Undetected Android Trojan Expands Attack on Iranian Banks


Security researchers have uncovered the continuation and expansion of an Android mobile banking Trojan campaign targeting major Iranian banks. 

Initially discovered in July 2023, the campaign has not only persisted but has also evolved with enhanced capabilities, according to a new report by Zimperium malware analysts Aazim Bill SE Yaswant and Vishnu Pratapagiri.

A prior investigation by the firm identified four clusters of credential-harvesting apps mimicking major Iranian banks, circulating between December 2022 and May 2023. These apps could steal banking login credentials and credit card information, hide app icons to prevent uninstallation and intercept SMS for one-time password (OTP) codes.

Zimperium’s latest findings, published today, include the identification of 245 new app variants associated with the same threat actors. Notably, 28 of these variants remain undetected by industry-standard scanning tools. 

The new iterations extend the campaign’s reach, targeting additional banks and revealing the threat actors’ aspirations to expand further. The malware now also demonstrates an interest in collecting information about various cryptocurrency wallet applications, suggesting potential future targeting.

The second iteration of the malware also introduced previously unseen capabilities, such as the abuse of accessibility services for overlay attacks, auto-granting of SMS permissions, prevention of uninstallation and data exfiltration methods using GitHub repositories. The research also underscores vendor-specific attacks on Xiaomi and Samsung devices and a potential interest in targeting iOS devices.
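Two of the capabilities described above, accessibility-service abuse and SMS interception, have to be declared in an app's manifest, which gives defenders a static triage point. The following Python function is an added example, not code from Zimperium's report: it checks a decoded AndroidManifest.xml for that pairing, and the sample manifest, package name and `triage_manifest` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml):
    """Return findings for a decoded (plain-text) AndroidManifest.xml."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        # Manifests inside an APK are binary XML; decode them before triage.
        return {"error": "not plain-text XML"}
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    f = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        # Accessibility services are <service> entries guarded by this permission.
        "accessibility_services": [
            s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == A11Y_BIND
        ],
        # Receivers registered for incoming SMS broadcasts.
        "sms_receivers": [
            r.get(A + "name") for r in root.iter("receiver")
            if any(a.get(A + "name") == SMS_ACTION for a in r.iter("action"))
        ],
    }
    # Neither trait is malicious alone; the pairing is what merits manual review.
    f["needs_review"] = bool(f["accessibility_services"]
                             and (f["sms_permissions"] or f["sms_receivers"]))
    return f

# Constructed sample manifest, not taken from the campaign.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Legitimate apps also use accessibility services or read SMS, so a `needs_review` result is a prompt for manual analysis rather than a verdict.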


Yaswant and Pratapagiri emphasized the importance of runtime visibility and protection for mobile applications.

“It is evident that modern malware is becoming more sophisticated, and targets are expanding, so runtime visibility and protection are crucial for mobile applications,” the researchers explained.

The Zimperium research article concludes with an invitation to explore Indicators of Compromise (IOCs) on their GitHub repository, providing a comprehensive list for security practitioners to bolster defenses against this evolving threat.
