Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’

Campaign is still active and growing; second bank app identified

Zimperium, in collaboration with a leading Asian bank, has uncovered the early stages of a coordinated effort by scammers to defraud existing and new bank customers. In this blog, we will:

  • Alert the general public about the scam before it gains traction; 
  • Outline the entire scam around the fake bank app; and
  • Show how it is also targeting other financial services, including another bank.

The campaign coincided with the bank’s announcement about its development of a digital exchange, enabling institutional investors and accredited investors to tap into a fully integrated tokenization, trading, and custody ecosystem for digital assets. 

Thus far, dozens have downloaded the app and have lost an average of $1,500 each. The app – first seen on VirusTotal on December 22, 2020 – has still not been identified as malware or scamware by any anti-virus companies. 

The campaign remains active and is, in fact, growing:

  • It appears to be downloadable via third party sites and/or phishing links;
  • The command and control servers are still operational;
  • The elaborate scam itself features, among other aspects, active customer support; and 
  • We’ve learned of a similar campaign targeting a second bank. We are reaching out to that bank directly, before revealing the name.  

Downloading the app

Once the app is downloaded from a third party store or phishing link and is opened, the victim is presented with the following login page:

Figures 1, 2: Fake login and registration page along with the “password retrieval” option

As part of the registration process, users are asked to provide an email address, account number, “rganization code” (note the typo appears in the app itself) and other details. 

In an attempt to appear legitimate, registration generates an automated email containing a verification code that impersonates a legitimate email from the bank (including using the bank’s name in the email address). We received verification codes whether we registered with legitimate or with fake information.

Figure 3: Fake email for registration with verification code. (Note: “If not my operation”)

The entire communication takes place with a server that does not belong to the impersonated institution. Instead, the user has unknowingly shared personal and financial information with the attackers. 

Figure 4: The communication with C&C when trying to login with credentials
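A defender-side check suggested by the two observations above (the verification email trading on the bank’s name, and all traffic going to a server the bank does not own): flag sender addresses whose display name, local part or look-alike domain carries the brand while the sending domain is not one the bank controls. This is an added example, not code from Zimperium or the bank; the brand name, the legitimate domains and the sample headers are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders: the impersonated brand and the domains it really sends from.
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com", "notify.examplebank.com"}

def _norm(s: str) -> str:
    """Lower-case and drop separators so 'Example-Bank' and 'example bank' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _strip_from(header: str) -> str:
    """Remove a leading 'From:' so raw header lines and bare addresses both parse."""
    return re.sub(r"^\s*from:\s*", "", header, flags=re.IGNORECASE)

def is_brand_impersonation(from_header: str, brand: str = BRAND,
                           legit_domains: set = LEGIT_DOMAINS) -> bool:
    """True when the sender trades on the brand name (display name, local part or a
    look-alike domain) but the sending domain is not one the brand controls."""
    display, addr = parseaddr(_strip_from(from_header))
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    if domain.lower() in legit_domains:
        return False  # genuinely sent from a brand-controlled domain
    target = _norm(brand)
    return any(target in _norm(part) for part in (display, local, domain))

def scan_headers(headers: list) -> list:
    """Return the sender addresses that look like brand impersonation."""
    return [parseaddr(_strip_from(h))[1] for h in headers if is_brand_impersonation(h)]

# Constructed sample From headers, not captured from the campaign.
SAMPLE_HEADERS = [
    'From: "Example Bank Verification" <no-reply@examplebank-verify.net>',
    'From: "Example Bank" <alerts@notify.examplebank.com>',
    'From: examplebank.support@gmail.com',
    'From: "Parcel Tracker" <track@shipping.example>',
]

if __name__ == "__main__":
    for addr in scan_headers(SAMPLE_HEADERS):
        print("impersonation suspected:", addr)
```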

App experience

Once logged in, the victim is presented with a seemingly legitimate cryptocurrency trading platform that uses the brand value of the impersonated organization as a lure. The dynamically changing prices make it look all the more convincing.

Figures 5, 6: The Home and Trade pages that make use of the price information from Figure 7
Figure 7: The continuous pings to the C&C server to fetch updated prices

Customer support

Moreover, the presence of a customer support option gives the victim additional confidence that they can contact the financial institution (in reality, the scammers) with any questions or issues.

When we attempted this, we received the following:

Figures 8, 9: The customer support chat box presents the offer image and convincing text
Figure 10: Scam poster encouraging victims to “invest”

Customer support would be the victim’s first choice for complaining about discrepancies, but the scammers have cleverly set it up so that it instead convinces the victim to “Recharge” and invest in order to reap (non-existent) benefits.

The scammers make use of a legitimate third-party platform that provides customer-support chat services, offering “Customer Service Solutions” as seen below in the command and control server’s response:

Figure 11: The URL for customer support as received from the C&C server

If the upward trend makes the victim interested in investing, the scammers have set up a “Funds Management” page that allows the continued exploitation of the victim, as seen below:

Figures 12, 13: The option to recharge and add funds to the account

The Recharge option mentioned above is the first go-to for a new victim to begin investing through the platform. 

The two investment options offered are “Online Pay” and “USDT.” Victims are asked to chat with customer support and either pay online or transfer the funds to a provided BTC or ETH wallet and attach proof of the transaction.

Figures 14, 15, 16: The recharge options: Online Pay, BTC and ETH, with “Important Notice”
Figures 17, 18: The BTC and ETH wallets’ transactions

What can you do?

It’s clear this campaign is just beginning and, as we mentioned, is already targeting a different bank. Here’s what you can do:

From a consumer perspective, never download apps from third-party sites; rely solely on the App Store and Google Play. Be leery of apps that contain grammatical or other errors, like the “rganization code” field that appeared in this app itself.

From an enterprise perspective, Zimperium is the global leader in mobile device and app security, offering the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebook threats. We detect this attack and others like it.

Please contact us to learn more. 

Malware Analyst. View the author's experience and accomplishments on LinkedIn.