Fraudulent, yet legitimate-appearing websites have been a favorite of cybercriminals for years now. These traps are used to lure in victims, making it appear that they are visiting a real website when they have in fact been snared by hackers into downloading malware.
Recently, however, cybercriminals have put a new spin on this trend in an attempt to widen the scope of infection. Fake mobile applications have been seen increasingly often by security researchers, serving a similar purpose as the fraudulent websites seen in the past.
The Trend Micro team uncovered one cybercriminal campaign in particular that hinges upon the use of a fake Android banking app to lure victims and steal profits. Today, we'll investigate this malicious trend and examine how the fake app perpetuates cybercriminal activity.
Fake apps seen in Korean cybercrime scam
This campaign was first discovered in 2014 when Trend Micro researchers were examining the Chinese underground market, Trend Micro reported in a white paper. Researchers found that a group of cybercriminals was leveraging several fake mobile apps in order to attract, trick and steal from their victims.
According to a Trend Micro blog post, the campaign included fake apps as well as social engineering tactics to encourage users to execute malware on their mobile devices. Cybercriminals developed fake banking apps, which appeared as legitimate applications to users. In addition, the group also used popular porn apps – complete with salacious icons and names – to mask their malicious activities.
Once downloaded onto a victim's device, these apps had the ability to snoop on and steal a range of sensitive information from the mobile endpoint, including the user's phone number, account name and other details, as well as login credentials and text messages. All of this information was sent to the group's command-and-control server, where the hackers could access it.
As opposed to attempting to get these illegitimate Android apps approved by the Google Play Store, hackers simply side-stepped the app store completely. Instead, cybercriminals lured their victims into using the fake apps through malicious text messages or after they were downloaded onto a device by other malware.
While fake banking apps appeared to be the most-used in the attacks, researchers uncovered other fake apps used by the group as well. These included apps that appeared to users as the popular Google Play, Google Search and Adobe Flash Player programs. Overall, Trend Micro discovered just over 1,000 fake versions of Google apps, the majority of which were Google Play imposters. Researchers also found a fake app called "The Interview," which shared its name with a popular movie. However, the Google impersonators were the cybercriminals' primary payload.
"Cybercriminals spoofed Google apps since these usually come preinstalled on every Android mobile device," Trend Micro noted in the blog post.
In this way, a fake Google app might go unnoticed by victims, particularly when it was downloaded to the device by another malware infection.
The group behind the attacks: Yanbian Gang
During their investigation of the Chinese underground market, researchers uncovered the group responsible for the rash of fake application attacks. This organization of hackers was active in a more remote part of the country known as the Yanbian Prefecture in Jilin, China, and researchers thus dubbed the group the Yanbian Gang.
According to Trend Micro's white paper, "The South Korean Fake Banking App Scam," the gang comprises four key roles: the organizer, translator, cowboy and malware creator. Each of these roles can be broken down by specific responsibilities:
- The Organizer is "the founding father of the gang," Trend Micro noted. This person scouts and recruits new members, and is considerably experienced with the business of cybercrime so that he can better pinpoint individuals who would be beneficial additions to the group. Although other members typically do not know each other or communicate with one another, everyone remains in contact with the organizer.
- Translators ensure that messages and other information are translated into the local language, depending upon the target area. For instance, victims in many of the attacks spoke Korean, so translators had to create Korean text messages and user interfaces.
- Cowboys are on the ground in the same country as attack victims. These individuals are responsible for collecting any profits and transmitting them to the organizer.
- Malware creators develop the malicious applications or platform used in the attacks. This role is likely the most important in the group.
How does infection take place?
Each type of fake application had its own strategy for infection. The fraudulent mobile banking apps, for example, copied much of the legitimate app so that users would not realize they weren't using the real thing. For instance, the group created fake apps to mimic those of Shinhan Bank, NH Bank, Hana Bank, Kookmin Bank and Woori Bank. Overall, 17 banks were targeted in the attacks.
The Android malware utilized BroadcastReceiver functions to launch background services, monitor currently running apps and even replace the legitimate app with the fake one. These malicious programs also enabled hackers to hijack banking sessions and intercept any text messages sent to the infected device from the victim's real bank. After interception, these were uploaded to the cybercriminals' command-and-control server along with any other stolen details.
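The behaviours described above (a BroadcastReceiver that reacts to incoming SMS, a receiver that starts at boot, and permissions to enumerate running apps and send texts) are all declared in an APK's AndroidManifest.xml, which makes the manifest a cheap first triage point for an analyst. The script below is an added example, not Trend Micro's tooling or anything recovered from the Yanbian Gang's samples: it parses a manifest and reports the permission and receiver combinations the article associates with this malware. The two embedded manifests, the package names, the indicator lists and the priority threshold are all constructed assumptions for illustration; a real analyst would tune the lists against known-good banking apps.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes (android:name, android:priority) live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, attr):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


# Indicators mapped from the behaviours the article describes. The explanatory
# strings are this script's own assumptions about why each indicator matters.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can observe incoming SMS (bank one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS (malicious texts to other users)",
    "android.permission.GET_TASKS": "can monitor running apps (trigger for app replacement)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart its own background service at boot",
}

SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "BroadcastReceiver fires on every incoming SMS",
    "android.intent.action.BOOT_COMPLETED": "BroadcastReceiver launches a background service at boot",
}

HIGH_PRIORITY = 1000  # assumed threshold; a high priority lets a receiver see SMS first


def triage_manifest(manifest_xml):
    """Return the package name, a list of human-readable findings and a simple score."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. Declared permissions that match the capabilities the article describes.
    for perm in root.findall("uses-permission"):
        name = _android_attr(perm, "name")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append("permission %s: %s" % (name, SUSPICIOUS_PERMISSIONS[name]))

    # 2. Receivers whose intent filters hook SMS delivery or device boot.
    application = root.find("application")
    receivers = application.findall("receiver") if application is not None else []
    for receiver in receivers:
        recv_name = _android_attr(receiver, "name")
        for intent_filter in receiver.findall("intent-filter"):
            priority = _android_attr(intent_filter, "priority")
            for action in intent_filter.findall("action"):
                action_name = _android_attr(action, "name")
                if action_name not in SUSPICIOUS_ACTIONS:
                    continue
                note = "receiver %s: %s" % (recv_name, SUSPICIOUS_ACTIONS[action_name])
                if (action_name.endswith("SMS_RECEIVED") and priority is not None
                        and int(priority) >= HIGH_PRIORITY):
                    note += " at priority %s (sees SMS before the default messaging app)" % priority
                findings.append(note)

    return {"package": root.get("package"), "findings": findings, "score": len(findings)}


# Constructed manifest resembling the capability profile the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Bank">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app with no SMS or boot hooks, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print("%s: score %d" % (report["package"], report["score"]))
        for finding in report["findings"]:
            print("  -", finding)
```

The score is only a count of matched indicators; its value is in surfacing the combination (SMS receiver plus task monitoring plus boot persistence) that a legitimate banking app rarely needs all at once, so that the sample is routed to dynamic analysis rather than whitelisted on the strength of its icon and name.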
In addition to fake versions of popular apps like Google, pornography apps and banking apps, the group also utilized apps including those appearing to belong to utility and security providers.
The campaign, which took place over several years, enabled the Yanbian gang to make off with considerable profits for their malicious efforts.
"Together, the gang's members have been targeting the mobile banking customers of at least five banks in South Korea since 2013, earning them millions in profit," Trend Micro stated.
Users in this region can make efforts to protect themselves from this threat. Trend Micro noted that awareness of the attacks is the first step. Banks in the area should keep a close eye on developing trends associated with potential attacks, and make their customers aware of any suspicious activity.