Spoofed Asian Bank App Tricks People to “Invest” Thousands

  • A new tricky campaign is using well-crafted bank spoofing apps to convince users to “invest” in crypto.
  • The victims source the app from outside the store and then share sensitive information with the actors.
  • The investments go straight into the actors’ wallets, while victims are made to believe they’re holding the tokens.

There’s a new scamming campaign unfolding in Asian countries, using a cloned app that spoofs the portal of a well-known bank in the region. The real bank worked closely with Zimperium to uncover this campaign while it is still at an early stage, so this publication is to raise awareness and close the income tap for the actors.

The crooks have exploited a recent announcement from the actual financial organization about developing a digital exchange, which invites people to invest and trade using the new token. Dozens have downloaded the spoofed app, losing an average of $1,500 in fake investments.

The app isn’t available on the Google Play Store, but victims are led to its distribution portals through phishing links, third-party sites, forum posts, social media messages, etc. So far, no mobile AV solutions detect the app as malicious because it doesn’t feature anything suspicious in its code.

The cloned app relies on social engineering and straight-out trickery on the human level, even featuring active customer support to ensure that the “complete package” is presented to the victims.

Source: Zimperium

Upon registration, victims give away their email address, account number, organization code (typo here), and a password that could be used in future credential stuffing attacks. To add legitimacy to this step as well, the app generates a verification email, which is sent to the user’s email address.

Once this step is over, the victim accesses the crypto trade app, which looks pretty legit too. The app fetches price changes from the market, so the token value and the exchange rates are dynamically updated on the app, giving an overly convincing image to the user.

The victim is tricked into adding funds on the app to invest in the token, or BTC, or even ETH. This money shows up on the app’s wallet management page, so users get a sense of control and believe they are the holders, but the real amounts have already been directed straight to actor-controlled wallets.

As Zimperium warns, this campaign is really just the beginning for these actors, as the researchers have already noticed them targeting a second bank. With the themes, the code, and the customer support lines up and running, nothing is stopping the actors from updating their themes and trying again.

That said, do not trust any apps sourced from outside the Google Play Store. A bank app should always be present on the official Android store. Otherwise, it’s not safe to use, even if it’s the real one.