# Fake e‑shops on the prowl for banking credentials using Android malware **welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/** ESET researchers analyzed three malicious applications targeting customers of eight Malaysian banks [Lukas Stefanko](https://www.welivesecurity.com/author/lstefanko/) 6 Apr 2022 - 11:30AM ESET researchers analyzed three malicious applications targeting customers of eight Malaysian banks April 6, 2022 The popularity of online shopping has been growing during the past few years, a trend accelerated by the pandemic. To make this already convenient way of never having to leave the couch to buy new things even more convenient, people are increasingly using their smartphones [instead of computers to shop: in Q1 2021, smartphones accounted for 69% of all retail website visits worldwide, and smartphone purchases](https://www.statista.com/statistics/568684/e-commerce-website-visit-and-orders-by-device/) [made up 57% of online shopping orders. A noteworthy aspect of buying goods and services via a mobile device is that 53% of smartphone](https://buildfire.com/mobile-ecommerce-statistics-data/) users do it from vendor-specific applications. Seeking the opportunity to make a profit off this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious applications. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use similar domain names to the services they are impersonating the better to attract unsuspecting victims. ## Campaign overview [This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed](https://ringgitplus.com/en/blog/personal-finance-news/latest-phishing-scam-hides-within-an-app-and-is-disturbingly-sophisticated.html) through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared _[three](https://twitter.com/malwrhunterteam/status/1478371743760793605)_ _[more](https://twitter.com/malwrhunterteam/status/1478079926800637958)_ _[malicious websites and Android trojans attributed to this campaign.](https://twitter.com/malwrhunterteam/status/1478090631578890247)_ ----- O top o t at, S esea c e s ou d ou o e a e ebs tes se e ebs tes pe so ated se ces t at a e o y a a ab e Malaysia: six of them, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, offer cleaning services, and the seventh is a pet store named PetsMore. The side-by-side comparison of the legitimate and copycat versions of Grabmaid and PetsMore can be seen in Figures 1 and 2, respectively. ----- _Figure 1. Grabmaid: legitimate website on the left, copycat on the right_ ----- ----- _Figure 2. PetsMore: legitimate website on the left, copycat on the right_ The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play. To appear legitimate, the applications ask the users to sign in after starting them up; there is however no account validation on the server side – the software takes any input from the user and always declares it correct. Keeping up the appearance of an actual e-shop, the malicious applications pretend to offer goods and services for purchase while matching the interface of the original stores (see Figure 3 for a screenshot of the shopping cart in one of the malicious apps). When the time comes to pay for the order, the victims are presented with payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. During our research, it was not possible to pick the credit card option. ----- _Figure 3. The shopping cart in a malicious application_ As we already mentioned, the goal of the malware operators is to obtain the banking credentials of their victims. After picking the direct transfer option, victims are presented a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials. The targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank, as seen in Figure 4. _Figure 4. Targeted banks_ After unfortunate victims submit their banking credentials, they receive an error message informing them that the user ID or password they provided was invalid (Figure 5). At this point, the entered credentials have been sent to the malware operators, as Figure 6 shows. ----- _Figure 5. Error message displayed to the victim after credentials are exfiltrated_ _Figure 6. Credentials being sent to the attacker’s server_ ----- o a e su e t e t eat acto s ca get to t e ct s ba accou ts, t e a e e s op app cat o s a so o a d a S S essages received by the victim to the operators in case they contain Two-Factor Authentication (2FA) codes sent by the bank (see Figure 7). _Figure 7. All received SMS messages are forwarded to the attacker’s server_ ## Malware description The observed malware is rather minimalistic: it is designed to request only one user permission, which is to read received SMS messages. Its goal is to phish for banking credentials and forward 2FA SMS messages from the compromised device to the operators. Lacking the functionality to remove SMS messages from the device, the malware cannot hide that somebody is trying to get into the victim’s bank account. So far, the malware has been targeting only Malaysia – both the e-shops it impersonates and the banks whose customers’ credentials it is after are Malaysian, and the prices in the applications are all displayed in the local currency, the Malaysian Ringgit. [One of the services impersonated in the campaign, MaidACall, has already warned its users of this fraudulent campaign via a Facebook post](https://www.facebook.com/MaidACall/posts/2066087886892366) (see Figure 8). The rest have not publicly commented on the issue yet. _Figure 8. Warning post by a service that was impersonated during the campaign_ We have found the same malicious code in all three analyzed applications, leading us to conclude that they can all be attributed to the same threat actor. ## Takeaways To protect yourself against this type of threat, first, try to ensure that you