This post was authored by Fareed.
This blog post is intended to give a better overall picture of a malicious Android app campaign that is believed to target Malaysians. The threat actor has cycled through several modus operandi, from a maid cleaning services application to an island travel app, and is now using Petronas as their new theme.
This blog post may be useful for security engineers, Android researchers, and security analysts who want to catch up with current cybersecurity issues, specifically mobile malware threats and Malaysian cyber security news. By the end of this blog post, readers will understand the inner workings of this recent Android malware attack on the compromised user. Furthermore, security analysts can use the IOCs extracted from the malware to check whether their organization's environment, or any of their contacts, has been compromised.
Non-technical Executive Summary
For non-technical background: this is an analysis of a malicious Android application, conducted and investigated by the Netbytesec team, to understand the behavior of the application in detail so that we can verify how the scammed victims were compromised, or "hacked", by the scammer using this Android application installed on the victim's phone. The application phishes the user into entering their bank credentials on a fake FPX payment page and a fake credit card page, and also steals all of the victim's SMS content. The impact is that the victim's banking information is exposed to the scammer/hacker, who can then make illegal bank transactions by leveraging the SMS stealer, since an OTP number is needed to complete a bank transaction.
|Figure 1: MyPetronas malicious APK|
Graph flow of the malicious Android Application
|Figure 2: Graph flow of the malware|
APK Metadata information
Landing page overview
Application behavior and interface
|Figure 6: Code to set the application as the default SMS app|
|Figure 7: Shop menu containing the list of products|
|Figure 8: Product description|
|Figure 9: User form and online payment option to confirm booking|
Confirming the booking POSTs all of the entered information to the attacker's API web server at hxxps://lapks[.]online/skyblue_888a/api/api.php?post_order. The figure below shows the data filled into the user form being sent to the API server using the POST method.
|Figure 10: Intercept POST request of the data|
Fake payment gateway
|Figure 11: Load FPX.html in webview|
|Figure 13: Fake FPX webpage|
|Figure 14: Fake Maybank2u webpage|
|Figure 15: User password form|
|Figure 16: JS file used to post online banking credentials|
|Figure 17: Intercepted request|
This is a critical part of the communication with the API server (apart from the SMS stealer, which will be covered in the next section), where the scammer retrieves and steals the credentials of Malaysians' online banking accounts for the following banks:
- Affin Bank
- Public Bank
- Bank Islam
- Hong Leong Bank
- Bank Muamalat
|Figure 18: Credit card form interface|
|Figure 19: JS file to post credit card data to the API server|
|Figure 20: Redirect page after submitting data|
|Figure 21: SMS receiver|
|Figure 22: SMS broadcast receiver to send the SMS to API server|
|Figure 23: https://codecanyon.net/item/ecommerce-online-shop-app/10442576?s_rank=19|
|Figure 24: Differences between the decompiled code of the original Solodroid application and MyPetronas|
|Figure 25: islandtravel.apk|
|Figure 26: kleanhouz.apk|
|Figure 27: MyPetronas.apk|
- Download and install applications only from the official Google Play Store.
- Be very careful when granting any dangerous permissions to an application.
Indicators of Compromise
- pt-gift.store – Landing page
- gpost996.online – Retrieves banking information
- lapks.online – Retrieves user information
- sgbx.online – Retrieves SMS
- hxxps://lapks.online/skyblue_888a/api/api.php?post_order – Posts user information to the C&C server
- hxxps://gpost996.online/post.php – Posts online banking credentials to the C&C server
- hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s – Posts SMS data to the C&C server
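As an added example for analysts who want to sweep their own logs for these indicators (this is not code from the original post or from Netbytesec), the Python script below takes the domains and URLs listed above, refangs the `hxxps`/`[.]` notation, and treats the Java `String.format` placeholders `%1$s`/`%2$s` in the sgbx.online URL as wildcards, since the malware fills them with the sender id and SMS body before sending. A URL only counts as a hit when host, path and every fixed query value match, so a request to `sgbx.online` with a different `pass` value is still reported on the domain indicator but not on the URL one. The proxy/DNS log format in `SAMPLE_LOG` is constructed for illustration and is an assumption, not a format the post describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Domain IoCs as listed in the post (descriptions paraphrase the post).
IOC_DOMAINS = {
    "pt-gift.store": "landing page",
    "gpost996.online": "retrieves banking information",
    "lapks.online": "retrieves user information",
    "sgbx.online": "retrieves SMS",
}

# URL IoCs from the post. %1$s / %2$s are Java String.format placeholders that the
# malware fills with the sender id and SMS body, so they are treated as wildcards.
IOC_URLS = {
    "hxxps://lapks.online/skyblue_888a/api/api.php?post_order": "user information -> C&C",
    "hxxps://gpost996.online/post.php": "online banking credential -> C&C",
    "hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s": "SMS data -> C&C",
}

PLACEHOLDER = re.compile(r"^%\d+\$s$")          # Java format placeholder, e.g. %1$s
URL_RE = re.compile(r"https?://[^\s\"'<>]+")     # crude URL extractor for log lines


def refang(ioc):
    """Turn the defanged form used in reports (hxxps://, [.]) back into a real URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def parse_url(url):
    """Split a URL into (host, path, query dict); an empty path is normalised to '/'."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return (parts.hostname or "").lower(), parts.path or "/", query


def url_matches(template, url):
    """True if url has the template's host and path and every template query key,
    with fixed values compared exactly and placeholder values accepting anything."""
    t_host, t_path, t_query = parse_url(refang(template))
    host, path, query = parse_url(url)
    if host != t_host or path != t_path:
        return False
    for key, value in t_query.items():
        if key not in query:
            return False
        if not PLACEHOLDER.match(value) and query[key] != value:
            return False
    return True


def domain_pattern(domain):
    """Regex matching the domain or any of its subdomains as a whole token."""
    return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?![\w-])",
                      re.IGNORECASE)


DOMAIN_PATTERNS = {d: domain_pattern(d) for d in IOC_DOMAINS}


def scan_line(line):
    """Return a list of (indicator, description) hits for one log line."""
    hits = []
    for url in URL_RE.findall(line):
        for template, desc in IOC_URLS.items():
            if url_matches(template, url):
                hits.append((template, desc))
    for domain, pattern in DOMAIN_PATTERNS.items():
        if pattern.search(line):
            hits.append((domain, IOC_DOMAINS[domain]))
    return hits


def scan_log(text):
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed sample log (proxy-style lines plus one DNS line); not from the post.
SAMPLE_LOG = """\
10.0.0.15 POST https://lapks.online/skyblue_888a/api/api.php?post_order 200
10.0.0.15 GET https://sgbx.online/?pass=app168&cmd=sms&sid=0123456789&sms=OTP+is+123456 200
10.0.0.22 POST https://gpost996.online/post.php 200
10.0.0.22 GET https://www.example.com/index.html 200
10.0.0.31 DNS A pt-gift.store
10.0.0.40 GET https://sgbx.online/?pass=other&cmd=sms&sid=1&sms=x 200
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        for indicator, desc in hits:
            print(f"line {number}: {indicator} ({desc})")
```

Feed real proxy or DNS export lines into `scan_log` in place of `SAMPLE_LOG`; any hit on a domain indicator is worth triaging even when the URL template does not match, because the C&C paths can change between samples while the hosting domains are reused.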