The popularity of online shopping has been growing during the past few years, a trend accelerated by the pandemic. To make this already convenient way of never having to leave the couch to buy new things even more convenient, people are increasingly using their smartphones instead of computers to shop: in Q1 2021, smartphones accounted for 69% of all retail website visits worldwide, and smartphone purchases made up 57% of online shopping orders. A noteworthy aspect of buying goods and services via a mobile device is that 53% of smartphone users do it from vendor-specific applications.

Seeking the opportunity to make a profit off this behavior, cybercriminals exploit it by tricking eager shoppers into downloading malicious applications. In an ongoing campaign targeting the customers of eight Malaysian banks, threat actors are trying to steal banking credentials by using fake websites that pose as legitimate services, sometimes outright copying the original. These websites use similar domain names to the services they are impersonating the better to attract unsuspecting victims.

Campaign overview

This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.

On top of that, ESET researchers found four more fake websites. All seven websites impersonated services that are only available in Malaysia: six of them, Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, offer cleaning services, and the seventh is a pet store named PetsMore. The side-by-side comparison of the legitimate and copycat versions of Grabmaid and PetsMore can be seen in Figures 1 and 2, respectively.

Figure 1. Grabmaid: legitimate website on the left, copycat on the right

Figure 2. PetsMore: legitimate website on the left, copycat on the right

The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons does not actually lead to the Google Play store, but to servers under the threat actors’ control. To succeed, this attack requires the intended victims to enable the non-default “Install unknown apps” option on their devices. Interestingly, five of the seven legitimate versions of these services do not even have an app available on Google Play.

To appear legitimate, the applications ask the users to sign in after starting them up; there is however no account validation on the server side – the software takes any input from the user and always declares it correct. Keeping up the appearance of an actual e-shop, the malicious applications pretend to offer goods and services for purchase while matching the interface of the original stores (see Figure 3 for a screenshot of the shopping cart in one of the malicious apps). When the time comes to pay for the order, the victims are presented with payment options – they can pay either by credit card or by transferring the required amount from their bank accounts. During our research, it was not possible to pick the credit card option.

Figure 3. The shopping cart in a malicious application

As we already mentioned, the goal of the malware operators is to obtain the banking credentials of their victims. After picking the direct transfer option, victims are presented a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided, and then enter their credentials. The targeted banks are Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank, as seen in Figure 4.

Figure 4. Targeted banks

After unfortunate victims submit their banking credentials, they receive an error message informing them that the user ID or password they provided was invalid (Figure 5). At this point, the entered credentials have been sent to the malware operators, as Figure 6 shows.

Figure 5. Error message displayed to the victim after credentials are exfiltrated

Figure 6. Credentials being sent to the attacker’s server

To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain Two-Factor Authentication (2FA) codes sent by the bank (see Figure 7).

Figure 7. All received SMS messages are forwarded to the attacker’s server

Malware description

The observed malware is rather minimalistic: it is designed to request only one user permission, which is to read received SMS messages. Its goal is to phish for banking credentials and forward 2FA SMS messages from the compromised device to the operators. Lacking the functionality to remove SMS messages from the device, the malware cannot hide that somebody is trying to get into the victim’s bank account.

So far, the malware has been targeting only Malaysia – both the e-shops it impersonates and the banks whose customers’ credentials it is after are Malaysian, and the prices in the applications are all displayed in the local currency, the Malaysian Ringgit.

One of the services impersonated in the campaign, MaidACall, has already warned its users of this fraudulent campaign via a Facebook post (see Figure 8). The rest have not publicly commented on the issue yet.

Figure 8. Warning post by a service that was impersonated during the campaign

We have found the same malicious code in all three analyzed applications, leading us to conclude that they can all be attributed to the same threat actor.

Takeaways

To protect yourself against this type of threat, first, try to ensure that you are using legitimate websites to shop:

  • Verify if the website is secure, i.e., its URL begins with https://. Some browsers might even refuse to open non-HTTPS websites and explicitly warn users or provide an option to enable HTTPS-only mode.
  • Be wary of clicking ads and do not follow paid search engine results: it is possible that they do not lead to the official website

Apart from looking out for fake websites, here are some other useful tips to enjoy a safer online shopping experience on your smartphone:

  • Pay attention to the source of applications you are downloading. Make sure that you are actually redirected to the Google Play store when getting an application
  • Use software or hardware 2FA instead of SMS when possible
  • Use mobile security solutions to detect harmful websites and malicious apps

Conclusion

The observed campaign is a fake e-shop scheme targeting the banking credentials of Android users in Malaysia. It exploits the popularity of using smartphones to shop online. Instead of phishing for banking credentials on websites, the threat actors have introduced Android applications into the chain of compromise, thus making sure they have access to 2FA SMS messages the victim is likely to receive. The scheme relies on using ads to lure potential victims into accessing copycat versions of legitimate websites. Once there, a fake Google Play download button directs them towards a malicious application distributed by the malware operators via a third-party site.

