A malicious Android app has stolen online banking credentials from customers of Malaysian banks

January 24, 2022

A fake Android app posing as a housekeeping service recently stole online banking credentials from customers of eight Malaysian banks. Its operators promoted the app through various phoney websites and social media pages that directed users to sideload a malicious APK named “Cleaning Service Malaysia.”

A cybersecurity firm discovered the app and analysed it, producing a full rundown of how it operates.

Once installed, the app instructs the user to grant 24 permissions, including RECEIVE_SMS, which lets the app read every text message that arrives on the device. The operators abuse this permission to monitor incoming SMS, and that is also how they capture the one-time passwords and MFA codes that Malaysian mobile banking services deliver by text.
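A quick triage check for the permission pattern described above, as an added example that is not part of the original article or of the analysing firm's work: it parses a decoded AndroidManifest.xml (the kind apktool produces), lists every requested permission, and flags any that grant access to SMS together with any broadcast receiver registered for SMS_RECEIVED. The manifest embedded below is constructed for the demo; its package name, receiver class name and permission list are assumptions, not taken from the real app.

```python
"""Triage a decoded AndroidManifest.xml for SMS-interception capability.

Added example, not code from the article or the app it describes. Point it
at the manifest apktool extracts from an APK and it reports whether the app
can read incoming text messages, which is what a banking-OTP stealer needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose SMS content to an app. None of these is plausible
# for a home-cleaning booking app.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Constructed sample manifest (package and class names are made up) that
# resembles what a decoded credential-stealing dropper might declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaningservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Cleaning Service">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _name(elem):
    """Read the android:name attribute, which ElementTree exposes with its namespace."""
    return elem.get("{%s}name" % ANDROID_NS, "")


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [_name(e) for e in root.iter("uses-permission")]


def sms_receivers(manifest_xml):
    """Return receiver class names whose intent filter listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {_name(a) for a in receiver.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            found.append(_name(receiver))
    return found


def triage(manifest_xml):
    """Summarise the SMS-interception indicators an analyst would want to see."""
    perms = requested_permissions(manifest_xml)
    flagged = sorted(p for p in perms if p in SMS_PERMISSIONS)
    receivers = sms_receivers(manifest_xml)
    return {
        "permission_count": len(perms),
        "sms_permissions": flagged,
        "sms_receivers": receivers,
        # The receiver only fires if RECEIVE_SMS is actually held, but either
        # indicator on its own is enough to warrant a closer look.
        "can_intercept_otp": bool(flagged) or bool(receivers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print("%s: %s" % (key, value))
```

On the constructed manifest the report shows two SMS permissions and one SMS_RECEIVED receiver, which is exactly the combination to challenge when an app's stated purpose (booking a cleaner) has nothing to do with text messages.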

When the app is launched, it shows a blank form asking the user to book a (fake) home-cleaning appointment.

Once the user has entered booking details such as name, home address and contact information, the app asks them to choose a payment method. The options offered include several Malaysian banks and online banking services. Selecting one redirects the user to a login page that copies the layout of the chosen bank.

The impersonated banking page is hosted on the operators' own infrastructure, but it is hard to tell apart from the real one because the user interface is a near-exact copy.

Any banking credentials the victim enters are sent straight to the threat actors. The attackers then use those credentials to log in to the victim's online banking account; the bank's SMS one-time password is intercepted by the app on the victim's phone and passed to the attackers, who use it to complete the login.

The analysis also notes several signs of fraud on the app's social media accounts. The first is the small number of followers; another is that the page was created only recently, a definite red flag. The instruction to grant the app many permissions is also suspicious: there is no reason a home-cleaning booking app needs access to SMS.

To reduce the chance of falling victim to attacks like this, users are advised not to install applications from third-party sources. They should also review any app before installing it and check whether the site offering it is trustworthy. Finally, users should keep their devices up to date with the latest security updates and consider running a mobile security solution.
