The campaign
Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that targets Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data.
The cross-platform threat has received the codename SarangTrap from Zimperium zLabs. Notably, users in South Korea appear to be the primary focus.
“This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications,” security researcher Rajat Goyal stated.
How it works
The bogus domains, which impersonate legitimate app store listing pages, serve as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images while maintaining an illusion of legitimacy.
Once users install the apps, the Android applications prompt the victim to enter an invitation code, which the app then validates against a command-and-control (C2) server. After validation, the app proceeds to request sensitive permissions that allow it access to SMS messages, contact lists, and files under the pretext of offering the advertised functionality.
Coupling the activation of the malicious behavior to an invitation code is, by turns, clever and sneaky: until a valid code is entered, the app behaves like an inert dating or social app, so it sidesteps dynamic analysis and antivirus scans while silently hoovering up data once activated.
The iOS version of the campaign entices users into installing a deceptive mobile configuration profile on their device. The campaign then uses this profile to install the app, which harvests contacts and the photo library.
The campaign is said to be in active development, with newer variants of the malware samples limiting themselves to collecting contacts, images, and device information and sending them to an external server. Additionally, there is evidence that the threat actors behind the activity have resorted to blackmailing victims with threats to share personal videos with family members.
“This unsettling story is not an isolated incident; it highlights the psychological manipulation and social engineering tactics that these campaigns employ to take advantage of emotional vulnerability,” Goyal explained.
“Victims are enticed into installing malware with the promise of companionship, only to discover that they are caught in a cycle of surveillance, extortion, and humiliation.”
The disclosure comes in the wake of another campaign that has set up 607 Chinese-language domains to distribute malicious application files (APKs) posing as the Telegram messaging app via a QR code embedded on the site. This campaign executes remote commands in real-time to enable data theft, surveillance, and control over the device using the MediaPlayer API.
“The APK was signed with a v1 signature scheme, making it vulnerable to the Janus vulnerability on Android 5.0 – 8.0,” BforeAI stated. “This vulnerability allows attackers to craft deceptive applications.”
“After crafting the malicious application, they then repackage it using its original v1 signature. This modification goes undetected, allowing the compromised app to install without causing suspicion. In essence, it enables attackers to make an app more dangerous, redistribute it as an APK, and trick users (especially on older devices) into installing it while completely bypassing security checks.”
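The Janus weakness described above only matters when an APK carries nothing but a v1 (JAR) signature: v1 verifies the ZIP entries, not the file as a whole, so bytes can be prepended to the archive without invalidating it, while the v2/v3 schemes sign the entire file and live in an APK Signing Block placed just before the ZIP central directory. The following Python is an added example, not code from the article or from BforeAI, that checks which schemes an APK declares by walking the ZIP end-of-central-directory record and that block. It constructs its own sample APKs (placeholder signature bytes, not real signatures) so it runs offline; the helper that splices in a signing block exists only to produce a test input.

```python
import io
import struct
import zipfile

# Magic that terminates the APK Signing Block (sits immediately before the central directory)
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# ID-value pair identifiers defined by the APK Signature Scheme v2/v3 specs
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}


def _find_eocd(data: bytes) -> int:
    """Return the offset of the ZIP end-of-central-directory record."""
    # EOCD is 22 bytes plus an optional trailing comment of at most 65535 bytes
    window = min(len(data), 22 + 0xFFFF)
    idx = data.rfind(b"PK\x05\x06", len(data) - window)
    if idx < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    return idx


def apk_signature_schemes(data: bytes) -> dict:
    """Report which signature schemes an APK carries (presence only, no verification)."""
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]

    # v1 (JAR signing) shows up as a signature block file under META-INF/
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_v1 = any(
        n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        for n in names
    )

    # v2+ live in the APK Signing Block: <uint64 size> <pairs> <uint64 size> <magic> <central dir>
    block_schemes = set()
    if cd_offset >= 32 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
        start = cd_offset - size - 8
        if start >= 0 and struct.unpack_from("<Q", data, start)[0] == size:
            pos, end = start + 8, cd_offset - 24
            while pos + 12 <= end:
                length, pair_id = struct.unpack_from("<QI", data, pos)  # length covers ID + value
                block_schemes.add(SIG_SCHEME_IDS.get(pair_id, f"unknown-0x{pair_id:08x}"))
                pos += 8 + length

    return {"v1": has_v1, "block": sorted(block_schemes), "v1_only": has_v1 and not block_schemes}


def build_v1_only_apk() -> bytes:
    """Constructed sample: a minimal JAR-signed-looking APK with no APK Signing Block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder bytes, not a real PKCS#7 signature
    return buf.getvalue()


def add_signing_block(apk: bytes, pair_ids) -> bytes:
    """Splice a placeholder APK Signing Block in front of the central directory and fix the EOCD offset."""
    eocd = _find_eocd(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 16, pid) + b"\x00" * 16 for pid in pair_ids)
    size = len(pairs) + 8 + 16  # everything after the leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_offset] + block + apk[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    print(apk_signature_schemes(build_v1_only_apk()))
    print(apk_signature_schemes(add_signing_block(build_v1_only_apk(), [0x7109871A, 0xF05368C0])))
```

A `v1_only` result on an app distributed outside Google Play is the condition the BforeAI quote describes; on a real sample, confirm with `apksigner verify --verbose --print-certs app.apk`, which performs the actual cryptographic verification this presence check deliberately does not.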
Mimicking legitimate apps
Mimicking trusted and popular online platforms has proven to be a successful compromise vector, as evidenced by Android campaigns targeting Indian bank customers and Bengali-speaking users, particularly people from Bangladesh living in Saudi Arabia, Malaysia, and the United Arab Emirates. These campaigns use malicious apps posing as financial services distributed via phishing sites and Facebook pages.
The applications are designed to deceive users into entering their personal information as part of a supposed account creation process, while also capturing data provided by them in fake transaction interfaces engineered to simulate mobile money transfers, bill payments, and bank transfers. In reality, no actual transaction occurs.
“While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities,” McAfee Labs researcher Dexter Shin noted.
The malware that impersonates Indian banking services actively leverages Firebase for command-and-control (C2) operations. Additionally, it utilizes phishing pages to mimic genuine user interfaces, allowing it to harvest a wide range of data, including debit card details and SIM information. Furthermore, it features call forwarding and remote calling functions.
RedHook in Vietnam
Another Asian country that has become a target of Android malware attacks is Vietnam. In this case, phishing sites posing as financial and government institutions propagate a new banking trojan dubbed RedHook.
“It communicates to the command-and-control (C2) server using WebSocket and supports over 30 remote commands, enabling complete control over compromised devices,” Cyble said. “Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group.”
A notable feature of RedHook lies in its combination of keylogging and remote access trojan (RAT) capabilities, which facilitate credential theft and financial fraud. It also abuses Android’s accessibility services to perform overlay attacks and leverages the MediaProjection API to capture screen content.
Although the campaign is new, an exposed AWS S3 bucket used by the threat actor has revealed uploaded screenshots, fake banking templates, PDF documents, and images detailing the malware's behavior, dating back to November 27, 2024.
“The discovery of RedHook highlights the growing sophistication of Android banking trojans that combine phishing, remote access, and keylogging to carry out financial fraud,” the company added. “By leveraging legitimate Android APIs and abusing accessibility permissions, RedHook stealthily gains deep control over infected devices while remaining under the radar of many security solutions.”
Malicious Android APKs masquerading as popular brands exploit social engineering and off-market distribution channels to siphon data and hijack network traffic for monetization purposes. Often, these tactics aim to simulate user activity to inflate ad metrics or redirect users through affiliate funnels for illicit revenue generation.
In addition to incorporating checks for sandboxed and virtualized environments, the apps feature a modular design that allows them to activate advanced functionality at will.
“It leverages the open-source tool ApkSignatureKillerEx to subvert Android’s native signature verification process, allowing the injection of a secondary payload (origin.apk) into the application’s directory,” Trustwave SpiderLabs said. “This effectively reroutes execution to malicious code while preserving the app’s appearance as a legitimate, properly signed package, both to the operating system and users.”
The campaign has not been attributed to any known threat actor or group. However, the use of ad fraud tactics suggests a possible connection to Chinese-speaking criminal groups.
Malware-as-a-service (MaaS)
That’s not all. New research from iVerify reveals that setting up new Android-focused campaigns can be as easy as renting a malware-as-a-service (MaaS) kit like PhantomOS or Nebula for a monthly subscription, which further lowers the bar for cybercrime.
“Some of these kits come with features like 2FA interception, the ability to bypass antivirus software, silent app installs, GPS tracking, and even phishing overlays that are specific to a brand,” researcher Daniel Kelley said. “The platforms come with everything they need, like support through Telegram, backend infrastructure, and built-in ways to get around Google Play Protect.”
Also offered on underground forums are crypters and exploit kits that allow the malware to stay under the radar and spread infections at scale using social engineering techniques. One such tool is Android ADB Scanner, which looks for open Android Debug Bridge (ADB) ports and pushes a malicious APK file without the victim’s knowledge. The service is available for around €600-€750.
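Tools like the ADB scanner above work because a device with ADB-over-TCP enabled and no key authorization answers a CONNECT message with a CONNECT of its own, after which `adb install` needs no user interaction. The following Python is an added example, not code from the article, from iVerify or from the scanner it names: a read-only fleet check that speaks the first message of the public ADB wire protocol (24-byte little-endian header, byte-sum checksum, magic = command XOR 0xFFFFFFFF) and classifies the reply. It sends nothing beyond CNXN. The host identity string, port 5555 and the sample device banner are assumptions, and the replies in the test are constructed rather than captured.

```python
import socket
import struct

# ADB wire protocol: 24-byte header, all fields little-endian uint32
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
A_CNXN = 0x4E584E43  # "CNXN": connection request, and the device's reply when no auth is needed
A_AUTH = 0x48545541  # "AUTH": device demands RSA key authorization first
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096


def _checksum(payload: bytes) -> int:
    # Legacy adb checksum: plain byte sum, truncated to 32 bits
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    header = HEADER.pack(command, arg0, arg1, len(payload), _checksum(payload),
                         command ^ 0xFFFFFFFF)
    return header + payload


def build_cnxn(identity: bytes = b"host::\x00") -> bytes:
    """The CONNECT message an adb client sends as its first packet (identity string assumed)."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_message(buf: bytes) -> dict:
    if len(buf) < HEADER.size:
        raise ValueError("short ADB header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("magic mismatch: not an ADB message")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def classify_reply(buf: bytes) -> str:
    """Turn the device's first reply into a verdict a fleet scan can act on."""
    msg = parse_message(buf)
    if msg["command"] == A_CNXN:
        # Identity is "<type>:<serial>:<banner>"; the banner is k=v pairs separated by ';'
        ident = msg["payload"].rstrip(b"\x00").decode("utf-8", "replace")
        banner = ident.split(":", 2)[-1]
        props = dict(kv.split("=", 1) for kv in banner.split(";") if "=" in kv)
        return "OPEN: unauthenticated ADB, model=" + props.get("ro.product.model", "?")
    if msg["command"] == A_AUTH:
        return "REACHABLE: ADB answers but requires RSA authorization"
    return "UNKNOWN: ADB-like reply command=0x%08x" % msg["command"]


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed connection")
        data += chunk
    return data


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Connect, send CNXN, read exactly one reply message, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[3]
        return classify_reply(header + _recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

An "OPEN" verdict on any device you own is exactly the precondition the scanner sold on those forums looks for; "REACHABLE" still means the debug port is exposed to the network and should be closed (`adb usb`, or disabling USB debugging) even though a push would be refused.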
“Perhaps the most interesting development in this ecosystem is the commoditization of infected devices themselves,” Kelley noted. “So-called ‘install’ markets let cybercriminals buy access to already compromised Android devices in bulk.”
Markets such as Valhalla offer devices compromised by banking trojans like ERMAC, Hook, Hydra, and Octo in a chosen country for a fee. This approach eliminates the need for attackers to distribute malware or infect devices on their own. Instead, they can simply acquire a network of existing bots to carry out activities of their choice.
To mitigate the risks posed by such apps, be wary of apps that demand unusual permissions or require an invitation code. Avoid downloading apps from untrusted sources or unofficial app stores, and periodically review the permissions granted to installed apps and, on iOS, any installed configuration profiles.
Source: TheHackerNews