Resecurity | "In The Box" - Mobile Malware Webinjects Marketplace

Published: 2022-11-25 · Archived: 2026-04-05 14:10:58 UTC

With the rapid growth of fraudulent activity in a post-pandemic world, bad actors continue to upgrade their tooling to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces. According to statistics collected in Q4 2022 during DFIR engagements conducted on Fortune 500 companies by Resecurity®, cybercriminals are especially successful when attacking mobile apps and leveraging the gained access for further unauthorized access and financial theft. Unless FIs implement various technologies to combat fraud, this vector remains relatively unprotected, which gives threat actors enough flexibility to bypass fraud detection systems by ultimately controlling the victim's mobile device.

Once the victim's mobile device has been compromised, the bad actors can intercept OTP codes, incoming SMS messages, and phone calls to extract sensitive information, including call history and contact lists. Besides other concerning types of threats such as "SIM Swapping", which is also widely used by fraudsters, mobile malware remains the key in a cybercriminal's arsenal for conducting banking theft from consumers worldwide.

This research, arranged by the Resecurity® Hunter team, focuses on a new marketplace called “InTheBox”, which recently emerged on the Dark Web and is designed specifically for mobile malware operators. The first mentions of “InTheBox” were identified in reputable underground communities around January 2020. Since that time the key actor had been offering webinject development services to other cybercriminals privately, but after gaining enough credibility the actor scaled the service into a fully productized, automated marketplace. The automation allows other bad actors to create orders and receive the most up-to-date webinjects for further implementation into mobile malware.
For those using proprietary (or so-called “private”) mobile malware, which is not widely available for sale or rent, “InTheBox” offers customized development solutions. As of today, the most widespread malware families supporting webinjects are Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid.

The marketplace is available in TOR network:

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace Page 1 of 48

As an OPSEC measure, the administrator of the marketplace also requires vetting of new customers:

After successful account activation, the marketplace offers a listing of the webinjects available for sale:

It is worth mentioning that almost all of them may be used for credential interception from any service the victim may attempt to access while using their mobile device, not only online banking. The bad actor may then use the data stolen from these devices for any malicious purpose.

To facilitate successful credential interception, the bad actors use so-called "webinjects": customized modules or packages used in malware that typically inject HTML or JavaScript code into content before it is rendered in a web browser. As a result, webinjects can alter what the user sees in the browser, as opposed to what is in fact being sent by the server. Typically, malware developers design code to intercept victims' credentials using this approach, which in practice is visually undetectable, as the webinject imitates the design of legitimate pages from popular services.

Technically, the success rate of banking theft depends on the quality of the webinject and the stability of the mobile malware. In recent years, the mobile banking malware market has become extremely mature, and the majority of Dark Web actors have stopped selling it, switching instead to potentially renting it out or to using it privately.
Examples of webinjects:

There are multiple underground vendors developing webinjects; tracking the latest design and updates of legitimate mobile apps makes their attacks extremely efficient. The price of webinjects is typically lower than that of the mobile malware itself and varies between 50$ and 200$ per inject, depending on how popular the FI is. Typically, it also includes basic support and possible customization in case the mobile app changes. The price range for mobile malware varies and, with the recent shift to rent and private operations, the inject may exceed 5,000$ per month or follow a commission-based model, with payouts from successful thefts shared between the malware operator and developers.

Just recently, “InTheBox” implemented a new tariff called “unlim”, allowing cybercriminals to generate an unlimited number of webinjects during the subscription period. Such a model minimizes manual and human interaction with the marketplace operators, simplifying the malware customization process.

Based on the chosen plan, other malware operators can create orders for injects or customized development. Their feedback and order status will be available via the portal:

The bad actor known as "inthebox" launched a new webinjects marketplace on the TOR network.
The marketplace provides different webinject templates for various mobile malware families, which are used independently or in combination to successfully execute data theft:

Template “Authorization data”
Template “Ask only PIN”
Template “With Credit Card data”
Template “With Credit Card data + ATM PIN”
Template “Ask Full Data”

Today, “InTheBox” provides access to over 400 professionally developed webinjects categorized by geography and target:

The majority of high-demand injects are related to payment services, including digital banking and cryptocurrency exchangers. During November 2022 the actor arranged a significant update of close to 144 injects, improving their visual design.