While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on. At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Indicators of compromise (IoCs)

Samples

First seen MD5 SHA-1 SHA-256 Package name Description C&C ESET detection name
2022-01-04 CB66D916831DE128CCB2FCD458067A7D ABC7F3031BEC7CADD4384D49750665A1899FA3D4 9B4A0019E7743A46B49A4D8704FFD6E064DB2E5D8DB6DA4056F7EAE5369E16F9 com.app.great Malicious app impersonating Grabmaid service. muapks[.]online Android/Spy.SmsSpy.UZ
2022-02-23 8183862465529F6A46AED60E1B2EAE52 BEDDFE5A26811DCCCA7938D00686F8F745424F57 E949BAC52D39B6E207A7943EC778D96D8811FB63D4A037F70E5B6E6706A12986 com.app.great Malicious app impersonated Maria’s Cleaning service. m4apks[.]online Android/Spy.SmsSpy.UZ
2022‑02‑08 B6845141EC0F4665A90FB16598F56FAC 1C984FB282253A64F11EE4576355C1D5EFBEE772 D1017952D1EF0CEEC6C2C766D2C794E8CC4FB61B2FFA10ED6B6228E8CADF0B39 com.app.great Malicious app impersonating Maid4u service. maid4uapks90[.]online Android/Spy.SmsSpy.UZ
2022-01-03 43727320E8BF756FE18DB37483DAD0A0 E39C485F24D239867287DCD468FC813FDB5B7DB6 5F8A54D54E25400F52CE317BFDBBC866E11EA784AB2D5E3BD0A082A53C6B2D7B com.app.services Malicious app impersonating MaidACall service. grabsapks[.]online Android/Spy.SmsSpy.UZ
2022‑02‑09 C51BC547A40034F4828C72F37F2F1F39 1D33F53E2E9268874944C2F52E31CCAF2BF46A93 D8BE8F7B8B224FCA2BB3E7632F6B97B67A74202DC4456F8A79A8856B478C0C6E com.app.great Malicious app impersonating MaidACall service. grabmyapks90[.]online Android/Spy.SmsSpy.UZ
2022-01-08 4BEC6A07E881DB1A950367BEB1702ADA 9A5A57BF49DBBEF2E66FEE98E5C97B0276D03D28 A5C7373BE95571418C41AF0DE6A03CE78E82BC1F432E662C0DC42B988640E678 com.pets.lover Malicious app impersonating PetsMore service. m4apks[.]online Android/Spy.SmsSpy.UZ
2022-01-17 4FD6255562B2A29C974235FD21B8D110 BA78B1177C3E2A569A665611E7684BCEEAF2168F DFF93FD8F3BC26944962A56CB6B31246D2121AE703298A86F20EA9E8967F6510 com.app.great Malicious app impersonating PetsMore service. m4apks[.]online Android/Spy.SmsSpy.UZ
2022-01-30 C7DCBD2B7F147A6450C62A8D67207465 0E910AD1C33BEF86C9FDBBE4654421398E694329 A091B15F008B117167A17A8DB4C19E60BD9C99F1047BC82D60E3FD42157333AE com.app.great Malicious app impersonating YourMaid service. grabmaidsapks80[.]online Android/Spy.SmsSpy.UZ
2021-10-09 71341FC2958E65D208F2770185C61D7A 5237D3FAE84BB5D611C80338CF02EB3793C30F02 4904C26E90DC4D18AD6A2D291AF2CD61390661B628F202ABFEDDF8056502F64A com.company.gamename Malicious app impersonating Maid4u service. 124.217.246[.]203:8099 Android/Spy.SmsSpy.UJ
2021-12-13 CF3B20173330FEA53E911A229A38A4BC B42CD5EC736FCC0D51A1D05652631BE50C9456A0 6DB2D526C3310FAD6C857AA1310F74DC0A5FE21402E408937330827ACA2879B7 com.great.blue Malicious app impersonating Maideasy service. meapks[.]xyz Android/Spy.SmsSpy.UZ

Network

IP Provider First seen Details
185.244.150[.]159 Dynadot 2022-01-20 19:36:29 token2[.]club
Distribution website
194.195.211[.]26 Hostinger 2022-01-08 14:33:32 grabamaid-my[.]online
Distribution website
172.67.177[.]79 Hostinger 2022-01-03 08:20:50 maidacalls[.]online
Distribution website
172.67.205[.]26 Hostinger 2022-01-03 13:40:24 petsmore[.]online
Distribution website
172.67.174[.]195 Hostinger 2022-02-23 00:45:06 cleangmy[.]site
Distribution website
N/A Hostinger 2022-01-24 17:40:14 my-maid4us[.]site
Distribution website
N/A Hostinger 2022-01-27 14:22:10 yourmaid[.]online
Distribution website
194.195.211[.]26 Hostinger 2021-11-19 05:35:01 muapks[.]online
C&C server
194.195.211[.]26 Hostinger 2021-11-19 05:23:22 grabsapks[.]online
C&C server
104.21.19[.]184 Hostinger 2022-01-20 03:47:48 grabmyapks90[.]online
C&C server
104.21.29[.]168 Hostinger 2021-12-22 12:35:42 m4apks[.]online
C&C server
172.67.208[.]54 Hostinger 2022-01-17 09:22:02 maid4uapks90[.]online
C&C server
172.67.161[.]142 Hostinger 2022-01-22 06:42:37 grabmaidsapks80[.]online
C&C server
2.57.90[.]16 Hostinger 2022-01-10 23:51:29 puapks[.]online
C&C server
124.217.246[.]203 Hostinger 2021-09-15 03:50:28 124.217.246[.]203:8099
C&C server
172.67.166[.]180> Hostinger 2021-12-24 15:54:34 meapks[.]xyz
C&C server

MITRE ATT&CK techniques

This table was built using version 10 of the ATT&CK framework.

Tactic ID Name Description
Initial Access T1444 Masquerade as Legitimate Application Fake websites provide links to download malicious Android apps.
T1476 Deliver Malicious App via Other Means Malicious apps are delivered via direct download links behind fake Google Play buttons.
Credential Access T1411 Input Prompt Malware displays fake bank log in screens to harvest credentials.
T1412 Capture SMS Messages Malware captures received SMS messages so it has 2FA codes for bank logins.
Collection T1412 Capture SMS Messages Malware captures received SMS messages that might contain other interesting data besides 2FA codes for bank logins.
Exfiltration T1437 Standard Application Layer Protocol Malicious code exfiltrates credentials and SMS messages over standard HTTPS protocol.