Authored by Dexter Shin
Many authorities companies present their companies on-line for the comfort of their residents. Additionally, if this service may very well be supplied by means of a cell app, it might be very handy and accessible. However what occurs when malware pretends to be these companies?
McAfee Cellular Analysis Crew discovered an InfoStealer Android malware pretending to be a authorities company service in Bahrain. This malware pretends to be the official app of Bahrain and advertises that customers can renew or apply for driver’s licenses, visas, and ID playing cards on cell. Customers who’re deceived by ads that they’re obtainable on cell will likely be supplied with the required private data for these companies undoubtedly. They attain customers in varied methods, together with Fb and SMS messages. Customers who aren’t acquainted with these assaults simply make the error of sending private data.
Detailed pretended app
In Bahrain, there’s a authorities company referred to as the Labour Market Regulatory Authority (LMRA). This company operates with full monetary and administrative independence underneath the steerage of a board of administrators chaired by the Minister of Labour. They supply a wide range of cell companies, and most apps present just one service per app. Nonetheless, this faux app promotes offering multiple service.
Determine 1. Authentic official LMRA web site
Determine 2. Pretend app named LMRA
Excluding essentially the most steadily discovered faux apps pretending LMRA, there are numerous faux apps included Financial institution of Bahrain and Kuwait (BBK), BenefitPay, a fintech firm in Bahrain, and even apps pretending to be associated to Bitcoin or loans. These apps use the identical strategies because the LMRA faux apps to steal private data.
Determine 3. Numerous faux apps utilizing the identical strategies
From the kind of app that this malware pretends, we are able to guess that the aim is monetary fraud to make use of the non-public data it has stolen. Furthermore, somebody has been affected by this marketing campaign as proven within the image under.
Determine 4. Victims of monetary fraud (Supply: Reddit)
Distribution technique
They distribute these apps utilizing Fb pages and SMS messages. Fb pages are faux and malware creator is consistently creating new pages. These pages direct customers to phishing websites, both WordPress weblog websites or customized websites designed to obtain apps.
Determine 5. Fb profile and web page with a hyperlink to the phishing website
Determine 6. One of many phishing websites designed to obtain app
Within the case of SMS, social engineering messages are despatched to trick customers into clicking a hyperlink in order that they really feel the necessity to urgently verify.
Determine 7. Phishing message utilizing SMS (Supply: Reddit)
What they need
When the person launches the app, the app reveals a big official icon for customers to be mistaken. And it asks for the CPR and telephone quantity. The CPR quantity is an unique 9-digit identifier given to every resident in Bahrain. There’s a “Confirm” button, however it’s merely a button to ship data to the C2 server. If customers enter their data, it goes on to the following display screen with out verification. This step simply shops the knowledge for the following step.
Determine 8. The primary display screen (left) and subsequent display screen of a faux app (proper)
There are numerous menus, however they’re all linked to the identical URL. The parameter worth is the CPR and telephone numbers enter by the person on the primary display screen.
Determine 9. All menus are linked to the identical URL
The final web page asks for the person’s full title, e mail, and date of delivery. After inputting all the things and clicking the “Ship” button, all data inputted to this point will likely be despatched to the malware creator’s c2 server.
Determine 10. All information despatched to C2 server
After sending, it reveals a completion web page to trick the person. It reveals a message saying you’ll obtain an e mail inside 24 hours. However it’s only a counter that decreases mechanically. So, it does nothing after 24 hours. In different phrases, whereas customers are ready for the affirmation e mail for twenty-four hours, cybercriminals will exploit the stolen data to steal victims’ monetary property.
Determine 11. Completion web page to trick customers
As well as, they’ve a payload for stealing SMS. This app has a receiver that works when SMS is acquired. In order quickly as SMS comes, it sends an SMS message to the C2 server with out notifying the person.
Determine 12. Payload for stealing SMS
Dynamic loading of phishing websites through Firebase
We confirmed that there are two kinds of these apps. There’s a kind that implements a customized C2 server and receives information straight by means of internet API, and one other kind is an app that makes use of Firebase. Firebase is a backend service platform supplied by Google. Amongst many companies, Firestore can retailer information as a database. This malware makes use of Firestore. As a result of it’s a official service supplied by Google, it’s tough to detect as a malicious URL.
For apps that use Firebase, dynamically load phishing URLs saved in Firestore. Subsequently, even when a phishing website is blocked, it’s doable to reply shortly to keep up already put in victims by altering the URL saved in Firestore.
Determine 13. Dynamically loading phishing website loaded in webview
We reported the Firebase URLs associated to this risk to Google and so they took immediate enforcement motion on them so they don’t seem to be obtainable anymore.
Conclusion
In accordance with our detection telemetry information, there are 62 customers have already used this app in Bahrain. Nonetheless, since this information is a quantity on the time of writing, this quantity is predicted to proceed to extend, contemplating that new Fb pages are nonetheless being actively created.
Current malware tends to focus on particular international locations or customers relatively than widespread assaults. These assaults could also be tough for basic customers to tell apart as a result of malware precisely makes use of the components wanted by customers dwelling in a selected nation. So we advocate customers set up safe software program to guard their gadgets. Additionally, customers are inspired to obtain and use apps from official app shops like Google Play Retailer or Apple AppStore. For those who can’t discover an app in these shops, you need to obtain the app supplied on the official web site.
McAfee Cellular Safety already detects this risk as Android/InfoStealer. For extra data, go to McAfee Cellular Safety.
Indicators of Compromise (IOCs)
Samples:
| SHA256 | Bundle Title | App Title |
| 6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c | com.ariashirazi.instabrowser | LMRA |
| 5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d | com.npra.bahrain.5 | LMRA Bahrain |
| b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb | com.npra.bahrain.5 | LMRA Bahrain |
| f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a | com.lmra.9.lmranine | LMRA |
| bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730 | com.stich.inches | Visa Replace |
| 8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba | com.ariashirazi.instabrowser | EasyLoan |
| 164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819 | com.ariashirazi.instabrowser | BTC Flasher |
| 94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44 | com.ariashirazi.instabrowser | BenefitPay |
| d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546 | com.lymors.lulumoney | BBK Mortgage App |
Domains:
- https[://]lmraa.com
- https[://]lmjbfv.website
- https[://]dbjiud.website
- https[://]a.jobshuntt.com
- https[://]store.wecarerelief.ca
Firebase (for C2):
- https[://]npra-5.firebaseio.com
- https[://]lmra9-38b17.firebaseio.com
- https[://]practice-8e048.firebaseio.com