Payment Systems List
Luno: co.bitx.android.wallet
Bitfinex: com.bitfinex.mobileapp
BitPay - Buy Crypto: com.bitpay.wallet
Buy Bitcoin & Crypto Exchange: com.changelly.app
Coinbase: Buy Bitcoin & Ether: com.coinbase.android
Gemini: Buy Bitcoin & Crypto: com.gemini.android.app
HitBTC – Cryptocurrency Exchange & Trading BTC App: com.hittechsexpertlimited.hitbtc
HuobiWallet: com.huobionchainwallet.gp
Kraken Pro: Advanced Bitcoin & Crypto Trading: com.kraken.trade
PayPal - Send, Shop, Manage: com.paypal.android.p2pmobile
Wise, ex TransferWise: com.transferwise.android
Bitstamp – Crypto on the go: net.bitstamp.app
Electrum Bitcoin Wallet: org.electrum.electrum
BtcTurk | PRO Trade Bitcoin & Cryptocurrency: com.btcturk.pro
Electroneum: com.electroneum.mobile
Enjin: Bitcoin, Ethereum, NFT Crypto Wallet: com.enjin.mobile.wallet
KuCoin: BTC, Crypto exchange: com.kubi.kucoin
Lumi Crypto Bitcoin Wallet: com.lumiwallet.android
BtcTurk | Bitcoin (BTC) Al Sat: com.mobillium.btcturk
Mycelium Bitcoin Wallet: com.mycelium.wallet
Okcoin - Buy Bitcoin, Ethereum, Shiba Inu, Crypto: com.okinc.okcoin.intl
OKEx:Buy Bitcoin, NFTs & Meta: com.okinc.okex.gp
Paribu | Bitcoin-Kripto Para Alım Satım: com.paribu.app
Poloniex Crypto Exchange: com.plunien.poloniex
Samourai Wallet (Early Access): com.samourai.wallet
TabTrader Buy Bitcoin and Ethereum on exchanges: com.tabtrader.android
Contasimple - Invoices, estimates & delivery notes: com.v2msoft.contasimple
Waves.Exchange: com.wavesplatform.wallet
WazirX - Bitcoin, Crypto Trading Exchange India: com.wrx.wazirx
BitGlobal (formerly Bithumb Global): global.bithumb.android
Indodax: id.co.bitcoin
Bitcoin Wallet by SpectroCoin: lt.spectrofinance.spectrocoin.android.wallet
Zonda - crypto exchange: net.bitbay.bitcoin
MetaMask - Buy, Send and Swap Crypto: io.metamask
Crypto.com - Buy BTC, ETH: co.mona.android
Binance: BTC NFTs Memes & Meta: com.binance.dev
Trust: Crypto & Bitcoin Wallet: com.wallet.crypto.trustapp
Blockchain.com Wallet: Buy BTC: piuk.blockchain.android
Coinbase Wallet - Store Crypto: org.toshi
Bitcoin Wallet: buy BTC, BCH & ETH: com.bitcoin.mwallet
Cash App: com.squareup.cash

e-Commerce List
AutoScout24 Schweiz – Finden Sie Ihr neues Auto: ch.autoscout24.autoscout24
Amazon Seller: com.amazon.sellermobile.android
Tide: Business Bank Account: com.tideplatform.banking
mobile.de - car market: de.mobile.android.app
Amazon Shopping: com.amazon.mShop.android.shopping
SHEIN-Fashion Shopping Online: com.zzkko
noon shopping: com.noon.buyerapp
Alibaba.com: com.alibaba.intl.android.apps.poseidon
Lulu Shopping: com.lulu.commerce

Social List
Instagram: com.instagram.android
WhatsApp Messenger: com.whatsapp
Facebook: com.facebook.katana
Tinder - Dating & Make Friends: com.tinder
ZOOM Cloud Meetings: us.zoom.videomeetings
Facebook Messenger: com.facebook.orca

Digital Media List
Netflix: com.netflix.mediaclient
Spotify: Music and Podcasts: com.spotify.music

The marketplace also has region-specific categories with a strong focus on U.S. and U.K. businesses, online services and financial institutions:

United States List
Citi Mobile®: com.citi.citimobile
E*TRADE: Invest. Trade. Save.: com.etrade.mobilepro.activity
Invoice Maker: Easy & Simple: com.aadhk.woinvoice
Airbnb: com.airbnb.android
Amex: com.americanexpress.android.acctsvcs.us
AOL - News, Mail & Video: com.aol.mobile.aolapp
myAT&T: com.att.myWireless
U by BB&T: com.bbt.myfi
Citizens Bank Mobile Banking: com.citizensbank.androidapp
Discover Mobile: com.discoverfinancial.mobile
Bank of America Mobile Banking: com.infonow.bofa
KeyBank - Online & Mobile Banking: com.key.android
LinkedIn: com.linkedin.android
First Citizens Mobile Banking: com.mcom.firstcitizens
M&T Mobile Banking: com.mtb.mbanking.sc.retail.prod
Schwab Mobile: com.schwab.mobile
TD Bank (US): com.tdbank
UBS Mobile Banking: com.ubs.swidKXJ.android
USAA Mobile: com.usaa.mobile.android.usaa
Woodforest Mobile Banking: com.woodforest
SECU: org.ncsecu.mobile
Ally Mobile: Banking & Investing: com.ally.MobileBanking
BMO Digital Banking: com.bmoharris.digital
Booking.com: Hotels and more: com.booking
Bank of the West Mobile: com.botw.mobilebanking
Chase Mobile: com.chase.sig.android
Fifth Third Mobile Banking: com.clairmail.fth
Compass Savings Bank: com.compasssavingsbank.mobile
Capital One Mobile: com.konylabs.capitalone
Morgan Stanley Wealth Mgmt: com.morganstanley.clientmobile.prod
Navy Federal Credit Union: com.navyfederal.android
PNC Mobile: com.pnc.ecommerce.mobile
SunTrust Mobile App: com.suntrust.mobilebanking
Wells Fargo Mobile: com.wf.wellsfargomobile
Zelle: com.zellepay.zelle
Robinhood: Stocks & Crypto: com.robinhood.android
eToro: com.etoro.openbook
I am Verizon: com.dynamicsignal.enterprise.iamvz
One Talk Side View: com.verizon.sideview
One Talk: com.verizon.onetalk
Verizon Messages: com.verizon.messaging.vzmsgs
Verizon ID: com.verizon.verizonidauth
Inside Verizon: com.verizon.insideverizon
Verizon Smart Family: com.verizon.familybase.parent
myMetro: com.nuance.nmc.sihome.metropcs
Truist Mobile: com.truist.mobile
Regions Bank: com.regions.mobbanking
Huntington Mobile: com.huntington.m
U.S. Bank Mobile: Bank and Invest: com.usbank.mobilebanking
Santander Bank US: com.sovereign.santander
First Horizon Events: com.aventri.firsthorizonbank300005742
FNB Direct: com.FNBPA.mobilebanking
BancorpSouth Mobile: com.bancorpsouth.android
Found — Banking & Taxes: app.indie.my
MOVO ON-DEMAND MOBILE BANKING: com.movocash.movo
MoneyLion: Bank & Finance App: com.moneylion
Albert: Banking on you: com.meetalbert
Dave - Banking & Cash Advance: com.dave
Douugh: com.douugh.douughapp
Current: The Future of Banking: com.current.app

