Security analysts have uncovered an ongoing Android mobile banking Trojan campaign targeting major Iranian banks. The campaign, first discovered in July 2023, has persisted and evolved with improved capabilities, as detailed in a recent report by Zimperium malware researchers Aazim Bill SE Yaswant and Vishnu Pratapagiri.
In its initial investigation, Zimperium identified four clusters of credential-harvesting apps masquerading as popular Iranian banks. These malicious apps circulated between December 2022 and May 2023 and were designed to steal banking login credentials and credit card information. They could also hide their icons to evade detection and intercept SMS messages containing one-time password (OTP) codes.
Zimperium's latest findings reveal 245 new variants of these malicious apps, all linked to the same threat actors. Alarmingly, 28 of the new variants evade detection by traditional scanning tools. The campaign's expansion indicates a growing focus on additional banks, as well as a potential interest in collecting information from cryptocurrency wallet applications.
The updated malware also incorporates new functionality: abuse of Android accessibility services for overlay attacks, automatic granting of SMS permissions, resistance to uninstallation, and data exfiltration via GitHub repositories. The researchers also uncovered vendor-specific attacks on Xiaomi and Samsung devices, as well as indications of future interest in targeting iOS devices.
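The behaviours listed above (bank impersonation, hidden launcher icon, SMS/OTP interception, an accessibility service, and uninstall resistance) are all visible in an app's manifest and signing data, which makes them usable as triage indicators on a device or MDM inventory. The script below is an added example, not Zimperium's tooling or anything from their report: it scores constructed inventory records against that indicator set. The `AppRecord` fields, the `TRUSTED_BANK_SIGNERS` allowlist, the `BANK_KEYWORDS` list and every package name and hash are assumptions or placeholders; the permission strings are genuine Android identifiers.

```python
"""Inventory triage heuristic keyed to the behaviours described in the
Zimperium report. Added example; all package names, labels, keywords and
signer hashes are constructed placeholders, not published IOCs."""
from dataclasses import dataclass

# Genuine Android permission identifiers referenced by the checks.
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


@dataclass
class AppRecord:
    """Hypothetical inventory record, populated from manifest data (assumption)."""
    package: str
    label: str
    permissions: set             # <uses-permission> entries
    component_permissions: set   # android:permission on <service>/<receiver>
    has_launcher_icon: bool      # an enabled MAIN/LAUNCHER activity exists
    signer_sha256: str           # signing-certificate fingerprint


# Hypothetical allowlist: fingerprints of the genuine bank apps a defender
# tracks. Placeholder value; a real deployment fills this from the banks' apps.
TRUSTED_BANK_SIGNERS = {"PLACEHOLDER_SHA256_OF_GENUINE_BANK_SIGNER"}
# Constructed keywords used to spot apps that present themselves as a bank.
BANK_KEYWORDS = ("bank", "banking")


def impersonates_bank(app: AppRecord) -> bool:
    """True when the app presents as a bank but is not signed by a known bank signer."""
    text = f"{app.package} {app.label}".lower()
    looks_like_bank = any(k in text for k in BANK_KEYWORDS)
    return looks_like_bank and app.signer_sha256 not in TRUSTED_BANK_SIGNERS


def find_indicators(app: AppRecord) -> list:
    """Return the human-readable indicators this record exhibits."""
    found = []
    if impersonates_bank(app):
        found.append("bank impersonation by an untrusted signer")
    if not app.has_launcher_icon:
        found.append("no launcher icon (hides from the app drawer)")
    if {RECEIVE_SMS, READ_SMS} & app.permissions:
        found.append("reads incoming SMS (OTP interception)")
    if BIND_ACCESSIBILITY in app.component_permissions:
        found.append("declares an accessibility service (overlay/auto-grant abuse)")
    if BIND_DEVICE_ADMIN in app.component_permissions:
        found.append("device-admin receiver (uninstall resistance)")
    return found


def severity(indicators: list) -> str:
    """Combine indicators: impersonation plus several behaviours is the strong signal."""
    n = len(indicators)
    impersonation = any(i.startswith("bank impersonation") for i in indicators)
    if impersonation and n >= 3:
        return "high"
    if n >= 2:
        return "medium"
    if n == 1:
        return "low"
    return "none"


def triage(apps) -> dict:
    """Map package name -> (severity, indicator list) for a whole inventory."""
    result = {}
    for app in apps:
        indicators = find_indicators(app)
        result[app.package] = (severity(indicators), indicators)
    return result


# Constructed sample inventory: one look-alike, one genuine bank app, one
# unrelated messaging app that legitimately reads SMS.
SAMPLE_INVENTORY = [
    AppRecord("com.example.fakebank", "Example Bank",
              {RECEIVE_SMS, READ_SMS, "android.permission.INTERNET"},
              {BIND_ACCESSIBILITY, BIND_DEVICE_ADMIN},
              has_launcher_icon=False, signer_sha256="PLACEHOLDER_SHA256_UNKNOWN"),
    AppRecord("com.example.genuinebank", "Example Bank",
              {"android.permission.INTERNET"}, set(),
              has_launcher_icon=True,
              signer_sha256="PLACEHOLDER_SHA256_OF_GENUINE_BANK_SIGNER"),
    AppRecord("com.example.messenger", "Messenger",
              {READ_SMS}, set(),
              has_launcher_icon=True, signer_sha256="PLACEHOLDER_SHA256_OTHER"),
]

if __name__ == "__main__":
    for pkg, (sev, why) in triage(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {sev} {why}")
```

The scoring deliberately keeps a single SMS permission at "low": messaging apps legitimately hold it, and the report's distinguishing signal is the combination of a bank-branded app, a hidden icon, SMS access and an accessibility service under an unknown signer. Treat the thresholds as a starting point to tune against your own inventory.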
Yaswant and Pratapagiri stress that runtime visibility and protection for mobile applications are essential against threats of this sophistication: as malware continues to evolve and expand its targets, robust runtime protection is needed to safeguard sensitive information.
To assist defenders, Zimperium has published a comprehensive list of indicators of compromise (IOCs) in its GitHub repository, a useful resource for organizations strengthening their defenses against this ongoing Android banking Trojan campaign.
As the threat landscape continues to evolve, vigilance and advanced security measures remain crucial to protect against malicious actors seeking to exploit mobile applications.

