Slovakian cyber security firm ESET Research has published a report detailing how malicious Android apps have been targeting customers of eight Malaysian banks. The campaign has been ongoing since late 2021 and apparently uses fake apps and websites of legitimate Malaysian companies to phish for banking credentials.
It was first identified when a Facebook user shared his experience of almost being scammed through an app impersonating the legitimate company Maid4u. Since then, a total of seven websites have been attributed to the impersonation campaign with the majority of them being cleaning services: Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy and MaidACall, and a pet store named PetsMore.
The copycat websites will direct users to download apps from the Google Play Store, although the buttons will instead lead the unsuspecting victims to servers under the scammers’ control. The attack will prompt users to enable “Install unknown apps” on their phones.
The campaign is quite sophisticated as it will ask users to sign in after installing the app, though there’s no actual account validation and any input will be declared correct. The fake e-shop matches much of the interface of the real store and during checkout, presenting victims with an option to pay with a bank transfer.
Users are then presented with a fake FPX payment page and given an option between eight banks: Maybank, Affin Bank, Public Bank Berhad, CIMB, BSN, RHB, Bank Islam Malaysia, and Hong Leong. Once they submit their banking details, they’ll receive an error message regarding their transaction. However, at this point, the bad actors have already received the credentials.
To finish the scam, the fake app also forwards all SMS to the operators in case they contain Two-Factor Authentication (2FA) codes sent by the bank. ESET notes that the phishing campaign is only operating in Malaysia for now, but doesn’t disqualify the possibility of it expanding to other countries later on.
