Cybercriminals expand targeting of Iranian bank customers with known mobile malware


Researchers have discovered more than 200 fake mobile apps imitating major Iranian banks to steal information from their customers.

The campaign was first discovered in July this year, but since then the cybercriminals behind it have expanded their capabilities, according to the American cybersecurity company Zimperium.

Initially, the attackers created 40 credential-harvesting apps imitating four major Iranian banks: Bank Mellat, Bank Saderat, Bank Resalat, and the Central Bank of Iran.

These apps imitated legitimate versions found on the popular Iranian marketplace Cafe Bazaar and were distributed through several phishing websites. The first campaign lasted from December 2022 to May 2023.

As part of the ongoing campaign detected by Zimperium, the attackers have created malicious applications that now impersonate 12 Iranian banks. Once installed, these apps also scan the victim's phone for installed cryptocurrency wallet apps, an indication that those wallets could be targeted in the future, the researchers said.

Previous versions of the fake apps could steal banking login credentials and credit card information, intercept incoming SMS traffic to capture the one-time passwords used for authentication, and hide their launcher icons to make uninstallation harder.
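The three behaviours described in the two paragraphs above (enumerating installed wallet apps, intercepting SMS one-time passwords, and hiding the launcher icon) all leave static traces an analyst can triage before running a sample. The following is an added example, not code from Zimperium's report or from the malware itself: it parses a decoded AndroidManifest.xml plus a dump of strings from the decompiled app and flags each behaviour. The manifest, the string dump and the wallet package names (`com.example.wallet1`, `com.example.wallet2`) are constructed for illustration and are not the real app or targets.

```python
"""Static triage of a decoded Android manifest and a string dump for the behaviours
described above: SMS interception, installed-package enumeration, launcher-icon hiding.
Added example; the inputs below are constructed, not taken from the campaign."""
import xml.etree.ElementTree as ET

# Namespace prefix that ElementTree puts on every android:* attribute.
A = "{http://schemas.android.com/apk/res/android}"

# Either permission lets the app read incoming SMS and so harvest one-time passwords.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Since Android 11, enumerating arbitrary installed apps needs this permission
# or an explicit <queries> list naming the packages of interest.
ENUM_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"
# Hypothetical wallet package names, used only to make the example self-contained.
WALLET_PACKAGES = {"com.example.wallet1", "com.example.wallet2"}
# Runtime API and constant used to disable the launcher component (hides the icon);
# both usually survive as strings in decompiled code.
ICON_HIDE_MARKERS = ("setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED")


def triage(manifest_xml, strings):
    """Return a dict of finding -> supporting evidence (empty dict if nothing is flagged)."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Manifest-registered receivers listening for incoming SMS broadcasts.
    sms_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == SMS_ACTION for a in r.iter("action"))
    ]
    # <queries><package android:name=.../></queries> entries.
    queried = {p.get(A + "name") for p in root.iter("package")}

    findings = {}
    if perms & SMS_PERMISSIONS and sms_receivers:
        findings["sms_interception"] = sms_receivers
    wallet_hits = sorted(queried & WALLET_PACKAGES)
    if ENUM_PERMISSION in perms or wallet_hits:
        findings["package_enumeration"] = wallet_hits or [ENUM_PERMISSION]
    hide_hits = [m for m in ICON_HIDE_MARKERS if any(m in s for s in strings)]
    if len(hide_hits) == len(ICON_HIDE_MARKERS):
        findings["icon_hiding"] = hide_hits
    return findings


def verdict(findings):
    """Two or more of these behaviours together is a strong banker-malware signal."""
    return "suspicious" if len(findings) >= 2 else "review"


# Constructed manifest of a hypothetical fake banking app (not a real sample).
FAKE_BANK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <queries>
    <package android:name="com.example.wallet1"/>
  </queries>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed strings, as a `strings`/smali dump of the same hypothetical app might show.
FAKE_BANK_STRINGS = [
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
    "https://example.invalid/api/upload",
]

# Constructed manifest of an ordinary app with no SMS, queries or icon-hiding traces.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>
"""

if __name__ == "__main__":
    f = triage(FAKE_BANK_MANIFEST, FAKE_BANK_STRINGS)
    print(verdict(f), f)
    print(verdict(triage(BENIGN_MANIFEST, [])))
```

The SMS check requires both the permission and a registered `SMS_RECEIVED` receiver, because many legitimate apps request `READ_SMS` for auto-fill without ever registering a high-priority receiver; the icon-hiding check requires both marker strings because `setComponentEnabledSetting` alone is also used benignly to toggle optional components. Treat the output as triage, not attribution: confirmation still needs dynamic analysis of where the captured SMS and the wallet list are sent.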

In the new campaign, the attackers have added more features to the malware to make credential harvesting and data theft easier. They also added handling specific to Xiaomi and Samsung devices so that certain functionality of the malware runs on them, according to the report.

Other evidence suggests that attackers are likely now working on a malware variant targeting iOS devices, the researchers said.

In addition to the malicious apps, the same threat actor is linked to phishing attacks targeting customers of the same banks. "The phishing campaigns used are sophisticated and attempt to imitate the original sites down to the smallest detail," the researchers said. Data stolen by the phishing sites is sent to Telegram channels controlled by the attackers.

It is not yet clear which threat actor is behind the campaign or how many users have been affected by it.

Last week, Microsoft researchers reported a similar information-stealing campaign targeting Indian banking customers with mobile malware. The cybercriminals behind that campaign trick users into installing fraudulent banking apps on their devices by posing as legitimate organizations such as financial institutions, government departments, and utilities.


Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.