United Kingdom List
Lloyds Bank Mobile Banking: com.grppl.android.shell.CMBlloydsTSB73
Halifax Mobile Banking: com.grppl.android.shell.halifax
Bank of Scotland Mobile Banking: com.grppl.android.shell.BOS
Nationwide Banking App: co.uk.Nationwide.Mobile
The Co-operative Bank: com.cooperativebank.bank
permanent tsb: com.nearform.ptsb
HSBC UK Mobile Banking: uk.co.hsbc.hsbcukmobilebanking
Santander Mobile Banking: uk.co.santander.santanderUK
TSB Mobile Banking: uk.co.tsb.newmobilebank
Barclays US Credit Cards: com.barclaycardus
NatWest Mobile Banking: com.rbs.mobile.android.natwest
Royal Bank of Scotland: com.rbs.mobile.android.rbs
TSB Bank Mobile Banking: tsb.mobilebanking
MBNA Card Services App: uk.co.mbna.cardservices.android
Metro Bank: uk.co.metrobankonline.mobile.android.production
Tesco Mobile: uk.co.tescomobile.android
Capital One UK: com.ie.capitalone.uk
Revolut: com.revolut.revolut
Deliveroo: Food Delivery: com.deliveroo.orderapp
Monzo - Mobile Banking: co.uk.getmondo
Revolut Business: com.revolut.business
Cashplus Bank - business & per: co.uk.mycashplus.maapp
ANNA Business Account & Tax: com.anna.money.app
Chase UK: com.chase.intl
Coutts: com.coutts.model.prod.tadpole
C. Hoare & Co.: com.mobile.CHoareCo
Nexo: купи BTC, ETH, SOL, AVAX: com.nexowallet
Coutts Mobile: com.rbs.mobile.android.coutts
Soldo: com.soldo.business.next
Pleo: io.pleo.android
Amex United Kingdom: com.americanexpress.android.acctsvcs.uk
Proton Mail: Encrypted Email: ch.protonmail.android
BT Email: com.bt.mail.btprod
SumUp: com.kaching.merchant
Lloyds Bank Business: com.lloydsbank.businessmobile
Business Banking: uk.co.santander.businessUK.bb

Besides the U.S. and the U.K. as the 2 major geographies for targeting consumers, “InTheBox” provides webinjects for online services and financial institutions from over 28 countries, including Andorra, Argentina, Austria, Australia, Belgium, Brazil, Canada, Chile, Colombia, Germany, Denmark, Spain, France, Georgia, Greece, Hungary, Italy, Japan, Mexico, Malaysia, Nigeria, Peru, Poland, Portugal, Qatar, Romania, Turkey, United Arab Emirates and Saudi Arabia. The full list of other injects for sale is provided below:

Andorra List
Andbank: air.com.inversis.AndbankSmartphone
MoraBanc: com.morabanc.mobileapp
Crèdit Andorrà: com.creditandorra
BSA Mòbil: com.everis.bsa_1_3

UAE List
Burgan Bank: com.a2a.android.burgan
SNB AlAhli Mobile: com.alahli.mobile.android
alrajhi bank: com.alrajhiretailapp
RiyadBank Mobile: com.riyadbank.strategic
CBD - Instant digital banking: com.cbd.mobile
ADCB: com.adcb.bank
Ajman Bank: com.mbanking.ajmanbank
Al Hilal Mobile Banking App: com.infosys.alh
MBank UAE: com.mbankuae.amcb
Al Masraf: ae.almasraf.mobileapp
eBOS Mobile: com.ebos.bos
CBQ Mobile: com.cbq.CBMobile
DIB MOBILE: com.dib.app
FAB Mobile: com.fab.personalbanking
Finance House App: com.fh.payday
NBQBANK: com.NBQBank
RAKBANK Digital Banking: com.rak
SC Mobile Banking (UAE): com.scb.ae.bmw
SIB Digital: com.sib.retail
United Arab Bank Mobile: com.uab.personal
NBF Direct App: com.vipera.nbf
Mashreq UAE: com.vipera.ts.starter.MashreqAE
Emirates NBD: enbd.mobilebanking
EI Bank: com.s4m
Al Hilal Digital: ae.ahb.digital
C3Pay: com.myc3card.app
ADIB Mobile Banking App: com.adib.mobile
Mashreq Neo - Bank easy: com.mashreq.NeoApp
ADCB Hayyak: Start your banking relationship now!: com.adcb.cbgdigi
Liv. - Digital Lifestyle Bank: com.liv.android
ENBD X: com.emiratesnbd.android
YAP – Your Digital Banking App: com.yap.banking
AAIB Mobile: com.aaib
Arabi-Mobile: com.arabbank.arabimobilev2
Dubai First: com.bankfab.pbg.ae.dubaifirst
HSBC UAE: ae.hsbc.hsbcuae
eWalletAE: com.etisalat.ewallet
Alfa by Bank Alfalah: com.base.bankalfalah
Citibank UAE: com.citibank.mobile.citiuaePAT
KFC UAE (United Arab Emirates): com.kfc.me
Snoonu - Fastest Delivery: com.oryx.snoonu
Namshi - Shop Fashion & Beauty: com.namshi.android
MAF Carrefour Online Shopping: com.aswat.carrefouruae
OpenSooq - السوق المفتوح: com.opensooq.OpenSooq
Shail: de.hafas.android.dimp
Fordeal - فورديل سوق الانترنت: com.fordeal.android
PizzaHut UAE: com.pizzahutapp
Simplylife from ADCB: com.adcb.simplylife

