How to Stay Safe From Fake Finance Apps on Google Play

Written by Lukas Stefanko, Malware Researcher at ESET

Another set of fake finance apps has found its way into the official Google Play store. This time, the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services.

Figure 1 – Six of the malicious apps found on Google Play

The malicious fakes were uploaded to Google Play in June 2018 and were installed more than a thousand times before being taken down by Google. The apps were uploaded under different developer names, each using a different guise; however, code similarities suggest the apps are the work of a single attacker. The apps use obfuscation, which might have contributed to their slipping into the store undetected.

The sole purpose of these malicious apps is to obtain sensitive information from unsuspecting users. Some of the apps take advantage of the absence of an official mobile app for the targeted service (such as Bitpanda), while others attempt to fool users by impersonating existing official apps. The full list of targeted banks and services can be found at the end of this article.

How do the apps operate?
While the apps don’t follow one common procedure, upon launch they all display forms requesting credit card details and/or login credentials to the targeted bank or service (examples can be seen in Figure 2). If users fill out such a form, the submitted data is sent to the attacker’s server. The apps then present their victims with a “Congratulations” or “Thank you” message (an example can be seen in Figure 3), which is where their functionality ends.

Figure 2 – Bogus forms phishing for credit card details and internet banking login credentials


Figure 3 – Final screen displayed by one of the malicious apps

How to stay safe
If you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it immediately.

Also, change your credit card PIN codes as well as your internet banking passwords, and check your bank accounts for suspicious activity. If there have been unusual transactions, contact your bank. Users of the Bitpanda cryptocurrency exchange who think they have installed the fake mobile app are advised to check their accounts for suspicious activity and change their passwords.

To avoid falling victim to phishing and other fake financial apps, we recommend that you:

  • Only trust mobile banking and other finance apps if they are linked from the official website of your bank or the financial service
  • Only download apps from Google Play; this does not ensure the app is not malicious, but apps like these are much more common on third-party app stores and are rarely removed once uncovered, unlike on Google Play
  • Pay attention to the number of downloads, app ratings and reviews when downloading apps from Google Play
  • Only enter your sensitive information into online forms if you are sure of their security and legitimacy
  • Keep your Android device updated and use a reliable mobile security solution; ESET products detect and block these malicious apps as Android/Spy.Banker.AIF, Android/Spy.Banker.AIE and Android/Spy.Banker.AIP

Targeted banks and services

Australia and New Zealand

Commonwealth Bank of Australia (CommBank)
The Australia and New Zealand Banking Group Limited (ANZ)
ASB Bank

The United Kingdom
TSB Bank

Switzerland
PostFinance

Poland
Bank Zachodni WBK (renamed to Santander Bank Polska SA in September 2018)

Austria
Bitpanda

IoCs

Package name       Hash (SHA-1)                                Detection
cw.cwnbm.mobile    651A3734103472297A2C65C81757FB5820AD2AB7    Android/Spy.Banker.AIF
au.money.go        DE09F03C401141BEB05F229515ABB64811DDB853    Android/Spy.Banker.AIF
asb.ezy.pay        B6D70983C28B8A0059B454065D599B4E18E8097C    Android/Spy.Banker.AIF
uk.mobile.tsb      91692607FB529218ADF00F256D5D1862DF90DAAF    Android/Spy.Banker.AIF
ch.post.finance    FE1B2799B65D36F19484930FAF0DA17A0DBE9868    Android/Spy.Banker.AIF
pl.mblzch          C43E7A28E1B807225F1E188C6DA51D24DCC54F5F    Android/Spy.Banker.AIE
www.bit.panda      7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F    Android/Spy.Banker.AIP
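The IoCs above are most useful when they are actually matched against something. The following Python script is an added example, not ESET's tooling and not part of the original article: it embeds the package names, SHA-1 hashes and detection names from the table and checks either a list of installed package names (for instance the output of `adb shell pm list packages` with the `package:` prefix stripped) or a directory of APK files against them. The sample inventory, file paths and file contents it uses are constructed for illustration.

```python
"""Match Android package names or APK files against the IoCs from the article above.

Added example, not ESET's own tooling. The package names, SHA-1 hashes and
detection names are the ones published in the IoC table; every other value
(sample inventory, file paths, file contents) is constructed for illustration.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# IoCs as published: package name -> (SHA-1 of the APK, ESET detection name)
IOCS: Dict[str, Tuple[str, str]] = {
    "cw.cwnbm.mobile": ("651A3734103472297A2C65C81757FB5820AD2AB7", "Android/Spy.Banker.AIF"),
    "au.money.go":     ("DE09F03C401141BEB05F229515ABB64811DDB853", "Android/Spy.Banker.AIF"),
    "asb.ezy.pay":     ("B6D70983C28B8A0059B454065D599B4E18E8097C", "Android/Spy.Banker.AIF"),
    "uk.mobile.tsb":   ("91692607FB529218ADF00F256D5D1862DF90DAAF", "Android/Spy.Banker.AIF"),
    "ch.post.finance": ("FE1B2799B65D36F19484930FAF0DA17A0DBE9868", "Android/Spy.Banker.AIF"),
    "pl.mblzch":       ("C43E7A28E1B807225F1E188C6DA51D24DCC54F5F", "Android/Spy.Banker.AIE"),
    "www.bit.panda":   ("7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F", "Android/Spy.Banker.AIP"),
}

# Reverse index so an APK can be matched by hash even if it was renamed or sideloaded.
HASH_INDEX: Dict[str, Tuple[str, str]] = {
    sha1: (pkg, det) for pkg, (sha1, det) in IOCS.items()
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so a large APK does not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_package_names(installed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (package, detection) for every installed package name on the IoC list."""
    return [(pkg, IOCS[pkg][1]) for pkg in installed if pkg in IOCS]


def match_apk_hash(sha1_hex: str) -> Optional[Tuple[str, str]]:
    """Look a SHA-1 (any letter case) up in the IoC list; None when it is not listed."""
    return HASH_INDEX.get(sha1_hex.upper())


def scan_apk_dir(directory: str) -> List[Tuple[str, str, str]]:
    """Hash every .apk under `directory` and report (path, package, detection) hits."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".apk"):
                path = os.path.join(root, name)
                found = match_apk_hash(sha1_of_file(path))
                if found:
                    hits.append((path, found[0], found[1]))
    return hits


if __name__ == "__main__":
    # Constructed inventory: two unrelated package names plus one from the IoC table.
    sample_inventory = ["com.android.chrome", "uk.mobile.tsb", "com.example.notes"]
    for pkg, det in match_package_names(sample_inventory):
        print(f"IoC hit: {pkg} -> {det}")
```

A package-name match is a strong hint but not proof on its own, since a package name can be reused by an unrelated app; a hash match on the APK file is conclusive for these specific samples. Both checks are exact matches, so a repackaged variant of the same family will not be caught by this script and still needs a signature-based product such as the detections named above.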

