Phishing goes mobile with cloned banking app into Google Play

Security experts at Lookout mobile security discovered a phishing campaign against an Israeli bank based which exploited a cloned mobile application.

Cloned mobile applications are increasily used as an attack vector for by bad actors, malicious code could be used to steal information, as an essential part of an extortion scheme or for fraudulent activities such as dialing premium numbers. A recent report issued by the mobile security company Lookout revealed that cloned banking app is targeting clients of a popular Israeli bank, the Mizrahi bank. The malicious app is a clone of legitimate Mizrahi Bank’s Android application and was available on the official Google Play app store since it has been removed.

“We alerted Google to the issue, which immediately removed the app. All Lookout users are protected from this app. The malware, called BankMirage, targets the customers of an Israeli bank called Mizrahi Bank. The authors put a wrapper around the bank’s legitimate app and redistributed it on the Google Play store, pretending to be the financial institution.”

The technique adopted by cyber criminals is consolidated, hackers have trojanized the legitimate app with BankMirage malware and redistributed it on the Google Play, but a particular has caught the attention of the experts at Lookout, which have noticed that the app targets the banking customer’s credentials as expected stealing only the user ID.

“Once the user ID is stored the app returns a message to the user saying that the login failed and to, instead, reinstall the legitimate banking app from the Play Store.”“Indeed, those whole built the malware inserted a comment into the code dictating that only the user ID be taken, not the passwords,” explains Meghan Kelly of Lookout.

This circumstance could reveal the real intent of the bad actors behind the BankMirage attacks, the attackers are collecting only user names probably because they want to use them in a spear phishing campaign later.

Likely, the attackers are collecting user names in order to phish customers of this particular bank later on for their credentials or authentication tokens, though it’s not clear why they didn’t do so with the mobile app.

“Once a victim opens the app, the malware loads the login form, which is an in-app html page that has been changed to siphon off the victim’s user ID’s as they enter their credentials. It’s effectively a phishing attack,” “Once the user ID is stored the app returns a message to the user saying that the login failed and to, instead, reinstall the legitimate banking app from the Play Store.” Kelly added.

The distribution of malicious apps via the official Google Play makes very effective and dangerous the operations conducted by cyber criminals, exploitation of trusted channels advantages large diffusion of mobile malware. Lookout invited mobile users to carefully review the apps they download checking developer’s reputation and suggest to disable the use of ‘Unknown sources’ for download to prevent dropped or drive-by-download app installs.

“You can, however, go on some instincts. For example, if you see a duplicate of the app you’re trying to download, one might not be legitimate. You can otherwise keep yourself safe by installing an app-scanning security solution on your phone, such as Lookout.” reports Lookout

Banking malware is a profitable sector for cybercrime, the experts observed a constant growth on a global scale, especially in the EU and Asia Pacific.

The experts have no doubts, the cyber criminals will intensify the illicit activities against financial institutions and mobile platform is a privileged attack vector.

Pierluigi Paganini

(Security Affairs –  phishing, mobile)