This post was authored by Fareed.
This blog post is intended to give a better overall picture of a malicious Android app campaign attack that believes to be targeted at Malaysians. The threat actor set up several modus operandi from Maid clean services application, toward island travel based app, and now they're using Petronas as their new theme.
This blog post might useful for security engineers, Android researchers, and security analysts to catch up with current cybersecurity issues specifically mobile malware threats and Malaysia cyber security news. By the end of this blog post, readers will understand the inner working of this recent Android malware attack that happened to the compromised user. Furthermore, security analysts can collect the given IOCs extracted from the malware to check whether the environment of your organization or any contact of you has been compromised or not.
Non-technical Executive Summary
For non-technical background, this is an Android malicious application analysis that was conducted and investigated by the Netbytesec team to understand the behavior of the malicious Android application in a details manner so that we can verify how the scammed victims were being compromised or we can call it "hacked" by the scammer using this Android application installed in victim's phone. The application will phish the user to enter their bank credential in the fake payment page of FPX and credit card and also steal all victims’ SMS content. The impact of this application can expose the information of victims’ banking information to the scammer/hacker and then, the attacker might make the illegal bank transaction by leveraging the SMS stealer as an OTP number is needed to make the bank transaction.
The Netbytesec (NBS) team has conducted an Android malware analysis on a lure Android Package Kit (APK) sample associated with Petronas as contained in the application's name and theme. The malicious Android application can be downloaded from a landing page set up by the threat actor on the internet while the campaign is going on. While using the eCommerce-based application, the victims need to make the payment of their shopping cart using a fake FPX page and fake Credit Card payment page in the application like the common banking credential stealer application targeting Malaysian banks. On top of that, after the malicious APK is installed on the victim’s Android phone, the malicious APK will steal all incoming SMS from the victim. The impact of such phishing methods and SMS stealers of this Android application can lead to the scammer could use the information to perform illegal bank transactions as they have got all important information to retrieve their goals including online banking credentials, bank card information, and SMS records for stealing the OTP code. NBS threat analysts also suspect that the actor behind this MyPetronas application is the same as malicious Cleaning Services Malaysia, Maid4u, KleanHouz, Ikea and Travel scam applications as we found the same pattern of decompiled code of the APK, webview and API server URLs path of the scammer.
|Figure 1: MyPetronas malicious APK|
Graph flow of the malicious Android Application
|Figure 2: Graph flow of the malware|
APK Metadata information
Application name: MyPetronas
Package Name: com.app.homecleaning
MD5 hash: f7d4a2b5fdb45c258fccd3059d12fee9
Dangerous permission: android.permission.READ_SMS
|Figure 3: Metadata of the application|
From the package name, we can get the clue that the threat actor of this malicious bank stealer application is the same as the other home cleaning application we've heard in the news that also targets Malaysian. The threat actor might use the same template of the Android source code and forgot to change the package name.
Landing page overview
The application's APK file is available to be downloaded at the landing page that has been set up by the threat actor at pt-gift.store. Based on the landing page UI, the scammer uses the Petronas theme to lure customers to download and install the malicious application if the customer wanted to book the package of Car Service package.
|Figure 4: Landing page pt-gift.store.|
Application behavior and interface
Upon opening the application for the first time, the application will ask the user to set the malicious MyPetronas application as the default SMS app in order for the application to silently gets access to the SMS content.
|Figure 5: Set the application as default Message app|
The behavior of this can be seen in the java decompile code of the APK in the MainActivity class at method OnCreate.
|Figure 6: Code to set the application as default SMS app|
If user don't set the application as the default SMS app, the application will not proceed to open the main interface and exit the application right away.
Upon entering the main interface of the application, the application will show the list of the products of Petronas engine oil with a price tag which can be seen in the menu "Shop". The user needs to choose their interested Petronas engine oil in order to book the car service package.
|Figure 7: Shop menu contains list of products|
Upon clicking on one of the items, the application will be brought to the description page, and then proceed to book the service by clicking the "BOOK NOW" button.
|Figure 8: Product description|
In the booking chart, the user will then go to the checkout page to confirm the booking by filling in the personal information such as Name, IC, phone number, address, and booking date. It also appeared that users have two options for payment methods which are FPX payment and Credit card. Once victims fill out the form and choose the payment method, the victims will be served with the fake FPX page or fake iPay88 credit card page.
|Figure 9: User form and online payment option to confirm booking|
Confirming the booking will make all the information will be POST to the attacker API web server served at hxxps://lapks[.]online/skyblue_888a/api/api.php?post_order.
The figure below shows the filled data in the user form sent to the API server using the POST method.
|Figure 10: Intercept POST request of the data|
After the data successfully send to the API server, the application will redirect the user to the payment options page, which is either the FPX page or the iPay88 credit card payment page.
