A mammoth campaign targeting Iran’s banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets.
Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic’s most significant financial institutions — Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran — hackers were able to install and hide their copycat apps on victims’ phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards.
Apparently, that was just the opening salvo. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal.
And this new trove isn’t just bigger — it’s more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence.
285 Fake Banking Apps
The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that four more are in their sights.
Besides banks, the attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase.
To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. For example, one trick they use to avoid infrastructure takedowns involves a command-and-control server whose sole purpose is to distribute phishing links. As the researchers explained, this “allows for the server URL to be hardcoded on the application without the risk of being taken down.”
The group’s most notable new tactic, however, is how its apps abuse accessibility services.
“While using the accessibility API, they get a way to programmatically access the UI’s elements,” explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. For example, “they can request for dangerous permissions (such as reading SMS) and when the user is prompted to accept the permission, they click on ‘Accept’ before the user even sees the notification. Or they prevent uninstallation by clicking on ‘Cancel’ when the user tries to uninstall the app.”
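The defensive counterpart to the tactic Chiaraviglio describes is to know which apps on a device actually hold accessibility access, since a banking app has no legitimate reason to. The script below is an added example, not Zimperium's or Sophos' code: it parses the value of Android's `enabled_accessibility_services` secure setting (on a real device obtained with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The allowlist contents and the sample setting value are assumptions constructed for the example; the fake-bank package name is made up.

```shell
#!/bin/sh
# Audit the Android accessibility services enabled on a device.
# Real input: adb shell settings get secure enabled_accessibility_services
# The value is colon-separated "package/ServiceClass" entries, or "null"/empty
# when nothing is enabled.

# Packages expected to hold accessibility access (assumption: TalkBack only;
# extend with whatever your fleet legitimately uses).
ALLOWED_PACKAGES="com.google.android.marvin.talkback"

# Constructed sample: a screen reader plus a hypothetical fake banking app.
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/com.example.fakebank.AccService'

# flag_unexpected_services RAW_SETTING
# Prints one line per enabled service whose package is not allowlisted.
# Returns 0 when every enabled service is allowlisted, 1 otherwise.
flag_unexpected_services() {
    raw="$1"
    rc=0
    # Android reports "null" (or nothing) when no service is enabled.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Split the setting on ':' into positional parameters, then restore IFS.
    old_ifs=$IFS
    IFS=':'
    set -- $raw
    IFS=$old_ifs
    for entry in "$@"; do
        pkg=${entry%%/*}            # package name is everything before '/'
        allowed=no
        for a in $ALLOWED_PACKAGES; do
            if [ "$pkg" = "$a" ]; then
                allowed=yes
            fi
        done
        if [ "$allowed" = no ]; then
            printf 'UNEXPECTED accessibility service: %s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample (exit status kept at 0 so
# the script can be sourced or chained without aborting).
flag_unexpected_services "$SAMPLE_SETTING" || echo "review the flagged services above"
```

In practice the flagged package is the starting point, not the verdict: confirm with `adb shell pm list packages -f` where the APK came from (a sideloaded app sitting in an unusual path rather than a Play Store install is the common tell for this campaign), and treat an accessibility-enabled app that also holds SMS permissions as high priority.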
Thus far the fake apps have been limited to Android devices. But among the attackers’ infrastructure, the researchers did uncover phishing websites mimicking banking apps’ Apple App Store pages, indicating that the campaign may expand to iPhones in the near future.
Long before that happens, the campaign will have touched thousands. “Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used (since one of them is private) and there is no guarantee that they didn’t use other channels in the past.”