Argentina List
Santander Argentina: ar.com.santander.rio.mbanking
Patagonia Móvil: ar.com.bcopatagonia.android
Credicoop Móvil: coop.bancocredicoop.bancamobile
Banca Móvil Ciudad: ar.com.redlink.custom
Macro: ar.macro
Bip Móvil: ar.bapro

Austria List
Bank Austria MobileBanking: com.bankaustria.android.olb
easybank App: com.easybank.easybank
George Österreich: at.erstebank.george
bank99: at.ing.diba.client.onlinebanking
Mein ELBA-App: at.rsg.pfp
BAWAG PSK klar – Mobile Banking App: com.bawagpsk.bawagpsk
HYPO Mein ELBA-App: com.isis_papyrus.hypo_pay_eyewdg
Volksbank hausbanking: at.volksbank.volksbankmobile
meine99 | Online Banking: at.bank99.meine.meine
S-pushTAN für Smartphone und Tablet: com.starfinanz.mobile.android.pushtan
Digital Banking App: at.aerztebank.aerztebankmobile
Anadi Internetbanking: at.anadi.mobilebanking

Australia List
My AMP: au.com.amp.myportfolio.android
Bankwest: au.com.bankwest.mobile
CommBiz: au.com.commbank.commbiz.prod
Great Southern Bank Australia: au.com.cua.mb
HSBC Australia: au.com.hsbc.hsbcaustralia
Macquarie Mobile Banking: au.com.macquarie.banking
ME Bank: au.com.mebank.banking
NAB Mobile Banking: au.com.nab.mobile
NPBS Mobile Banking: au.com.newcastlepermanent
myRAMS: au.com.rams.RAMS
Suncorp Secured: au.com.suncorp.rsa.suncorpsecured
UBank: au.com.ubank.internetbanking
Virgin Money Credit Card: com.virginmoney.cards
Bank of Melbourne Business App: org.banking.bom.businessconnect
BankSA Business App: org.banking.bsa.businessconnect
St.George Business App: org.banking.stg.businessconnect
BankSA Mobile Banking: org.banksa.bank
Bank of Melbourne Mobile Banking: org.bom.bank
St.George Mobile Banking: org.stgeorge.bank
Westpac: org.westpac.bank
Westpac Corporate Mobile: org.westpac.col
Zip - Shop Now, Pay Later: co.zip
BOQ Mobile: com.bankofqueensland.boq
Bendigo Bank: com.bendigobank.mobile
CommBank: com.commbank.netbank
Bank Australia app: com.fusion.banking
Beyond Bank Australia: com.fusion.beyondbank
Beyond Bank Australia: com.greater.Greater
HSBCnet Mobile: com.hsbc.hsbcnet

Belgium List
ING Banking: com.ing.banking
Argenta Bankieren: be.argenta.bankieren
Mobile Banking Service: be.axa.mobilebanking
Belfius Mobile: be.belfius.directmobile.android
Beobank Mobile: com.beobank_prod.bad
Easy Banking App: com.bnpp.easybanking
KBC Mobile: com.kbc.mobile.android.phone.kbc

Canada List
Banco next: Conta e Cartão: br.com.bradesco.next
Inter: Pix, Cartão e Conta: br.com.intermedium
banco digital modalmais - conta e corretora online: br.com.modalmais
Original - Pix, Digital, Cashback e Empréstimos: br.com.original.bank
PagBank: Banco, Conta digital, Cartão, Pix, CDB: br.com.uol.ps.myaccount
Banco Bradesco: com.bradesco
Banco Itaú: com.itau

