Android Malware Poses as Government App to Phish Sensitive Details in Bahrain

By Lore Apostol / June 3, 2024

The McAfee Mobile Research Team has uncovered InfoStealer Android malware masquerading as a Bahrain official app under The Labour Market Regulatory Authority (LMRA). The malware entices users with the promise of mobile access to services such as renewing and applying for driver’s licenses, visa applications, and ID cards. Lured by the convenience of these mobile services, unwitting users provide their personal information, and 62 users have already used this app in Bahrain.

The Minister of Labor chairs a board of directors that guides LMRA, which has financial and administrative independence. The agency provides several mobile services, mostly via dedicated apps for each service, while the malware app promotes offering several.

Various fake apps were also found that use the same techniques as the LMRA fake apps to steal personal information, trying to impersonate Bitcoin, loans, and fintech companies in Bahrain, the Bank of Bahrain and Kuwait (BBK), and BenefitPay, for instance.

Fake Android Malware Apps Targeting Bahrain
Image Credits: McAfee

These malicious apps are distributed through Facebook pages and SMS messages. The malware author constantly creates new Facebook pages that direct users to phishing sites, either WordPress blogs or custom sites, where they are prompted to download the apps.

When the user launches the app, it shows a large legitimate icon and various menus linked to the same URL. It asks for the CPR (a local exclusive 9-digit identifier) and phone number, and a “Verify” button sends information to the C2 server, storing the data for the next step.

McAfee Caught Malware Bahrain Android App
Image Credits: McAfee

The last page asks for the user’s full name, email, and date of birth. The completion page says the tricked user will receive an email within 24 hours, which never happens. Cybercriminals exploit the stolen information to steal victims’ financial assets. Similarly, social engineering SMS messages urge the receiver to confirm something by clicking a link.

As confirmed by the McAfee Mobile Research Team, there are two types of these apps: one that implements a custom C2 server and receives data directly through web API and another that uses Firebase, a legitimate backend service platform provided by Google that can store data as a database. The Firebase URLs related to this threat were reported to Google and are no longer available.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: