Reading Time: 3 minutes

Fake shopping apps are being distributed by hackers to steal the banking data of Malaysian users, according to ESET, a cybersecurity firm. 

The cybersecurity firm in its report confirmed the attacks involved setting up fraudulent, though legitimate-looking websites to lure users into downloading the apps. 

The dummy website mimicked cleaning services such as Maid4u, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall and a pet store named PetsMore that cater to the Malaysian population. 

The reports stated, “The threat actors use these fake e-shop applications to phish for banking credentials. The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank.”Fake Shopping Apps Distributed by Hackers to Steal Banking Data of Malaysian Users-3The banks targeted by the hackers include Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.

The hackers managed to share Facebook ads via the website, to lure visitors into downloading the Android apps. The hackers claimed the app is legit and available on Google Play Store, though it redirected users to rogue servers managed by them.Fake Shopping Apps Distributed by Hackers to Steal Banking Data of Malaysian Users-2The success of the attack requires potential victims to enable the non-default “Install unknown apps” option on their devices. Interestingly the five abused services don’t even have an app on Google Play.

Once the victims install the app they are prompted to sign in, enabling them to place fake orders after which an option to complete the checkout process appears, including a fund transfer from their bank accounts.

ESET malware researcher Lukáš Štefanko said, “After picking the direct transfer option, victims are presented [with] a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials.” Fake Shopping Apps Distributed by Hackers to Steal Banking Data of Malaysian Users-1The hacker’s main intention is to steal the banking data of the users and exfiltrate it to the servers managed by them. Simultaneously they manage to display an error message that says the entered user ID or password is invalid.

Additionally, the fake apps are designed to access and transmit all SMS messages received by the users to the remote server in the event the bank accounts are secured by two-factor authentication.

On a concluding note, Štefanko said,c “While the campaign targets Malaysia exclusively, for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future.”

Related Articles:
Russian Hydra Darknet Market Shut down in Germany – Bitcoins worth $25 Million seized
Apple Releases macOS, iOS, iPadOS patches for ‘exploited’ security bugs
IcedID Malware Used By Hackers On Compromised Microsoft Exchange Servers To Spam Out Emails