Digital Media List
National Bank of Canada: ca.bnc.android
HSBC Canada: ca.hsbc.hsbccanada
Manulife Mobile: ca.manulife.MobileGBRS
PC Financial Mobile: ca.pcfinancial.bank
Tangerine Mobile Banking: ca.tangerine.clients.banking.app
CIBC Mobile Banking®: com.cibc.android.mobi
Services mobiles Desjardins: com.desjardins.mobile
RBC Mobile: com.rbc.mobile.android
TD Canada: com.td
Affinity Mobile: ca.affinitycu.mobile
motusbank mobile banking: ca.motusbank.mapp
Servus Mobile Banking: ca.servus.mbanking
ATB Personal - Mobile Banking: com.atb.ATBMobile
ATB Business - Mobile Banking: com.atb.businessmobile
Coast Capital Savings: com.coastcapitalsavings.dcu
EQ Bank Mobile Banking: com.eqbank.eqbank
Meridian Mobile Banking: com.meridian.android
Simplii Financial: com.pcfinancial.mobile
Vancity: com.vancity.mobileapp
Scotiabank Mobile Banking: com.scotiabank.banking
BMO Mobile Banking: com.bmo.mobile
Capital One Canada: ca.capitalone.enterprisemobilebanking
Indeed Job Search: com.indeed.android.jobsearch
com.eqbank.eqbank (NEW)
com.shaketh (NEW)
ca.hsbc.hsbccanada (NEW)
ca.manulife.MobileGBRS (NEW)
com.meridian.android (NEW)
affinitycu.mobile (NEW)
com.atb.ATBMobile (NEW)
com.atb.businessmobile (NEW)

Chile List
Banco Falabella | CMR: cl.android
Mercado Libre: Compras Navidad: com.mercadolibre
Mercado Pago: cuenta digital: com.mercadopago.wallet

Colombia List
Banco de Bogotá: com.bancodebogota.bancamovil
Banco de Occidente Móvil: com.grupoavaloc1.bancamovil
Davivienda Móvil: com.todo1.davivienda.mobileapp
Bancolombia Personas: com.todo1.mobile
Scotiabank Colpatria: eu.netinfo.colpatria.system
BBVA Colombia: co.com.bbva.mb
Banco Agrario App: co.com.bancoagrario.icbanking
Banco Falabella Colombia: co.com.bancofalabella.mobile.omc
Banca Móvil BAC Credomatic: net.bac.sbe.android

Germany List
La Mia Banca: com.db.pbc.miabanca
Sparkasse Ihre mobile Filiale: com.starfinanz.smob.android.sfinanzstatus
Commerzbank Banking - Die App an Ihrer Seite: de.commerzbanking.mobil
VR Banking Classic: de.fiducia.smartphone.android.banking.vr
ING Banking to go: de.ingdiba.bankingapp
Santander Banking: de.santander.presentation
traktorpool: de.traktorpool
comdirect: de.comdirect.app
N26 — The Mobile Bank: de.number26.android
Postbank Finanzassistent: de.postbank.finanzassistent
SpardaSecureApp: de.sdvrz.ihb.mobile.secureapp.sparda.produktion
HVB Mobile Banking: eu.unicreditgroup.hvbapptan
SpardaApp: de.sdvrz.ihb.mobile.app
Sparda Berlin: de.spardab.banking.privat
Postbank BestSign: de.postbank.bestsign
Consorsbank: de.consorsbank
Volksbank · Banca Popolare: it.volksbank.android

Denmark List
Mobilbank DK – Danske Bank: com.danskebank.mobilebank3.dk
Nordea Mobile - Danmark: dk.nordea.mobilebank

Spain List
BBVA España | Banca Online: com.bbva.bbvacontigo
Caja de Ingenieros Banca MÓVIL: com.cajaingenieros.android.bancamovil
Cajasur: com.cajasur.android
Banco Mediolanum España: com.mediolanum
Tomamos impulso - TARGOBANK I AGRUPACIÓ I ATLANTIS: com.targoes_prod.bad
ABANCA - Banca Móvil: es.caixagalicia.activamovil
Caixa Ontinyent: es.caixaontinyent.caixaontinyentapp
Ibercaja: es.ibercaja.ibercajaapp
Pibank: es.pibank.customers
Banco Caja Social Móvil: com.bancocajasocial.geolocation
imagin – Más que una app para gestionar tu dinero: com.imaginbank.app
Bankinter Móvil: com.bankinter.launcher
BBVA Empresas | ES & PT: com.bbva.netcash
Grupo Cajamar: com.grupocajamar.wefferent
Go ABANCA: com.indra.itecban.mobile.novobanco
Triodos Bank. Banca Móvil: com.indra.itecban.triodosbank.mobile.banking
Kutxabank: com.kutxabank.android
Colonya Caixa Pollença: com.rsi.Colonya
ruralvia: com.rsi
Banca Móvil Laboral Kutxa: com.tecnocom.cajalaboral
Santander: es.bancosantander.apps
Santander Empresas: es.bancosantander.empresas
UniPay Unicaja: es.cecabank.ealia2103appstore
EVO Banco móvil: es.evobanco.bancamovil
bank – banca móvil: es.openbank.mobile
Criptocalculadora: es.santander.Criptocalculadora
Unicaja Banco: es.unicajabanco.app
AV Villas App: com.grupoavalav1.bancamovil
Orange Bank - Banco Móvil: es.orangebank.app
Banco Sabadell App. Your mobile bank: net.inverline.bancosabadell.officelocator.android
CaixaBankNow: es.lacaixa.mobile.android.newwapicon
ING España. Banca Móvil: www.ingdirect.nativeframe
Tarjeta prepago de correos: com.correosprepago
Carrefour PASS Móvil: com.carrefour.carrefourPass
El Corte Inglés: com.elcorteingles.app
Tarjeta El Corte Inglés: com.feci.apps

