Credentials of Japanese Telecom users stolen by a faux Android application

November 14, 2021

Recently, researchers identified an Android application used in phishing campaigns targeting the customers of a specific Japanese telecommunication service.

In an ever more interconnected internet environment, telecommunication is the primary tool for connecting with anyone, anywhere in the world. We all rely on the telecommunication industry to send emails and messages and to make phone and video calls. Businesses, infrastructure, and workplaces likewise depend on these telecom services.

The universality of telecom services, combined with our dependence on them, makes telecom providers a primary target for malicious cyber threat actors. What makes them so appealing to cybercriminals is the large number of customers subscribing to the services these companies offer.

A clear example of a threat that can affect telecom customers is infecting their mobile devices with ransomware to exploit payment services and gather confidential information.


How did the fake Android app steal the Japanese telecom customers’ information?

According to the research conducted by the authorities, the attackers registered multiple domains to distribute fake copies of a particular Japanese telecommunication provider’s Android app. The malware-laced fake app then steals customers’ credentials and several session cookies.

More specifically, the researchers found that 2,900 credentials and cookies from over 700 Android devices, and 2,000 from iOS devices, were stolen during a single session of this campaign.

Before any of this takes place, the fake app first asks for a permission that lets the threat actors obtain information about the internet connection used by the device.


How does the infecting malware in the fake application function? 

When the malicious application is installed, it prompts the user to connect to the cellular network and turn off Wi-Fi. After that, the application opens the telecommunication payment service’s official website.

The login is a PIN issued to clients when their subscription is verified; a subscriber uses this PIN to validate their identity or change account settings. The application displays the official payment URL inside a WebView to lure victims, and it obfuscates its malicious strings to hinder reverse engineering and malware detection.

Once the information has been harvested, it is sent via Simple Mail Transfer Protocol (SMTP) to an email account controlled by the threat actors.
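The behaviours described above (querying network state, toggling Wi-Fi, reading cookies out of a WebView, and carrying an SMTP client for exfiltration) can be turned into a simple static-triage heuristic for analysts reviewing a suspicious APK. This is an added example, not code from the article or from the analysed app; the permission names are standard Android ones, while the manifest fragment, extracted strings and hostnames are constructed placeholders.

```python
import re

# Constructed sample inputs (not taken from the real app): a manifest fragment
# and a handful of strings as an analyst might extract them from a decoded APK.
SAMPLE_MANIFEST = """
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
"""
SAMPLE_STRINGS = [
    "https://payment.example-telecom.invalid/login",  # placeholder official URL
    "setWifiEnabled",                                 # WifiManager call name
    "CookieManager.getCookie",                        # WebView cookie access
    "smtp.example.invalid",                           # placeholder SMTP host
    "javax.mail.Transport",                           # SMTP client library
]

PERMISSION_RE = re.compile(r'android:name="android\.permission\.([A-Z_]+)"')
SMTP_RE = re.compile(r"smtp\.|javax\.mail", re.IGNORECASE)


def extract_permissions(manifest):
    """Return the set of android.permission.* names declared in a manifest."""
    return set(PERMISSION_RE.findall(manifest))


def triage(manifest, strings):
    """Score an app against the behaviours reported for the fake telecom app.

    Each indicator is one observable from the campaign write-up; the score is
    the number of indicators present and is meant to prioritise manual review,
    not to act as a final verdict.
    """
    perms = extract_permissions(manifest)
    blob = "\n".join(strings)
    findings = {
        "queries_network_state": "ACCESS_NETWORK_STATE" in perms,
        "can_toggle_wifi": "CHANGE_WIFI_STATE" in perms or "setWifiEnabled" in blob,
        "reads_webview_cookies": "CookieManager" in blob,
        "smtp_client_present": SMTP_RE.search(blob) is not None,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    findings["needs_review"] = findings["score"] >= 3
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A legitimate telecom app may also declare network-state permissions, so the heuristic is only useful in combination with the distribution source (an unofficial domain rather than the official store).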


What is the takeaway?

Imitating an official application of any known software used for everyday transactions is a common yet effective strategy for phishing campaigns.


In addition, the threat actors behind these malicious fake Android applications use various techniques to evade security controls and remain undetected.


That is why the recommended way to avoid infection is to never download apps from unknown third-party app stores and to install only from the official store.