Fake payment gateway
Once the user filled the form and submits the data, the application will load an HTML file located in the malicious application asset files. In the figure below, the application load a local HTML file into the webview instead of using a remote web page served on the internet.
|Figure 11: Load FPX.html in webview|
The HTML code web page of the FPX payment is embedded in the resources file under the assets folder bundled in the application. The figure below shows the FPX.html in the assets folder which is being used for the fake FPX page. Each of the targeted banks has its own assets file such as "AFFIN_files" containing images, CSS files, or HTML files that are needed for the page to mimic a legit the Affin bank's login page.
|Figure 12: FPX.html code|
Here in the figure below, is how the FPX payment gateway page looks like. Victims will be phished by this look-legit webpage and proceed to choose their bank to make the payment.
|Figure 13: Fake FPX webpage|
The figure below is an example of the fake Maybank2u login page used to lure victims specifically to scam and steal online banking credentials.
|Figure 14: Fake Maybank2u webpage|
On the next page for the password insertion, a user should aware that the page does not have the security image like the original of Maybank2u. The fake FPX page shows the entered username instead of the security image.
|Figure 15: User password form|
|Figure 16: JS file used for post data of online bank credential|
In the figure below shows the request of the network activity happened when the button login is clicked using a dummy credential.
|Figure 17: Intercepted request|
This is a critical part of the communication toward the API server (apart from the SMS stealer which will be mention in the next section) where the scammer retrieves and steals the credential of Malaysian's online banking accounts.
The list of bank include:
- Affin Bank
- Public Bank
- Bank Islam
- Hong Leong Bank
- Bank Muamalat
While for the credit card payment, figure below shows the interface of the fake ipay88 credit card form.
|Figure 18: Credit card form interface|
|Figure 19: JS file to post Credit Card data to API server|
After the data is sent to the attacker's API server, the application will redirect the victim to a page with a popup box saying "Connection timeout. Please try again." just to lure the trust of users.
|Figure 20: Redirect page after submit data|
For SMS stealer behavior, the malicious application statically declares a broadcast receiver of BROADCAST_SMS in AndroidManifest file. The APK uses the broadcast receiver to listen for any incoming message and send the incoming SMS data to the attacker API server. Intently to get TAC code of the banking transaction for the illegal transaction.
|Figure 21: SMS receiver|
In the class MyReciever, the method onReceive will be triggered when an SMS is coming in and the application will send the SMS data to the URL hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s where the sid and SMS parameter are filled per the incoming message data.
|Figure 22: SMS broadcast receiver to send the SMS to API server|
From this point, the attacker will receive the SMS data sent by the application as well as the banking information credential.
Our malware researchers observe that this malicious Android uses an Android source code template from Solodroid
by Indonesian developer. Based on the information of the template, this application should have an admin dashboard to control the application products.
|Figure 23: https://codecanyon.net/item/ecommerce-online-shop-app/10442576?s_rank=19|
Differentiating the code of the demo application of the Solodroid eCommerce Android App shows the exact same as the decompiled code. The only different is the permission, custom page and few of malicious broadcast receiver.
|Figure 24: Different decompiled code of original Solodroid application and MyPetronas|
If we look at the right side of the figure, the malicious application alters the MainActivity file to adjust the application to request permission for the default SMS application.
NBS malware researchers also observed that this MyPetronas malicious application was likely being developed by the same actor of the CleaningServiceMalaysia, KleanHouz, Maid4u, and Travel app samples where all of these samples shared the same pattern of modus operand, C2 URL path (but different domain name), and also malicious code.
The below figures show the MainActivity of islandtravel.apk, KleanHouz.apk, and MyPetronas.apk shared the same code which gave us the clue that the threat actor might be the same player and malware author.
|Figure 25: islandtravel.apk|
|Figure 26: kleanhouz.apk|
|Figure 27: MyPetronas.apk|
From Netbytesec's point of view, this threat actor is not the same as the Bank Negara Malaysia scam application and a few other scamming applications like EGrocer or ChickFood where Netbytesec threat analysts observe the C2 infrastructure and malicious code are quite different.
The Petronas fake application is used by the scammer as a decoy to phish users' online banking credentials and credit card information. The APK also has capabilities such as stealing users' SMS data. All the retrieved and stolen data is submitted to the C2 server of the attacker using the API of the C2 server. The attacker uses information such as banking credentials, credit card information, and SMS content to get the OTP of the transaction to perform the illegal transaction. The APK has the same pattern of code and URL path of collected domains which might support our assumption that the threat actor of the previous Maid Cleaning service app is the same as this one.
All banking and Android users must aware of this type of scamming activity to avoid being one of the victims. If you are one of the victims and already installed the malicious application, please uninstall the application and report it to your bank for further action. All the associated Banks parties must also notify users and make awareness about this scam modus operandi as it would affect the brand name of the bank where most of the victims will instead accuse the bank organization if the money in their bank account got stolen and gone as this threat actor will never stop doing these illegal activities and keep evolving from time to time upgrading their techniques, tactics, and procedure to steal money from victims.
- Download and install application only from official Google Play Store.
- Be very careful enabling any dangerous permissions while using the application.
Indicator of Compromises
- pt-gift.store – Landing page
- gpost996.online – retrieve banking information
- lapks.online – retrieve user information
- sgbx.online – retrieve SMS
- hxxps://lapks.online/skyblue_888a/api/api.php?post_order – Post user information to C&C server
- hxxps://gpost996.online/post.php – Post online banking credential to C&C server
- hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s – Post SMS data to C&C server
Netbytesec credit to Jacob Soo
for sharing and giving insight about the sample on Twitter.
Post a Comment