France List
Boursorama Banque: com.boursorama.android.clients
Banxo: com.caisseepargne.android.mobilebanking
CIC: com.cic_prod.bad
Crédit Mutuel: com.cm_prod.bad
La Banque Postale: com.fullsix.android.labanquepostale.accountaccess
LAppli Société Générale: mobi.societegenerale.mobile.lappli
AXA Banque France: com.axabanque.fr
Crédit Coopératif: com.credit_coop.android.mobilebanking
Mon Epargne Salariale: com.mootwin.natixis
Crédit du Nord pour Mobile: com.ocito.cdn.activity.creditdunord
Hello bank! par BNP Paribas: fr.bnpp.digitalbanking
Ma Banque Entreprise: fr.bnpparibasentreprise.android
BRED: fr.bred.fr
Ma Banque: fr.creditagricole.androidapp
HSBC France: fr.hsbc.hsbcfrance
Mes Comptes - LCL: fr.lcl.android.customerarea
Pro & Entreprises LCL: fr.lcl.android.entreprise
Mes Comptes BNP Paribas: net.bnpparibas.mescomptes
Banque Laydernier - Mobile: com.ocito.cdn.activity.banquelaydernier
Caf - Mon Compte: fr.cnaf.mobile.moncompte
CMB ma banque : solde, virement & épargne: com.arkea.android.application.cmb
Banque Populaire: fr.banquepopulaire.cyberplus
BforBank : la banque en ligne: com.bforbank.androidapp
Fortuneo, banque & bourse: com.fortuneo.android
Monabanq: com.mona_prod.bad
Shine - Compte pro en ligne: com.shine.app
Qonto • Business Finance App: eu.qonto.qonto
Nickel - Compte pour tous: com.fpe.comptenickel

Georgia List
Cartu Bank Mobile: com.mobius.mobilebank.cartu
ProCredit Bank myDirect: com.pcb.mydirect
BOG mBank - Mobile Banking: ge.bog.mobilebank
Liberty: ge.lb.mobilebank
BasisBank: ge.mobility.basisbank
eMoney: ge.mobility.emoney
Terabank mBank - Mobile Banking: mobility.ge.terabank

Greece List
Eurobank Mobile App: com.EurobankEFG
myAlpha Mobile: com.mobileloft.alpha.droid
AstroBank Mobile Banking: gr.winbank.mobile.cyprus
Attica Mobile: eu.afse.omnia.attica
NBG Mobile Banking: mbanking.NBG
Winbank Mobile: gr.winbank.mobilenext

Hungary List
OTP SmartBank: com.aff.otpdirekt
myRaiffeisen mobile app: com.rbinternational.retail.mobileapp
UniCredit mBanking: hr.asseco.android.jimba.mUCI.hu
Budapest Bank Mobil App: hu.bb.mobilapp
CIB Business Online: hu.cardinal.cib.mobilapp
Erste Business MobilBank: hu.cardinal.erste.mobilapp
K&H mobilbank: hu.khb
MKB Mobilalkalmazás: hu.mkb.mobilapp
OTP Bank HU: hu.otpbank.mobile
George Magyarország: pegasus.project.ebh.mobile.android.bundle.mobilebank
VÚB Mobile Banking: sk.vub.mobile
com.aff.otpdirekt
com.rbinternational.retail.mobileapp
hr.asseco.android.intesa.isbd.cib
hr.asseco.android.jimba.mUCI.hu
hu.bb.mobilapp
hu.cardinal.cib.mobilapp
hu.cardinal.erste.mobilapp
hu.khb
hu.mkb.mobilapp
hu.otpbank.mobile
pegasus.project.ebh.mobile.android.bundle.mobilebank

India List
Cent Mobile: com.infrasofttech.CentralBank
Maha Mobile: com.infrasofttech.MahaBank
Dhanlaxmi Bank Mobile Banking: com.dhanlaxmi.dhansmart.mtc
Kotak - 811 & Mobile Banking: com.msf.kbank.mobile
Yono Business: com.sbi.SBAnywhereCorporate
HDFC Bank MobileBanking App: com.snapwork.hdfc
PNB ONE: com.Version1
iMobile Pay by ICICI Bank: com.csam.icici.bank.imobile
Paytm: Secure UPI Payments: net.one97.paytm
FinShell Pay: com.finshell.fin
IPPB Mobile Banking: com.iexceed.appzillon.ippbMB
SBI Card: com.ge.capital.konysbiapp
Bajaj Finserv Wallet: com.mobikwik_new.bajajfinserv
RBL MyCard: com.rbl.rblmycard
Federal Bank - FedMobile: com.fedmobile
IDFC FIRST Bank: MobileBanking: com.idfcfirstbank.optimus

Italy List
BancoPosta: posteitaliane.posteapp.appbpol
YouApp: com.lynxspa.bancopopolare
BNL: it.bnl.apps.banking
Carige Mobile: it.carige
UBI Banca: it.nogood.container
SCRIGNOapp: it.popso.SCRIGNOapp
Postepay: posteitaliane.posteapp.apppostepay
Intesa Sanpaolo Mobile: com.latuabancaperandroid
Sella: com.sella.BancaSella
myCartaBCC: it.bcc.iccrea.mycartabcc
Banca MPS: it.copergmps.rt.pf.android.sp.bmps
Bancaperta: it.creval.bancaperta
Mobile Banking UniCredit: com.unicredit
CheBanca!: com.vipera.chebanca
Nexi Pay: it.icbpi.mobile
Hype: it.hype.app
Mediolanum: com.mediolanum.android.fullbanca

