Undetected Android Trojan expands attack on Iranian banks


Security researchers have discovered the continuation and expansion of an Android mobile banking Trojan campaign targeting major Iranian banks.

Initially discovered in July 2023, the campaign has not only persisted, but also evolved with improved capabilities, according to a new report from Zimperium malware analysts Aazim Bill SE Yaswant and Vishnu Pratapagiri.

An earlier investigation by the company identified four groups of credential-harvesting apps imitating major Iranian banks, circulating between December 2022 and May 2023. These apps could steal bank login details and credit card information, hide their app icons to prevent uninstallation, and intercept SMS one-time password (OTP) codes.

Zimperium’s latest findings, released today, include the identification of 245 new app variants associated with the same threat actors. Notably, 28 of these variants are not detected by industry-standard analysis tools.

New iterations expand the campaign’s reach, targeting additional banks and revealing threat actors’ aspirations to expand further. The malware is now also demonstrating interest in collecting information on various cryptocurrency wallet applications, suggesting potential future targeting.

The second iteration of the malware also introduced never-before-seen features, such as abuse of accessibility services for overlay attacks, automatic granting of SMS permissions, uninstall prevention, and data exfiltration via GitHub repositories. The report also highlights vendor-specific attacks on Xiaomi and Samsung devices and a potential interest in targeting iOS devices.

Yaswant and Pratapagiri highlighted the importance of visibility and runtime protection for mobile applications.

“It is clear that modern malware is becoming more sophisticated and its targets are expanding. Visibility and runtime protection are therefore crucial for mobile applications,” the researchers explained.

The Zimperium research article concludes with an invitation to explore the Indicators of Compromise (IOCs) published in its GitHub repository, a comprehensive list that security practitioners can use to strengthen their defenses against this evolving threat.