Previously released research identified four clusters of credential-harvesting apps imitating four major Iranian banks (Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran). In total, 40 apps were found, reported to have circulated from December 2022 to May 2023, with the capability to:
The apps mimicked legitimate versions found on Cafe Bazaar (a popular Iranian marketplace) and were distributed through several phishing websites, some of which also functioned as command and control servers.
These samples can be directly linked to the same threat actors and represent two additional iterations of Iranian mobile banking malware since the original research. The first iteration is identical to what was previously reported but adds new targets; the second iteration adds many new capabilities and evasion techniques intended to make the attack more successful.
The table below shows the banks that were targeted in the first campaign (at the top) and the new banks targeted in the second iteration (highlighted in dark gray). The newly weaponized targets were mentioned in the original research but were not yet actively targeted at that time. The table also shows new, not yet weaponized targets (highlighted in light gray).
In addition to the newly targeted banks, the threat actors' ambitions have grown: they are also collecting information about the presence of several cryptocurrency wallet applications. Based on how the previous variants evolved, it is highly likely that these crypto wallets will be targeted in the near future. The following table shows the full list of apps targeted by this campaign.
An analysis of the Command and Control (C&C) servers used by the campaign showed that some servers have open directories exposing their PHP code. By analyzing that code, it was possible to get a better understanding of how data is exfiltrated from the victims to the malware operators.
Analyzing the code of the C&C, we found Telegram channel IDs and bot tokens. This information is used to send the data collected to a channel for distribution. The PHP code used to do this is shown in Figure 2.
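For defenders who have the C&C source or egress logs of a compromised device in hand, the Telegram Bot API calls described above are a compact detection signature: a bot token (numeric bot id, a colon, and a long secret) followed by a method name, and usually a chat_id pointing at the receiving channel. The scanner below is an added example, not code from the original post; the log and PHP lines it scans are constructed samples with placeholder tokens, and the function names are ours.

```python
import re
from typing import Dict, List

# Constructed samples (not real traffic): two proxy-style egress log lines and one
# line in the style of the C&C's PHP exfiltration code. Tokens are placeholders.
SAMPLE_LINES = [
    "2023-06-01T10:02:11Z proxy GET https://api.telegram.org/bot123456789:"
    "AAEexampleTOKENexampleTOKENexample12/sendMessage?chat_id=-1001234567890&text=otp",
    "2023-06-01T10:02:12Z proxy GET https://www.example.com/index.html",
    '$url = "https://api.telegram.org/bot987654321:'
    'BBFexampleTOKENexampleTOKENexample34/sendMessage";',
]

# Bot API URL shape: /bot<bot_id>:<secret>/<method>[?...chat_id=<id>...]
# Real secrets are ~35 characters; {30,} keeps the match tolerant of minor variation.
TELEGRAM_BOT_CALL = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
    r"""(?:\?[^\s"']*chat_id=(?P<chat>-?\d+))?"""
)


def redact_token(token: str) -> str:
    """Keep the bot id (useful for pivoting) but never write the full secret to a report."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}***"


def scan_for_telegram_exfil(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line that contains a Telegram Bot API call."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = TELEGRAM_BOT_CALL.search(line)
        if not m:
            continue
        hits.append({
            "method": m.group("method"),
            "bot_id": m.group("token").split(":", 1)[0],
            "token_redacted": redact_token(m.group("token")),
            "chat_id": m.group("chat") or "",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_for_telegram_exfil(SAMPLE_LINES):
        print(hit)
```

The bot id and chat id are the values worth keeping as indicators; the token itself is only needed for the takedown report to Telegram.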
We observed some variants that communicate with GitHub repositories. Upon closer analysis, we found that the repositories contain a README file with base64-encoded text holding the latest live phishing and C&C server URLs.
Another common technique used to fetch active phishing sites is a C&C server whose sole purpose is to distribute active links. This approach allows the server URL to be hardcoded in the application without the risk of it being taken down.
Figure 5 shows a screenshot of an example of one of these intermediate C&C servers. The file urlx.txt contains a base64-encoded string that, similar to what was shown in the previous section, contains the URL of the phishing site. The URL encoded in the image is: hxxps://webpagea.click
A drawback of using accessibility services is that the user has to grant the permission. For this reason, the attackers implemented vendor-specific attacks, in particular targeting Xiaomi and Samsung devices.
Figure 6 shows a code snippet implemented by the app in which the device manufacturer is checked and certain actions are taken only for the previously mentioned manufacturers. The defined functions auto-grant SMS permissions, prevent the app uninstallation, and click on matched strings. Figure 7 extends the previous figure by showing Samsung-specific code.
The phishing sites used by this malware also check whether the page is opened from an iOS device. In that case, a website mimicking the iOS version of the app is served (see Figure 8). However, we were not able to find the IPA files that could be spawning the webview on iOS. This suggests that, at the moment, the iOS campaign is either still under development or distributed through an as yet unidentified source.
The phishing campaigns are sophisticated and mimic the original sites down to the smallest detail. Figure 9 shows an example of a site that prompts the user to either log in or register and shows different screens for each option.
The channels were reported to Telegram so they could be taken down. Due to the sensitivity of the data, we are not disclosing the names of the channels in this blog post. However, we analyzed all messages posted on the open channel and tallied the types of data collected by the attackers. The distribution of messages is shown in Figure 11. The most common type of message sent to the channel is OTP codes (as expected, since a single user can produce several of these messages), followed by login credentials and credit card numbers.
It is evident that modern malware is becoming more sophisticated, and targets are expanding, so runtime visibility and protection are crucial for mobile applications. During our upcoming Mobile Banking Heist Report, we will examine how the largest banking and fintech apps continue to be targeted by advanced malware attacks.
Although our research focuses on mobile banking apps, malware poses a similar threat to enterprise data and networks accessed by employee mobile devices. As a solution to this risk, Zimperium offers Zimperium Mobile Threat Defense (MTD). Designed with privacy as a priority, Zimperium MTD delivers extensive security for mobile devices within enterprise environments. It effectively safeguards both Bring Your Own (BYO) and company-owned devices from a range of threats including device vulnerabilities, network attacks, malware intrusions, and phishing attempts.
This study aims to provide a hybrid model of mobile banking adoption in the banking industry of Iran. Based on a review of technology adoption models, the main effective factors were divided into four general categories: personal, social, organizational and technological factors. The population of the study consisted of the customers of public banks. Since the population is effectively infinite, a sample of 384 customers was selected based on the Morgan table. A standard questionnaire was used to collect the required data for all the research variables. The research hypotheses were tested using structural equation modeling in AMOS software. The results show that some personal, social, organizational and technological factors have a positive significant effect on the perceived usefulness and perceived ease of use of mobile banking. Perceived usefulness and perceived ease of use have a positive significant effect on the attitude towards mobile banking. In addition, the positive significant effect of attitude towards the use of mobile banking on the tendency to use mobile banking, and vice versa, was confirmed.
The market for POS terminals and merchant acquiring in Venezuela has shown a positive trend in the first quarter of 2023, according to our latest market research report. The number of POS terminals for credit and debit cards increased by 7.2% and 9.1% respectively, compared to the same period of 2022. The number of affiliated merchants for credit and debit cards also grew by 15.4% and 17.8% respectively. The quarterly variation of these indicators was also positive, with a growth of 2% for credit card POS terminals, 2.7% for credit card affiliated merchants, 1.9% for debit card POS terminals, and 2.5% for debit card affiliated merchants. These figures reflect the increasing demand for electronic payment methods in the country, as well as the efforts of the financial sector to expand its coverage and offer more options to consumers and businesses.
However, not all the indicators were in the green. The number of ATMs decreased by 12.4%, from 5,241 in March 2022 to 4,592 in March 2023. This may be due to the high maintenance costs, security risks, and low profitability of these devices, as well as the preference of customers for other alternatives such as mobile banking, online transfers, or QR codes.
The ranking of acquirers with the highest annual growth in their market share in credit card POS terminals shows that BANCO DE VENEZUELA was the leader, with a 9.81% increase, followed by NACIONAL DE CREDITO with 5.75%, BANCAMIGA with 3.35%, BANESCO with 0.39%, and BANCO EXTERIOR with 0.22%.