constantly monitors victim’s activities such as: 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 11 of 16

Intercepting phone calls and recording phone call audio  
Receiving SMSs  
The malware sends SMS messages based on commands from C&C, shared by the TA. The code used to send SMS
messages is shown in the figure below. 
Figure 22: Code to send SMS message based on C&C command 
The malware also has the capability to make a phone call without user interaction as shown in the Figure 23. 
Figure 23: Code to make phone call based on C&C command
The malware encrypts the collected data and uploads it to the C&C server based on the commands from the TA. The code to
encrypt the data before the upload is shown in Figure 24. 
Figure 24: Code to Encrypt Upload Data
The spyware uses two different C&C server IPs.  
1. C&C IP1: hxxp://125[.]227.0.22/: Encrypted and stored in a native library, libfirebase.so 
2. C&C IP2: hxxp://45[.]115.127.106/: Encrypted and stored in a GitHub account 
GitHub URL: hxxps://raw[.]githubusercontent.com/maxw201653/dest/main/pwdText 
C&C IP1 is encrypted using AES-128-bit encryption and Base64. The code used to decrypt the IP is shown in the below
figure. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 12 of 16

Figure 25: Code to decrypt C&C server IP1
Figure 26 shows the code used to retrieve the C&C IP2 from the GitHub repository. 
Figure 26: Code to Retrieve encrypted C&C IP2 URL from GitHub
The code used by the spyware to decrypt the C&C IP2 is shown in the below figure. 
Figure 27: Code to decrypt C&C IP2
Resilience 
The malware has registered listeners for the victim’s device events and initiates the spyware
activity accordingly. These events include BOOT_COMPLETED, NEW_OUTGOING_CALL, etc. The below figure
shows one such listener and events registered. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 13 of 16

Figure 28: Declaration of the Listener and Events registered for resilience
The fake application invokes the LInitService, as shown in the figure below. This is the service that initiates the spyware
activity. 
Figure 29: Code to initiate spyware activity based on device events 
Commands 
The TA sends the commands as integer values and the spyware translates it to the commands as shown in Figure 30. 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 14 of 16

Figure 30: Code to translate commands from C&C
Conclusion 
As per our observations, during the Covid-19 pandemic, there has been a substantial increase in malware targeting financial
services. Some notable examples are Aberebot, S.O.V.A., etc. This spyware is one of the latest amongst them.  
The TA uses sophisticated techniques to evade detection and infect multiple users. Identifying phishing pages and fake
applications is a best practice for not being a victim of this type of malware.   
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow the best practices given below:   
1. If you find this malware in your device, uninstall using adb uninstall or perform a factory reset.
2. Use the shared IoCs to monitor and block the malware infection. 
3. Keep your anti-virus software updated to detect and remove malicious software. 
4. Keep your Operating System and applications updated to the latest versions. 
5. Use strong passwords and enable two-factor authentication.
6. Download and install software only from registered app stores.
MITRE ATT&CK® Techniques 
Tactic   Technique ID   Technique Name 
Defense Evasion 
T1406
T1444 
T1581 
T1575 
Obfuscated Files or Information 
Masquerade as Legitimate Application 
Geofencing 
Native Code 
Credential Access  T1412  Capture SMS Messages 
 Discovery 
T1421 
T1430 
T1424 
T1418  
System Network Connections Discovery  
Location Tracking 
Process Discovery 
Application Discovery 
 Collection 
T1507 
T1412 
T1432 
T1429 
Network Information Discovery  
Capture SMS Messages  
Access Contact List 
Capture Audio 
Command and Control 
T1571
T1573 
Non-Standard Port 
Encrypted Channel 
Impact  T1447  Delete Device Data 
Indicators of Compromise (IoCs):   
Indicators 
Indicator
type 
Description 
ed7ef6718a6b6e7abf3bd96c72929ee9f1e9a4bfcd97429154141c7702093f36  SHA256 
Hash of the
APK sample 
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 15 of 16

b4d3d4519427eec34c709a6d6ca43b9001fcc5802a71c8d3afa45cd4f3505626  SHA256 
Hash of the
second APK
sample 
14264416ad72a75ac2e2a399a9b19b7533bcf33d8427bea0241a317f513acb50  SHA256 
Hash of the
third APK
sample 
8dbc872f284fbe5eee635aab96a08bc6441ac10f3a5b8eb3aab712b52ca73534  SHA256 
Hash of the
fourth APK
sample 
hxxp://114[.]47.93.211  URL 
Phishing page
used to
deliver first
APK 
hxxp://61.227.36[.]150  URL 
Phishing page
used
to deliver
second and
third APK 
hxxp://125[.]227.0.22/  URL  C&C URL1 
hxxp://45[.]115.127.106/  URL  C&C URL2 
About Us 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure
in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by
Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best
Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore,
and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  
Source: https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
Page 16 of 16