Security researchers have revealed the continuation and expansion of an Android mobile banking Trojan campaign targeting major Iranian banks.
Initially discovered in July 2023, the campaign has not only been sustained but has also evolved with improved capabilities, according to a new report from Zimperium malware analysts Aazim Bill SE Yaswant and Vishnu Pratapagiri.
An earlier investigation by the company identified four clusters of credential-harvesting apps impersonating major Iranian banks, circulating between December 2022 and May 2023. These apps could steal banking and credit card information, hide their icons, and intercept SMS messages carrying one-time password (OTP) codes.
The latest findings from Zimperium, published today, include the identification of 245 new app variants attributed to the same threat actors. Notably, 28 of these variants are not detected by industry scanning tools.
The new iterations expand the scope of the campaign, targeting additional banks and revealing the threat actors' ambitions to expand further. The malware now also shows an interest in collecting information about various cryptocurrency wallet applications, which suggests potential future targeting.
The second iteration of the malware also introduced previously unseen capabilities, such as the abuse of accessibility services for overlay attacks, automatic granting of SMS permissions, removal prevention, and data exfiltration methods using GitHub repositories. The research also highlights vendor-specific attacks on Xiaomi and Samsung devices and a potential interest in targeting iOS devices.
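The capabilities listed above (SMS interception, accessibility-service abuse for overlays, removal prevention) each leave a footprint in an app's AndroidManifest.xml. The following script is an added example, not code from the Zimperium report or the researchers: it parses a manifest and flags the permission and component declarations that back those capabilities, scoring the combination. The manifest, package name and component names are constructed for illustration; the device-admin receiver is assumed here as one common removal-resistance mechanism, since the page does not say which one the malware uses.

```python
"""Heuristic manifest triage for the banking-trojan capability set described above.
Added example; the sample manifest is constructed and is NOT an indicator from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declarations that typically back each capability.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"  # assumed removal-resistance mechanism

# Constructed sample: hypothetical package and component names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Map manifest declarations onto the capability categories we care about."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Services/receivers guarded by a system-level binding permission reveal
    # accessibility services and device-admin receivers.
    component_perms = {
        e.get(ANDROID_NS + "permission")
        for tag in ("service", "receiver")
        for e in root.iter(tag)
    }
    return {
        "package": root.get("package"),
        "sms_access": bool(perms & SMS_PERMS),
        "overlay": bool(perms & OVERLAY_PERMS),
        "accessibility_service": ACCESSIBILITY_PERM in component_perms,
        "device_admin": DEVICE_ADMIN_PERM in component_perms,
    }


def triage(manifest_xml: str) -> tuple[int, list[str]]:
    """Return (score, findings). Score counts risky capabilities present;
    findings also call out the combinations that matter for this campaign."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    if caps["sms_access"]:
        findings.append("SMS permissions requested (OTP interception risk)")
    if caps["overlay"]:
        findings.append("SYSTEM_ALERT_WINDOW requested (overlay risk)")
    if caps["accessibility_service"]:
        findings.append("declares an accessibility service")
    if caps["device_admin"]:
        findings.append("declares a device-admin receiver (removal resistance)")
    score = len(findings)
    if caps["accessibility_service"] and caps["sms_access"]:
        findings.append("COMBO: accessibility + SMS (can self-grant SMS prompts)")
    if caps["accessibility_service"] and caps["overlay"]:
        findings.append("COMBO: accessibility + overlay (credential-phishing overlay)")
    return score, findings


if __name__ == "__main__":
    for name, m in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage(m)
        print(f"{name}: score={score}")
        for f in findings:
            print("  -", f)
```

A score of 3 or more, or any COMBO finding, is a reasonable trigger for manual review of an APK that claims to be a banking app; the script is a triage aid, not a verdict, since legitimate apps can declare any one of these in isolation.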
Yaswant and Pratapagiri emphasized the importance of runtime visibility and protection for mobile applications.
“It is clear that modern malware is becoming more advanced and goals are being expanded, so the visibility and protection of runtime are crucial for mobile applications,” the researchers explained.
The Zimperium research article concludes with an invitation to explore the Indicators of Compromise (IoCs) on the company's GitHub repository, offering an extensive list that security practitioners can use to strengthen their defenses against this evolving threat.