Mexico List
SuperMóvil: mx.bancosantander.supermovil
Bi en Línea: gt.com.bi.bienlinea
Banorte Móvil: org.microemu.android.model.common.VTUserApplicationBNRTMB
Banca Mifel: com.mifel.mobile.activity
Bajionet Móvil Empresarial: mx.com.bb.b2
Banco Sabadell Méx. Tu Ahorro: mx.bancsabadell.part
BBVA México: com.bancomer.mbanking
ScotiaMóvil MX: com.scotiabankmx.scotiamovil
HSBC México: mx.hsbc.hsbcmexico
BBVA Empresas México: com.bbva.GEMA
Bajionet Móvil: org.microemu.android.model.common.VTUserApplicationBNBJMB

Malaysia List
SC Mobile Malaysia: air.app.scb.breeze.android.main.my.prod
AmOnline: com.ambank.ambankonline
CIMB Clicks Malaysia: com.cimbmalaysia
Citibank MY: com.citibank.CitibankMY
PB engage MY: com.engage.pbb.pbengage2my.release
HSBC Malaysia: my.com.hsbc.hsbcmalaysia
Maybank2u MY: my.com.maybank2u.m2umobile
allianceonline Mobile: com.alliance.AOPMobileApp
alrajhi@24seven Malaysia: com.alrajhibank.mobile
BSNeBiz Mobile- Corporate User: com.bsnebiz.cdb
AGRONet Mobile: com.cedarplus.agro
GO by Bank Islam: com.iexceed.CBS
MBSB Bank Mobile Banking: com.MBSB.Bank.Mobile.Banking
OCBC Malaysia Mobile Banking: com.ocbc.mobilemy
RHB Mobile Banking: com.rhbgroup.rhbmobilebanking
HLB Connect Mobile Banking App: my.com.hongleongconnect.mobileconnect

Nigeria List
FirstMobile: com.firstbank.firstmobile
Access Bank plc: com.accessbank.accessbankapp
Ecobank Mobile App: com.app.ecobank
UBA Mobile Banking: com.uba.vericash
Union Bank Mobile Banking: com.unionbank.ecommerce.mobile.android
GTBank: com.vanso.gtbankapp
Zenith Bank Mobile App: com.zenithBank.eazymoney

Nederlands List
ING Bankieren: com.ing.mobile
ABN AMRO: com.abnamro.nl.mobile.payments
ICS Creditcard: com.ics.nl.icscards

New Zealand List
ASB Mobile Banking: nz.co.asb.asbmobile
Kiwibank Mobile Banking: nz.co.kiwibank.mobile
Rabobank NZ: com.rabobank.android.prod.nz
SBS Bank Mobile: nz.co.sbsbank.mobile
Westpac One (NZ) Mobile Banking: nz.co.westpac

Peru List
BBVA Perú: com.bbva.nxt_peru
Banca Móvil BCP: com.bcp.bank.bcp
Banco Santander Perú S.A.: com.zoluxiones.officebanking
Interbank APP: pe.com.interbank.mobilebanking
Scotiabank Perú: pe.com.scotiabank.blpm.android.client
APP Banco Pichincha Perú: pe.pichincha.bm

Poland List
BNP Paribas GOmobile: com.finanteq.finance.bgz
CA24 Mobile: com.finanteq.finance.ca
Getin Mobile: com.getingroup.mobilebanking
plusbank24: eu.eleader.mobilebanking.invest
Fakturownia.pl: pl.fakturownia
IFIRMA - Darmowy Program do Faktur: pl.ifirma.ifirmafaktury
Moje ING mobile: pl.ing.mojeing
mBank PL: pl.mbank
BPS Mobilnie: pl.bps.bankowoscmobilna
CitiManager – Commercial Cards: com.citi.mobile.ccc
IKO: pl.pkobp.iko
PeoPay: softax.pekao.powerpay
Bank Millennium: wit.android.bcpBankingApp.millenniumPL
Santander mobile: pl.bzwbk.bzwbk24
Alior Mobile: pl.aliorbank.aib
Nest Bank: pl.nestbank.nestbank

Portugal List
Caixadirecta: cgd.pt.caixadirectaparticulares
Banco BIC, SA: com.exictos.mbanka.bic
MY ATLANTICO: eu.atlantico.bancoatlanticoapp
Banca Móvil: com.baninter
BBVA Portugal: com.bbva.mobile.pt
Santander Particulares: pt.santandertotta.mobileparticulares
ActivoBank: wit.android.bcpBankingApp.activoBank
Banco CTT: pt.bctt.appbctt
CA Mobile: ca.mobile.explorer
NB smart app: pt.novobanco.nbapp
Caixadirecta Empresas: pt.cgd.caixadirectaempresas
Millenniumbcp: wit.android.bcpBankingApp.millennium
BPI APP: pt.bancobpi.mobile.fiabilizacao
Best Bank: pt.bancobest.android.mobilebanking
Santander Empresas Portugal: pt.santandertotta.mobileempresas
ABANCA - Portugal: com.abanca.bm.pt
Wizink. Um banco. Infinitas possibilidades: app.wizink.pt
Bankinter Portugal: com.bankinter.portugal.bmb
Banco BiG Portugal: pt.bigonline.BiGMobile
MB WAY: pt.sibs.android.mbway

