Malicious Android Apps Targeting Iranian Banks

A second chapter of a malware campaign attacking Iranian banks was revealed in a report published by Zimperium: the first wave, which began in July 2023, involved around 40 infected apps, while more than 200 malicious apps are now linked to the activity, all targeting Iranian banks and their banking apps. The banks affected include Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.

The attacks use fake apps to obtain broad device privileges, bank login details and credit card details from customers. Zimperium’s research shows that the campaign has evolved over time, not only to attack a broader range of targets (e.g. cryptocurrency wallet apps) but also to use previously undocumented methods.

This includes abusing the Android accessibility service to grant the malware additional permissions, intercept SMS messages, prevent its own removal and click on user interface elements on the victim’s behalf.
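The accessibility-service abuse described above leaves a footprint in an app’s manifest: a service bound with the accessibility permission alongside SMS permissions, a combination a legitimate banking app rarely needs. The following triage heuristic is an added example written for this article, not code from Zimperium or the original report; it parses a constructed AndroidManifest.xml and flags that pairing. The package names and service names in the samples are made up.

```python
"""Manifest triage heuristic (added example, not from the original article).

Flags Android packages whose manifest declares an accessibility service together
with SMS permissions, the capability pairing reported in this campaign. The
manifests below are constructed samples; the package and service names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission / action identifiers.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS permissions, accessibility services and findings for a manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)

    # A service is an accessibility service if it is protected by the bind permission
    # or registers the accessibility intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if (_android_attr(svc, "permission") == ACCESSIBILITY_PERMISSION
                or ACCESSIBILITY_ACTION in actions):
            accessibility_services.append(_android_attr(svc, "name"))

    findings = []
    if accessibility_services and sms:
        findings.append("accessibility service combined with SMS access")
    elif accessibility_services:
        findings.append("declares an accessibility service")

    return {
        "package": package,
        "sms_permissions": sms,
        "accessibility_services": accessibility_services,
        "findings": findings,
    }


# Constructed sample: the capability pairing this article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["findings"] or "no findings")
```

The heuristic is a triage signal rather than a verdict: accessibility services have legitimate uses, so a hit should prompt a closer look at the APK, its signing identity and its distribution channel rather than an automatic block.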

Figure 1. List of malicious apps (source: zimperium.com)

Figure 1 shows a small part of the malicious apps, including several cryptocurrency wallets and banking apps.

Although the campaign is carried out mainly through Android apps, users of Apple’s iOS are also at risk: the phishing sites check whether the page is opened on an iOS device and, if so, redirect the victim to a website that mimics the iOS version of the Bank Saderat Iran app. The Android attacks in the campaign mainly targeted Samsung and Xiaomi devices.

The attackers have set up Telegram channels to leak stolen data, as well as GitHub repositories that store a list of command and control (C&C) server URLs and phishing links, allowing them to respond quickly to takedowns and other disruptions.

According to sources, thousands of victims were affected by the attacks; no reliable information is available about the extent of the damage caused.

Sources:

https://thehackernews.com/2023/11/200-malicious-apps-on-iranian-android.html

https://www.securityweek.com/hundreds-of-malicious-android-apps-target-iranian-mobile-banking-users/

https://www.darkreading.com/endpoint-security/deluge-of-nearly-300-fake-apps-floods-iranian-banking-sector

https://www.zimperium.com/blog/unveiling-the-persisting-threat-iranian-mobile-banking-malware-campaign-extends-its-reach/
