Today we’re releasing our research paper on the operations of the Yanbian Gang—a Chinese cybercriminal group that uses mobile malware to siphon off money from account holders of South Korean banks. Since 2013, they have been able to transfer up to US$1,600 worth of local currency from victims’ accounts every single day.
This investigation is the result of our continuous monitoring of the threat landscape. We are always on the lookout for new threats, and the Chinese underground is a particularly active source of them. In particular, many mobile threats have been traced back to the larger Chinese underground market.
The Tools Behind the Theft
This group, dubbed the “Yanbian Gang,” has successfully been siphoning millions from their victims’ accounts since 2013. The group used a variety of Android malware for their schemes.
- Fake banking apps: In our research, we saw fake versions of the apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials. They are also able to uninstall the real apps they spoof and take their place. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials, which translate to financial gain for the fake apps’ operators.
- Apps that hijack banking sessions: They mimic their targets’ icons to dupe bank customers into thinking they are the real thing. The fake app’s UI then logs all of the affected user’s inputs—account number, user name, password, and other personally identifiable information (PII).
- Fake versions of popular apps: The Yanbian Gang also created fake versions of apps that are popular with Android users. Examples include Google Play and Search, Adobe® Flash® Player, and porn apps. The fake apps download and install other malicious apps, delete files and folders, record text messages, take photos, steal files, and more, depending on what their creators want them to do.
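The spoofing described above (a look-alike label and icon over a different package, installed outside the official store, often after the genuine app has been removed) can be caught on the defender's side with an inventory check. The following is an added example, not code from the paper or from Trend Micro: it takes an app inventory already pulled from a device and flags any app carrying a known bank's display name whose package, signing certificate, or installer does not match the allow-list. The bank package names and certificate fingerprints are hypothetical placeholders, and the inventory is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    label: str          # display name shown under the launcher icon
    package: str        # Android package name
    signer_sha256: str  # hex SHA-256 of the APK signing certificate
    installer: str      # package that installed it (Play Store or sideload)


def normalize(label: str) -> str:
    """Collapse spacing and case so 'Shinhan  BANK' still matches."""
    return re.sub(r"\s+", " ", label).strip().casefold()


# Allow-list of genuine (package, signer) per bank label.
# PLACEHOLDER values: not the banks' real package names or certificates.
KNOWN_GOOD = {
    normalize("KB Kookmin Bank"): ("com.example.kbbank", "0a1b"),
    normalize("NH Bank"): ("com.example.nhbank", "1c2d"),
    normalize("Hana Bank"): ("com.example.hanabank", "2e3f"),
    normalize("Shinhan Bank"): ("com.example.shinhan", "3a4b"),
    normalize("Woori Bank"): ("com.example.woori", "4c5d"),
}
PLAY_STORE = "com.android.vending"  # assumed installer of the genuine apps


def spoof_findings(inventory):
    """Return {package: [reasons]} for apps that wear a bank's name but
    differ from the allow-listed package, signer, or install source."""
    findings = {}
    for app in inventory:
        expected = KNOWN_GOOD.get(normalize(app.label))
        if expected is None:
            continue  # not claiming to be one of the banks
        good_pkg, good_signer = expected
        reasons = []
        if app.package != good_pkg:
            reasons.append(f"package {app.package} is not {good_pkg}")
        if app.signer_sha256.lower() != good_signer:
            reasons.append("signing certificate does not match the bank's")
        if app.installer != PLAY_STORE:
            reasons.append(f"installed by {app.installer}, not the Play Store")
        if reasons:
            findings[app.package] = reasons
    return findings


# Constructed inventory: one genuine app, one look-alike, one unrelated app.
SAMPLE_INVENTORY = [
    InstalledApp("KB Kookmin Bank", "com.example.kbbank", "0a1b", PLAY_STORE),
    InstalledApp("Shinhan  Bank", "kr.fake.shinhan", "ffff", "com.android.packageinstaller"),
    InstalledApp("Calculator", "com.example.calc", "9999", PLAY_STORE),
]
```

On a real device the inventory fields can be gathered with `pm list packages -i` and the APK signing certificate, and a bank label present with no matching genuine package is exactly the "uninstall and replace" pattern the paper describes.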
The group also used fake Internet Police apps to victimize South Korean users. Potential victims received SMS phishing messages threatening them with a supposed investigation if they did not click a given link. When clicked, however, the link installed a malicious app on their devices.
For recruitment, communication, and coordination, the group used QQ Chat, a popular Chinese instant messaging service. We noted in 2013 that QQ was rapidly becoming the preferred mode of communication for cybercrooks in China. In our report, The Chinese Underground in 2013, we revealed that the number of messages showed underground activity in China doubling in the last 10 months of 2013 compared with the same period in 2012.
For more details on how the Yanbian Gang conducts its operations, read our Trend Micro research paper, The Yanbian Gang: Using Mobile Threats to Go after South Korean Targets.
Existing Trend Micro products like Trend Micro Mobile Security are able to detect these apps before they are installed onto user devices, protecting users from attacks of this nature.