Android Malware Poses as Government App to Phish Sensitive Details in Bahrain

• A fake Android app poses as an official government agency service in Bahrain to gain access to sensitive user data.
• The malware promises people they can renew or apply for things such as driver’s licenses via mobile.
• The data is stolen when individuals enter their private information on phishing landing pages cleverly designed to deceive users. 

The McAfee Mobile Research Team has uncovered InfoStealer Android malware masquerading as a Bahrain official app under The Labour Market Regulatory Authority (LMRA). The malware entices users with the promise of mobile access to services such as renewing and applying for driver’s licenses, visa applications, and ID cards. Lured by the convenience of these mobile services, unwitting users provide their personal information, and 62 users have already used this app in Bahrain.

The Minister of Labor chairs a board of directors that guides LMRA, which has financial and administrative independence. The agency provides several mobile services, mostly via dedicated apps for each service, while the malware app promotes offering several.

Various fake apps were also found that use the same techniques as the LMRA fake apps to steal personal information, trying to impersonate Bitcoin, loans, and fintech companies in Bahrain, the Bank of Bahrain and Kuwait (BBK), and BenefitPay, for instance.

These malicious apps are distributed through Facebook pages and SMS messages. The malware author constantly creates new Facebook pages that direct users to phishing sites, either WordPress blogs or custom sites, where they are prompted to download the apps.

When the user launches the app, it shows a large legitimate icon and various menus linked to the same URL. It asks for the CPR (a local exclusive 9-digit identifier) and phone number, and a “Verify” button sends information to the C2 server, storing the data for the next step.

The last page asks for the user’s full name, email, and date of birth. The completion page says the tricked user will receive an email within 24 hours, which never happens. Cybercriminals exploit the stolen information to steal victims’ financial assets. Similarly, social engineering SMS messages urge the receiver to confirm something by clicking a link.

As confirmed by the McAfee Mobile Research Team, there are two types of these apps: one that implements a custom C2 server and receives data directly through web API and another that uses Firebase, a legitimate backend service platform provided by Google that can store data as a database. The Firebase URLs related to this threat were reported to Google and are no longer available.