Qatar List
QIB Mobile: com.pozitron.qib
Doha Bank Mobile Banking: com.db.mobilebanking
QNB Mobile: com.vipera.ts.starter.QNB
QIIB Mobile: com.QIIB
Ahlibank Personal Mobile App: com.ahlibank.personal
HSBC Qatar: qa.hsbc.hsbcqatar
KFC Qatar - Order food online: com.kfc.qatar
Karwa Taxi - Official taxi: com.karwatechnologies.karwataxi
Mashreq Qatar: com.vipera.ts.starter.MashreqQA

Romania List
Libra Mobile Banking: libra.mobile.banking
First Bank Romania: ro.firstbank.direct
George Romania: ro.bcr.georgego
Raiffeisen SmartToken: ro.raiffeisen.eToken
Raiffeisen Smart Mobile PI: ro.raiffeisen.smartmobile
NeoBT: com.ebankit.com.bt
ING HomeBank: ro.ing.mobile.banking.android.activity
ING Business: ro.ing.business
MyBRD Mobile: brd.bankingapp.android
Banca Transilvania: ro.btrl.mobile
Mobile Banking (UniCredit Bank Romania): hr.asseco.android.jimba.mUCI.ro
CEC Bank Mobile Banking: hr.asseco.android.jimba.cecro
m-conect (Credit Agricole Bank Romania S.A.): ro.ca.dem
Garanti BBVA Romania: com.garantibank.cepsubesiro
Alpha Online Banking: com.ofss.fcdb.mobile.android.alpharom.alphaandroid

Turkey List
Fibabanka: com.fibabanka.Fibabanka.mobile
Fibabanka Kurumsal Mobil: com.fibabanka.mobile
Paycell – Dijital Cüzdan, Ödeme ve Kart: com.turkcell.paycell
QNB Finansbank: com.finansbank.mobile.cepsube
ING Mobil: com.ingbanktr.ingmobil
ininal: com.ininal.wallet
Akbank: com.akbank.android.apps.akbank_direkt
Kuveyt Türk Mobile: com.kuveytturk.mobil
Odeabank: com.magiclick.odeabank
Papara: com.mobillium.papara
PTTBank: com.pttfinans
Türkiye Finans Mobil Şube: com.tfkb
Halkbank Mobil: com.tmobtech.halkbank
Katılım Mobil: com.ziraatkatilim.mobilebanking
Enpara.com Şirketim Cep Şubesi: finansbank.enpara.sirketim
e-Devlet Kapısı: tr.gov.turkiye.edevlet.kapisi
Trendyol - Online Alışveriş: trendyol.com
N Kolay: com.aktifbank.nkolay
Albaraka Mobil: com.albarakaapp
Anadolubank Mobil: com.anadolubank.android
fastPay: com.intertech.mobilemoneytransfer.activity
Maximum İşyerim: com.isbank.isyerim
İşCep - Mobil Bankacılık: com.pozitron.iscep
CEPTETEB: com.teb
CEPTETEB İŞTE: com.teb.kurumsal
Enpara.com Cep Şubesi: finansbank.enpara
PeP: paladyum.peppara
Alternatif Bank Mobil: tr.com.abank.dijital
HSBC Turkiye: tr.com.hsbc.hsbcturkey.uk
Param: tr.com.param.android
MobilDeniz: com.denizbank.mobildeniz
Garanti BBVA Mobile: com.garanti.cepsubesi
VakıfBank Mobil Bankacılık: com.vakifbank.mobile
Yapı Kredi Mobile: com.ykb.android
Ziraat Mobil: com.ziraat.ziraatmobil

Israel List
com.fibi.nativeapp (NEW)
com.ideomobile.discount (NEW)
com.ideomobile.hapoalim (NEW)
com.leumi.leumiwallet (NEW)
com.MizrahiTefahot.nh (NEW)
il.co.yahav.mobbanking (NEW)

Japan List
jp.co.smbc.direct
jp.japanpost.post.postbox.android
jp.co.aeonbank.android.passbook
com.kakaobank.channel
com.feib.appbank
com.ubs.swidKXJ.android
com.willmobile.mobilebank.fcb
com.mtel.androidbea
jp.co.jcb.my
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.nttdata
jp.ne.paypay.android.app
jp.auone.wallet
cc.bitbank.bitbank
com.quoine.quoinex.light
jp.coincheck.android

Modern mobile malware, for example “MetaDroid”, has an advanced implementation of WEB-injects aimed at banking platforms and may use several injects simultaneously.
Below is an example of 5 victims using mobile devices running Android OS from China, Finland, the Netherlands, France and the United States, with credentials collected from popular services.

Once the victim has been successfully infected and credentials have been delivered to a C2C server, the mobile malware enables operators to execute various commands to manage the victim and to perform actions on their device for further successful theft (“Get SMS list”, “Send SMS” or “Forward Call”, for example, when interacting with the bank’s validation systems to confirm a transaction or OTP code). This set of commands may vary depending on the mobile banking malware family. Bots like ERMAC have functions to manage WEB-injects from the C2C server (“Injections” on the screenshot below):

Significance

There is no doubt that “In The Box” may be called the largest, and probably the only, marketplace in its category providing high-quality webinjects for popular types of mobile malware. It is expected that cybercriminals will continue to upgrade their tools to attack consumers and will start developing more advanced webinjects as well. As of today, "In the Box" is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online retailers in 43 countries.

Source: https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

The majority of high-demand injects are related to payment services, including digital banking and cryptocurrency exchangers. During November 2022 the actor arranged a significant update of close to 144 injects, improving their visual design.