Security analysts have recently uncovered a persistent Android mobile banking Trojan campaign targeting major Iranian banks. First discovered in July 2023, the campaign has continued to evolve with enhanced capabilities, as reported by Zimperium malware analysts Aazim Bill SE Yaswant and Vishnu Pratapagiri.
In a previous investigation, Zimperium identified four clusters of credential-harvesting apps mimicking major Iranian banks. These apps stole banking login credentials and credit card information, hid their own app icons, and intercepted SMS messages to capture OTP codes. The latest findings from Zimperium reveal 245 new app variants associated with the same threat actors, 28 of which remained undetected by industry-standard scanning tools at the time of analysis.
The new iterations of the malware target additional banks and show an interest in collecting information about cryptocurrency wallet applications, indicating a potential expansion of the campaign. The second iteration of the malware introduces new capabilities, including the abuse of accessibility services for overlay attacks, auto-granting of SMS permissions, prevention of uninstallation, and data exfiltration using GitHub repositories. The research also highlights vendor-specific attacks on Xiaomi and Samsung devices, as well as a potential interest in targeting iOS devices.
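The capabilities listed above (accessibility-service abuse, SMS interception, uninstall prevention via device-admin rights, overlays) each leave a footprint in an app's manifest. The following triage script is an added example, not Zimperium's tooling or code from the campaign: it parses a decoded AndroidManifest.xml (as produced by apktool) and reports which of those footprints are present. The mapping of each capability to a manifest feature, the weights, and the sample manifests are assumptions chosen for illustration; icon hiding is typically done at runtime and is not visible statically, so it is not checked here.

```python
"""Static triage of an Android manifest for banking-trojan capability indicators.

Added example (not from the original article). Assumed indicator mapping:
  accessibility abuse / overlays -> <service> guarded by BIND_ACCESSIBILITY_SERVICE,
                                    plus the SYSTEM_ALERT_WINDOW permission
  SMS / OTP interception         -> RECEIVE_SMS or READ_SMS permission and a
                                    <receiver> for Telephony.SMS_RECEIVED
  uninstall prevention           -> <receiver> guarded by BIND_DEVICE_ADMIN
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def ns_attr(name):
    """ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def analyze_manifest(xml_text):
    """Return a dict of boolean indicators found in the manifest text."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ns_attr("name")) for e in root.iter("uses-permission")}
    app = root.find("application")
    if app is None:
        app = ET.Element("application")  # no components to inspect

    def guarded_by(tag, permission):
        return any(e.get(ns_attr("permission")) == permission for e in app.iter(tag))

    def receiver_for(action_name):
        return any(act.get(ns_attr("name")) == action_name
                   for r in app.iter("receiver") for act in r.iter("action"))

    return {
        "accessibility_service": guarded_by(
            "service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "sms_permissions": bool(perms & {"android.permission.RECEIVE_SMS",
                                         "android.permission.READ_SMS"}),
        "sms_receiver": receiver_for("android.provider.Telephony.SMS_RECEIVED"),
        "device_admin": guarded_by("receiver", "android.permission.BIND_DEVICE_ADMIN"),
    }


# Assumed weights: accessibility access is the most abusable single capability.
WEIGHTS = {
    "accessibility_service": 3,
    "device_admin": 2,
    "sms_permissions": 2,
    "sms_receiver": 1,
    "overlay_permission": 1,
}


def risk_score(findings):
    """Sum the weights of the indicators that are present."""
    return sum(w for k, w in WEIGHTS.items() if findings.get(k))


# Constructed sample manifests (not real samples from the campaign).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRx">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = analyze_manifest(text)
        print(label, risk_score(f), sorted(k for k, v in f.items() if v))
```

Run it against the manifest of each APK in a triage queue and sort by score; a high score is a prioritisation signal, not a verdict, since legitimate accessibility tools and SMS apps declare the same permissions. The combination of an accessibility service with a device-admin receiver in an app posing as a bank is the pairing worth a manual look.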
Yaswant and Pratapagiri stress the importance of runtime visibility and protection for mobile applications in light of the increasing sophistication of modern malware. They recommend that security practitioners explore the Indicators of Compromise (IOCs) provided on Zimperium’s GitHub repository to strengthen defenses against this evolving threat.
For more information on similar threats, check out our article on the SpinOk Trojan compromising 421 million Android devices. Stay informed and proactive in safeguarding your mobile devices against malicious attacks.