Yanbian Gang steals millions from mobile banking customers of South Korea

A Chinese hacking crew dubbed Yanbian Gang has siphoned data from mobile banking customers in South Korea during the past two years, according to a new report.

According to researchers at Trend Micro, the cybercriminals used fake banking apps with the same appearance (icons and user interface) as the legitimate mobile apps to trick users. They also used other popular apps, such as utilities, chat, portal and security apps, to lure users into their scam and steal their mobile banking credentials.

These bogus mobile apps transferred stolen user information (mobile phone numbers, bank account names, bank account numbers, login credentials and text messages) to the command and control servers.

The Yanbian Gang used several Android malware families to infect mobile banking customers. None of the malware used by the gang was distributed through Google Play or third-party app stores. The Yanbian Gang infected victims by sending malicious text messages, or by having other malicious code already present on the device download the malware component. The malware used by the Yanbian Gang consisted primarily of remote access tools (RATs) that gave the attackers complete control of the victims' mobile devices.

The list of malicious mobile apps used by the Yanbian Gang includes porn apps, the Google Play app and Adobe Flash Player. Researchers from Trend Micro examined a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app, while the remaining 13 were fake versions of other Google apps.

“Google apps were most commonly spoofed to target South Korean bank customers. We took a look at a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app while the remaining 13 were fake versions of other Google apps. Cybercriminals most likely spoofed Google apps because they normally came preinstalled in every Android mobile device. The fake apps sported the Google apps’ icons, which were deleted after installation,” states the report published by Trend Micro. “The hackers used fake banking and other popular apps to victimize more than 4,000 South Korean Android mobile banking customers throughout 2013 and 2014,” according to the Trend Micro research report. “They also used effective social engineering lures like ‘The Interview’ to bait victims into installing their fake apps.”

The group was named the Yanbian Gang after the Chinese region it is believed to operate in, the Yanbian Prefecture in Jilin.

Cybercriminal groups are usually composed of several members, each with a specific role in the gang. The Yanbian Gang, in particular, comprises four major players:

  • the cowboys, who collect the proceeds from successful attacks and pass them on to the organizer.
  • the translators, who localize the threats.
  • the malware creators, who develop the malware.
  • the organizer, who coordinates the operations.

The experts believe that the group has stolen millions of dollars from mobile banking customers of at least five banks in South Korea since 2013.

“In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials,” Huang blogged. “They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.” explained the researchers at Trend Micro.
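The quote above describes fake apps that copy a bank's label and icon and can even replace the genuine app. As an added illustration (not code from the Trend Micro report or from Security Affairs) of the defensive check this implies, the Python snippet below flags installed apps whose launcher label claims to be one of the spoofed banks or Google Play while the package name or signing-certificate fingerprint does not match an allowlist. Apart from com.android.vending (the real Play Store package name), the package names, fingerprints and the sample inventory are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: launcher label -> (expected package name, expected
# hex SHA-256 of the APK signing certificate). Real deployments would take
# these from the banks' published values; the bank package names and every
# fingerprint here are placeholders, not real values.
KNOWN_GOOD: Dict[str, Tuple[str, str]] = {
    "KB Kookmin Bank": ("com.example.kbstar", "AA" * 32),
    "Shinhan Bank": ("com.example.shinhan", "BB" * 32),
    "Google Play": ("com.android.vending", "CC" * 32),
}


@dataclass
class InstalledApp:
    label: str           # name shown on the launcher (what the victim sees)
    package: str         # Android package name
    signer_sha256: str   # hex SHA-256 of the signing certificate


def classify(app: InstalledApp) -> Optional[str]:
    """Return a finding if the app impersonates a monitored label, else None."""
    expected = KNOWN_GOOD.get(app.label)
    if expected is None:
        return None  # label does not claim to be a monitored app
    pkg, signer = expected
    if app.package != pkg:
        # Same label/icon, different package: the fake sits beside the real app.
        return f"{app.label}: label spoofed by unexpected package {app.package}"
    if app.signer_sha256.upper() != signer:
        # Same package name but a different signer: the real app was replaced.
        return f"{app.label}: package {pkg} signed by unknown certificate"
    return None


def scan(inventory: List[InstalledApp]) -> List[str]:
    """Run classify() over an app inventory and collect the findings."""
    return [f for app in inventory if (f := classify(app))]


# Constructed sample inventory covering the genuine, spoofed and replaced cases.
SAMPLE_INVENTORY = [
    InstalledApp("KB Kookmin Bank", "com.example.kbstar", "aa" * 32),  # genuine
    InstalledApp("Shinhan Bank", "com.example.smsfake", "DD" * 32),    # spoofed label
    InstalledApp("Google Play", "com.android.vending", "EE" * 32),     # replaced app
    InstalledApp("Calculator", "com.example.calc", "FF" * 32),         # not monitored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(finding)
```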

One of the attack schemes reported in the analysis published by Trend Micro used fake Internet Police apps to victimize South Korean mobile banking customers. Potential victims received SMS phishing messages that scared them with supposed investigations if they did not click a given link.

“When clicked, however, the link installed a malicious app in their devices that communicated with designated C&C servers to listen for commands,” the report notes about the “Internet Police” scare tactic. “We first spotted these malware in September 2013 and continued to see them till April 2014, proving the steadfast nature of the threats.”

Mobile platforms are a privileged target for threat actors. Recent research published by Alcatel-Lucent Motive Security Labs reported that 16 million mobile devices worldwide have been infected by malware, and that figure did not include China and Russia, two countries with a significant installed base of mobile devices.

Trend Micro last year published research on the Chinese underground market revealing that it doubled in size between 2012 and 2013 and that its offerings are very attractive to criminals, who can acquire anything needed for mobile scams, from SMS-forwarding Trojans to DDoS attack services.

Pierluigi Paganini

(Security Affairs –  Yanbian Gang, mobile)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
