Customers of eight Malaysian banks have had their online banking credentials stolen via a bogus Android app posing as a housekeeping service.
Initially noticed by MalwareHunterTeam last week and later analyzed by security experts at Cyble, this application is promoted via numerous bogus or copied websites and social media accounts that advertise the malicious APK ‘Cleaning Service Malaysia.’
“cleaningservicemalaysia.apk”: 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0
— MalwareHunterTeam (@malwrhunterteam) November 25, 2021
How Does It Work?
As explained by BleepingComputer, when users install the application, they are asked to approve at least 24 permissions, including ‘RECEIVE_SMS,’ which is unsafe because it allows the app to monitor and read all SMS messages received on the device.
This permission is being exploited to read SMS messages in order to collect one-time passwords and multi-factor authentication credentials used in e-banking applications, which are subsequently transferred to the cybercriminal’s server.
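A defender's triage of the permission pattern described above, as an added example (not from the original article or the researchers' analysis): it reads an AndroidManifest.xml that has already been decoded to text and flags SMS-read permissions, receivers for the incoming-SMS broadcast, and unusually long permission lists. The sample manifest, package name, finding labels and review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"  # incoming-SMS broadcast

# Constructed sample manifest (hypothetical package; not the real app's file).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaning">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml, max_expected_permissions=10):
    """Return permissions, SMS receivers and findings for a decoded manifest.

    max_expected_permissions is an assumed review threshold, not a standard.
    """
    root = ET.fromstring(manifest_xml)
    perms = sorted({e.get(ANDROID + "name") for e in root.iter("uses-permission")} - {None})
    receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == SMS_ACTION for a in r.iter("action"))
    ]
    sms = [p for p in perms if p in SMS_PERMS]
    findings = []
    if sms:
        findings.append("sms-read")          # app can see OTP/MFA texts
    if sms and "android.permission.INTERNET" in perms:
        findings.append("sms-read+network")  # codes can be sent off-device
    if receivers:
        findings.append("sms-receiver")      # component fires on each incoming SMS
    if len(perms) > max_expected_permissions:
        findings.append("excessive-permissions")
    return {"permissions": perms, "sms_receivers": receivers, "findings": findings}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A booking form has no functional need to read text messages, so any of the SMS findings on an app of this kind is reason enough to reject it before installation.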
When the fake app is launched, it will prompt the user to fill out a form in order to schedule a house cleaning.
The targets are asked to select a payment method as soon as they enter their cleaning service information, such as names, physical addresses, and phone numbers, into the malicious