A recently observed phishing campaign uses socially engineered SMS messages (smishing) to deliver malware to Android devices. The operation impersonates Iranian government and social security entities in order to harvest credit card details and drain money from victims' bank accounts.

In contrast to most banking malware, which relies on overlay attacks to capture credentials covertly, the campaign identified by Check Point Research uses a more direct deception. Victims receive an SMS that looks legitimate and contains a link that, when tapped, downloads a malicious application onto the device.

According to Check Point researcher Shmuel Cohen, the malicious app not only harvests credit card numbers but also intercepts two-factor authentication (2FA) SMS messages, effectively converting the victim’s device into a bot. This bot can subsequently disseminate similar phishing messages to further potential victims.

The cybersecurity firm has uncovered hundreds of phishing-oriented Android applications that masquerade as tracking services, banking systems, dating and shopping platforms, as well as cryptocurrency exchanges and government services. These botnets are marketed as “ready-to-use mobile campaign kits” through Telegram channels for surprisingly low prices, ranging from $50 to $150.

The initial phase of the attack typically starts with a deceptive notification, purportedly from the Iranian Judiciary, urging the recipient to review a fictitious complaint filed against them. The link leads to a site that mimics a government web page, where victims are asked to enter personal information and to download a malicious APK file.

Once installed, the rogue application requests far more permissions than its stated purpose requires, enabling behaviour (such as reading and sending SMS messages) that no legitimate government notification app would need. The app then presents a counterfeit login screen imitating Sana, Iran's electronic judicial notice system, and pressures the victim to pay a nominal fee of $1 to proceed.

Victims who comply are redirected to a fraudulent payment page built to capture their credit card details, while the installed app quietly operates as a backdoor, stealing the one-time passcodes that card issuers send by SMS and thereby enabling further fraudulent transactions.

Beyond that, the malware can exfiltrate SMS messages to an attacker-controlled server, hide its icon from the home screen to frustrate removal, and fetch additional payloads. It also harvests the contact list from the infected device and uses it to send customised phishing messages to new targets.
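The permission footprint of an app that reads 2FA codes, sends SMS from the victim's number and mines the contact list is a simple first-line triage signal. The following script is an added example, not Check Point's tooling or anything from the campaign itself: it reads a decoded (text-form) AndroidManifest.xml, as produced by apktool, maps declared permissions onto the behaviours the article describes, and returns a verdict. The package names and both sample manifests are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission set an SMS-stealing,
self-propagating banking bot needs. Added example; package names and sample
manifests below are constructed, not taken from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each behaviour described in the report, with the permissions that enable it.
# A legitimate judicial-notice viewer needs none of these.
CAPABILITY_PERMISSIONS = {
    "intercept 2FA SMS": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "send phishing SMS from victim number": {"android.permission.SEND_SMS"},
    "harvest contacts for propagation": {"android.permission.READ_CONTACTS"},
    "install additional payloads": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = "android.permission.SEND_SMS"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str) -> dict:
    """Map permissions to the bot behaviours above and assign a verdict.

    Reading SMS and sending SMS together is the signature of a device that
    both steals OTPs and relays phishing; either alone is merely suspicious
    in an app that is not a messaging client.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    matched = {
        cap: sorted(perms & needed)
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }
    if (perms & SMS_READ) and SMS_SEND in perms:
        verdict = "likely SMS bot"
    elif matched:
        verdict = "suspicious"
    else:
        verdict = "no SMS-bot indicators"
    return {"package": root.get("package"), "matched": matched, "verdict": verdict}


# Constructed manifest resembling the fake notice app described in the report.
FAKE_NOTICE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakenotice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Notice"/>
</manifest>"""

# Constructed manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_NOTICE_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "->", result["verdict"])
        for cap, perms in result["matched"].items():
            print("   ", cap, ":", ", ".join(perms))
```

This is a triage heuristic, not a detector: the permission set says what an app can do, not what it does, and icon hiding or payload dropping is only visible in the code or at runtime. Treat a "likely SMS bot" verdict on an app that claims to be a government notice viewer as grounds for dynamic analysis, not as a conviction on its own.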

“This strategy allows attackers to send phishing messages using legitimate user phone numbers rather than from a single source, reducing the likelihood of detection by telecommunications firms,” explained Cohen.

Compounding the harm to victims, the attackers' poor operational security leaves their server accessible to third parties, exposing the stolen phone numbers, contacts and the list of hosted bots to anyone who finds it. With the captured 2FA codes, the operators can systematically withdraw funds from victim accounts, even where each transaction yields only a small amount. The spread of this "botnet as a service" model, sold cheaply and requiring little skill to operate, is a growing risk for Android users in particular.

The campaign maps cleanly onto tactics and techniques in the MITRE ATT&CK framework: initial access via phishing (here, SMS), persistence through an installed malicious app, and collection of SMS messages and card data that culminates in financial fraud. Recognising these patterns can help organisations build stronger defences against similar threats.