are using legitimate websites to shop: Verify if the website is secure, i.e., its URL begins with https://. Some browsers might even refuse to open non-HTTPS websites and explicitly warn users or provide an option to enable HTTPS-only mode. Be wary of clicking ads and do not follow paid search engine results: it is possible that they do not lead to the official website Apart from looking out for fake websites, here are some other useful tips to enjoy a safer online shopping experience on your smartphone: Pay attention to the source of applications you are downloading. Make sure that you are actually redirected to the Google Play store when getting an application Use software or hardware 2FA instead of SMS when possible Use mobile security solutions to detect harmful websites and malicious apps ## Conclusion The observed campaign is a fake e-shop scheme targeting the banking credentials of Android users in Malaysia. It exploits the popularity of using smartphones to shop online. Instead of phishing for banking credentials on websites, the threat actors have introduced Android applications into the chain of compromise, thus making sure they have access to 2FA SMS messages the victim is likely to receive. The scheme relies on using ads to lure potential victims into accessing copycat versions of legitimate websites. Once there, a fake Google Play download button directs them towards a malicious application distributed by the malware operators via a third-party site. ----- e t e ca pa g ta gets a ays a e c us e y o o, t g t e pa d to ot e cou t es a d ba s ate o t t s t e, t e attac e s a e after banking credentials, but they may also enable the theft of credit card information in the future. _For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com._ _ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat_ _Intelligence page._ ## Indicators of compromise (IoCs) ### Samples **First seen** **MD5** **SHA-1** **SHA-256** 2022-01-04 CB66D916831DE128CCB2FCD458067A7D ABC7F3031BEC7CADD4384D49750665A1899FA3D4 9B4A0019E7743A46B49A 2022-02-23 8183862465529F6A46AED60E1B2EAE52 BEDDFE5A26811DCCCA7938D00686F8F745424F57 E949BAC52D39B6E207A 2022‑02‑08 B6845141EC0F4665A90FB16598F56FAC 1C984FB282253A64F11EE4576355C1D5EFBEE772 D1017952D1EF0CEEC6C 2022-01-03 43727320E8BF756FE18DB37483DAD0A0 E39C485F24D239867287DCD468FC813FDB5B7DB6 5F8A54D54E25400F52CE 2022‑02‑09 C51BC547A40034F4828C72F37F2F1F39 1D33F53E2E9268874944C2F52E31CCAF2BF46A93 D8BE8F7B8B224FCA2BB 2022-01-08 4BEC6A07E881DB1A950367BEB1702ADA 9A5A57BF49DBBEF2E66FEE98E5C97B0276D03D28 A5C7373BE95571418C41 2022-01-17 4FD6255562B2A29C974235FD21B8D110 BA78B1177C3E2A569A665611E7684BCEEAF2168F DFF93FD8F3BC26944962 2022-01-30 C7DCBD2B7F147A6450C62A8D67207465 0E910AD1C33BEF86C9FDBBE4654421398E694329 A091B15F008B117167A1 2021-10-09 71341FC2958E65D208F2770185C61D7A 5237D3FAE84BB5D611C80338CF02EB3793C30F02 4904C26E90DC4D18AD6 2021-12-13 CF3B20173330FEA53E911A229A38A4BC B42CD5EC736FCC0D51A1D05652631BE50C9456A0 6DB2D526C3310FAD6C8 ### Network **IP** **Provider** **First seen** **Details** 185.244.150[.]159 Dynadot 2022-01-20 19:36:29 token2[.]club Distribution website 194.195.211[.]26 Hostinger 2022-01-08 14:33:32 grabamaid-my[.]online Distribution website 172.67.177[.]79 Hostinger 2022-01-03 08:20:50 maidacalls[.]online Distribution website 172.67.205[.]26 Hostinger 2022-01-03 13:40:24 petsmore[.]online Distribution website 172.67.174[.]195 Hostinger 2022-02-23 00:45:06 cleangmy[.]site Distribution website N/A Hostinger 2022-01-24 17:40:14 my-maid4us[.]site Distribution website N/A Hostinger 2022-01-27 14:22:10 yourmaid[.]online Distribution website 194.195.211[.]26 Hostinger 2021-11-19 05:35:01 muapks[.]online C&C server 194.195.211[.]26 Hostinger 2021-11-19 05:23:22 grabsapks[.]online C&C server ----- **IP** **Provider** **First seen** **Details** 104.21.19[.]184 Hostinger 2022-01-20 03:47:48 grabmyapks90[.]online C&C server 104.21.29[.]168 Hostinger 2021-12-22 12:35:42 m4apks[.]online C&C server 172.67.208[.]54 Hostinger 2022-01-17 09:22:02 maid4uapks90[.]online C&C server 172.67.161[.]142 Hostinger 2022-01-22 06:42:37 grabmaidsapks80[.]online C&C server 2.57.90[.]16 Hostinger 2022-01-10 23:51:29 puapks[.]online C&C server 124.217.246[.]203 Hostinger 2021-09-15 03:50:28 124.217.246[.]203:8099 C&C server 172.67.166[.]180> Hostinger 2021-12-24 15:54:34 meapks[.]xyz C&C server ## MITRE ATT&CK techniques _[This table was built using version 10 of the ATT&CK framework.](https://attack.mitre.org/resources/versions/)_ **Tactic** **ID** **Name** **Description** Initial Access [T1444](https://attack.mitre.org/versions/v10/techniques/T1444) Masquerade as Legitimate Application Fake websites provide links to download malicious Android apps. [T1476](https://attack.mitre.org/versions/v10/techniques/T1476/) Deliver Malicious App via Other Means Malicious apps are delivered via direct download links behind fake Google Play buttons. Credential Access [T1411](https://attack.mitre.org/versions/v10/techniques/T1411/) Input Prompt Malware displays fake bank log in screens to harvest credentials. [T1412](https://attack.mitre.org/versions/v10/techniques/T1412/) Capture SMS Messages Malware captures received SMS messages so it has 2FA codes for bank logins. Collection [T1412](https://attack.mitre.org/versions/v10/techniques/T1412/) Capture SMS Messages Malware captures received SMS messages that might contain other interesting data besides 2FA codes for bank logins. Exfiltration [T1437](https://attack.mitre.org/versions/v10/techniques/T1437) Standard Application Layer Protocol Malicious code exfiltrates credentials and SMS messages over standard HTTPS protocol. 6 Apr 2022 - 11:30AM ### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center ----- ### Newsletter Discussion -----