Minimal permissions are adequate for fraudulent Android financial applications
SonicWall Capture Labs Threat Research team recently discovered a campaign that asks users to enter their card details into a fraudulent bank application under the pretense of claiming reward points. The application also persuades users to grant SMS-related permissions. With those permissions it can intercept One-Time Password (OTP) messages and forward them to the attackers' server, which, combined with the stolen card details, gives the attackers what they need to authorize transactions in the victim's name and cause financial loss.
The fraudulent app's icon closely resembles the legitimate app's icon in color scheme, logo and overall visual elements. This resemblance creates a false sense of trust and familiarity: users may not notice any visual discrepancies and proceed to enter their card details without suspicion.
The fraudulent apps rely on just two permissions:
- SMS permission: to read incoming messages and pick out the bank's two-factor authentication (OTP) codes.
- INTERNET permission: to open a network connection and send the collected card details and intercepted messages to the attacker's server.
Neither permission is unusual on its own; the red flag is the combination in an app whose only stated purpose is handing out rewards, which needs neither.
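The permission pattern above is cheap to check during triage, before any dynamic analysis. The following script is an added example for this post, not SonicWall's tooling: it parses a decoded AndroidManifest.xml (the kind apktool produces) and flags an app that requests SMS access together with INTERNET while asking for little else. The two manifests embedded in it are constructed for illustration and are not taken from the sample; the receiver registered for SMS_RECEIVED with a high priority is a common way such apps see a message before the default SMS app, and is included here as an assumption about typical behavior rather than something the post states about this campaign.

```python
"""Triage a decoded AndroidManifest.xml for the OTP-theft permission pattern:
SMS access plus INTERNET in an app that needs neither for its stated purpose.

Added example for this post (not SonicWall's code). The manifests below are
constructed for illustration, not extracted from the real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read incoming SMS, and therefore bank OTPs.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
NETWORK_PERMISSION = "android.permission.INTERNET"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling the pattern described in the post:
# two permissions and a high-priority SMS receiver. Names are hypothetical.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Bank Rewards">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no SMS involvement.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def parse_manifest(xml_text: str) -> dict:
    """Extract requested permissions and any receivers listening for SMS."""
    root = ET.fromstring(xml_text)
    perms = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_receivers.append({
                    "name": recv.get(ANDROID_NS + "name"),
                    "priority": filt.get(ANDROID_NS + "priority"),
                })
    return {"permissions": perms, "sms_receivers": sms_receivers}


def triage(manifest: dict) -> dict:
    """Flag the SMS + INTERNET combination and describe why it matters."""
    perms = manifest["permissions"]
    sms = perms & SMS_PERMISSIONS
    net = NETWORK_PERMISSION in perms
    findings = []
    if sms and net:
        findings.append(
            "SMS access (%s) combined with INTERNET: OTPs can be read and "
            "sent off-device" % ", ".join(sorted(sms))
        )
        # A small permission set is not reassuring here: as the post notes,
        # these two are all the app needs to work.
        if len(perms) <= 3:
            findings.append("minimal permission set: only what OTP theft requires")
    for recv in manifest["sms_receivers"]:
        findings.append(
            "receiver %s listens for SMS_RECEIVED (priority %s)"
            % (recv["name"], recv["priority"])
        )
    return {"suspicious": bool(sms and net), "findings": findings}


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(parse_manifest(text))
        print(label, "->", "FLAG" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("   ", f)
```

This is a heuristic, not a verdict: legitimate messaging and authenticator apps also hold SMS permissions, so the output is a prompt to look at the app's stated purpose and network behavior, not a detection on its own.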
After installation, the app prompts the user to fill in their card details, enticing them with the promise of rewards.
Once the user enters their card details into the fraudulent app, it immediately transmits this sensitive information to the attacker's command-and-control (C&C) server.
The app also:
- stores the user and card information in a local database inside the application's folder on the device;
- reads incoming messages on the device and saves them in JSON format;
- sends the details of incoming messages to the C&C server.
At the time of writing, the file is detected by only a few security vendors on the threat intelligence sharing portal VirusTotal, which suggests it can spread widely before being blocked.
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):