Spoofed Asian Bank App Tricks People to “Invest” Thousands

Written by Bill Toulas
Last updated September 25, 2021

There’s a new scamming campaign unfolding in Asian countries, using a cloned app that spoofs the portal of a well-known bank in the region. The real bank worked closely with Zimperium to uncover this campaign while it is still at an early stage, so this publication aims to raise awareness and close the income tap for the actors.

The crooks have exploited a recent announcement from the actual financial organization about developing a digital exchange, which invites people to invest and trade using the new token. Dozens have downloaded the spoofed app, losing an average of $1,500 in fake investments.

The app isn’t available on the Google Play Store, but victims are led to its distribution portals through phishing links, third-party sites, forum posts, social media messages, etc. So far, no mobile AV solutions detect the app as malicious because it doesn’t feature anything suspicious in its code.

The cloned app relies on social engineering and straight-out trickery on the human level, even featuring active customer support to ensure that the “complete package” is presented to the victims.

Source: Zimperium

Upon registration, victims give away their email address, account number, organization code (typo here), and a password that could be used in future credential stuffing attacks. To add legitimacy to this step as well, the app generates a verification email, which is sent to the user’s email address.

Once this step is over, the victim accesses the crypto trade app, which looks pretty legit too. The app fetches price changes from the market, so the token value and the exchange rates are dynamically updated on the app, giving an overly convincing image to the user.

The victim is tricked into adding funds on the app to invest in the token, or BTC, or even ETH. This money shows up on the app’s wallet management page, so the user gets a sense of control and believes he is the holder, but the real amounts have already been directed straight to actor-controlled wallets.

As Zimperium warns, this campaign is really just the beginning for these actors, as its researchers have already noticed them targeting a second bank. With the themes, the code, and the customer support lines already up, nothing is stopping the actors from updating their themes and trying again.

That said, do not trust any apps sourced from outside the Google Play Store. A bank app should always be present on the official Android store. Otherwise, it’s not safe to use, even if it’s the real one.
