Since the beginning of 2016, PhishLabs has observed a number of malicious mobile applications targeting users of popular payment card companies and online payment sites. These attacks combine traditional, browser-based phishing attacks with the mobile platform in order to create convincing mobile applications. These applications claim to afford the user access to their accounts directly from their mobile device; however, their only functionality is the capability to collect credentials and personal information and deliver that stolen information to the attacker. Our research has indicated that these malicious applications have been created by the same actor or group of actors.

Delivery Method: A Trusted Source

While this attack model is certainly disconcerting, the delivery method for these applications is even more unsettling. These applications are available to users directly from a trusted location – the Google Play Store. The approval process for those who wish to publish their applications on the Play Store has historically been developer-friendly. Prior to 2015, security issues and other violations of the Terms of Service were handled strictly on a reactive basis. Applications published on the Play Store were only reviewed by Google following a user report of a violation. Providing a convenient publishing process for developers meant sacrificing security for the end user. In 2015, Google announced a change to its publishing process, indicating that each application submitted would be reviewed by a human prior to being approved for distribution on the Play Store. This review is partially automated to aid the reviewers and keep time to publication down, presumably creating a balance between security for users and expediency for developers.

All of the applications reviewed for this post were identified by PhishLabs after the implementation of the human-review policy. This calls into question the efficacy of the practice, as even a cursory investigation of these applications makes it clear that they are not being offered by the brands that are being impersonated. Further analysis demonstrates that they are not only brand abusive, but overtly malicious.

Actor Information

There is evidence that these applications targeting the payment card and online payment industries have been created by the same actor or group of actors. On multiple occasions, PhishLabs observed multiple applications with similar naming conventions targeting different companies being published to the Play Store on the same day. This actor typically registers malicious look-alike domains utilizing a domain privacy service. In some instances, however, the actor registered domains using email addresses provided by Tutanota, an encrypted email service. Applications created earlier in 2016 typically included a reference to the targeted online payment site or payment card company in the domain name. However, more recent applications were created using look-alike domains that mimic popular cryptocurrency companies. It is possible that these look-alike domains are also hosting content targeting the cryptocurrency industry; however, this behavior has not been observed. Below are some examples of domains and email addresses utilized in mobile phishing applications created by this actor.

newdesigns2016.biz
mylocalbitcoins.mobi
localbitcoinsfast.com
blochaingo.com
net20craps@tutanota.com
netsupreme20@tutanota.com

Red Flags: Indicators of Malicious Activity

PhishLabs has identified 11 mobile applications so far in 2016 targeting customers of popular payment card companies and online payment sites. In each instance, these applications were published to Google Play. The companies whose customers are targeted by these attacks typically provide links to their official mobile applications directly from their website. In one case, a targeted company explicitly states on their website that no mobile application exists for their company and that users should be wary of any mobile application using their brand.

[Figure: Mobile Phishing Application Login Screens]

The functionality behind these applications is simple, but the results are elegant. The applications display a phishing site which has been optimized for viewing on mobile devices, creating a fluid and authentic login experience. That is, until the user's login credentials fail to provide them access to their account.

The MainActivity class contains the code that is executed immediately after the application is launched. This class contains the entirety of the functionality of these applications in just a small amount of code. The application first checks for Internet connectivity. If Internet connectivity is available, the application uses Android's WebView class to display the contents of a URL which is hard-coded into the application. If no Internet connectivity is available, a message is displayed to the user indicating that they are “Not connected to internet”.

[Figure: MainActivity Class Example]
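The MainActivity pattern described above (connectivity check, then a WebView loading a hard-coded URL) is easy to triage once an APK has been decompiled. The following is an added example, not PhishLabs code: it scans a constructed source excerpt for hard-coded loadUrl() targets and checks each host against an assumed allowlist of the brand's genuine domains, flagging look-alike hosts that reuse the brand name as well as any host that is simply not official. The brand "examplepay", its domain and the source excerpt are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed decompiled-source excerpt (not a real sample) mirroring the
# behaviour described in the post: connectivity check, WebView with a
# hard-coded URL, otherwise a "Not connected to internet" message.
SAMPLE_MAIN_ACTIVITY = '''
public class MainActivity extends Activity {
    protected void onCreate(Bundle b) {
        ConnectivityManager cm = (ConnectivityManager) getSystemService(CONNECTIVITY_SERVICE);
        if (cm.getActiveNetworkInfo() != null) {
            WebView wv = (WebView) findViewById(R.id.webview);
            wv.loadUrl("https://examplepay-login.mobi/m/login.php");
        } else {
            Toast.makeText(this, "Not connected to internet", Toast.LENGTH_LONG).show();
        }
    }
}
'''

# Only string-literal arguments are captured; a URL built at runtime from
# variables would need a different (dataflow-based) check.
LOAD_URL_RE = re.compile(r'loadUrl\(\s*"([^"]+)"\s*\)')


def triage_webview_app(source, brand_keywords, official_hosts):
    """Flag a WebView wrapper whose hard-coded URL leaves the brand's real domains.

    brand_keywords: lowercase fragments a look-alike domain would reuse.
    official_hosts: the brand's genuine hostnames (assumed allowlist).
    """
    findings = []
    for url in LOAD_URL_RE.findall(source):
        host = (urlsplit(url).hostname or "").lower()
        official = any(host == h or host.endswith("." + h) for h in official_hosts)
        lookalike = (not official) and any(k in host for k in brand_keywords)
        findings.append({"url": url, "host": host,
                         "official": official, "lookalike": lookalike})
    # The signature from the post: a connectivity check plus a WebView load.
    wrapper = "loadUrl" in source and "getActiveNetworkInfo" in source
    suspicious = wrapper and any(not f["official"] for f in findings)
    return {"hardcoded_urls": findings, "webview_wrapper": wrapper,
            "suspicious": suspicious}
```

Hosts that carry no brand keyword at all (such as the cryptocurrency look-alike domains the post mentions) are still reported because they fail the allowlist check.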

The other component of these attacks, the phishing site, is also relatively straightforward. The attacker purchases look-alike domains and crafts a phishing site to correspond with the mobile application. In general, these phishing sites present the user with an interface that looks similar to the target organization's website and provide the user with an account login interface. This login screen does contain some rudimentary validation based on the target organization's actual login procedure. For instance, if the target organization requires a user ID that is a minimum of 6 characters, the application will also contain this requirement. After submission, login credentials are processed through a form receiver script and funneled to the attacker. The user is presented with subsequent screens which contain forms to collect additional information, including security questions. Ultimately, the user is returned to the original login screen and presented with an error message stating “Some of the information you entered is incorrect” or “The Username and Password combination you entered does not match the information on file. Please try again”. A snippet of HTML code for a mobile phishing application's login form is shown below along with the corresponding Internet traffic following submission of the form.

[Figure: HTML Code and HTTP Traffic]

While the inner workings of these attacks are not sophisticated, the repercussions of functional mobile phishing applications finding their way into legitimate mobile app repositories are significant.

Though the focus of this post is mobile phishing applications targeting the payment card and online payment industries, it is expected that this tactic will spread to target other industries. Mobile phishing applications are an attractive attack vector for multiple reasons. This attack eliminates the need to spam out large numbers of phishing lure emails by providing the application to a population of users who are already frequenting the Google Play store. In turn, the attack also eliminates email as a common detection source. The observed applications also avoid referring users to the legitimate site of the targeted organization, thereby eliminating another detection source. Even after an application is detected and reported for removal, it often remains available on the Play Store for several days. The large number of security violation reports received and processed by Google frequently results in a slow response. In Google's defense, they are not the only company that struggles to detect these mobile phishing applications.

Combating the Mobile Phishing Threat

PhishLabs works to detect and mitigate mobile threats targeting the customers of our clients. With millions of applications available on the Play Store, it is inevitable that attackers will target some companies that do not currently have the benefit of PhishLabs protection. Assuming that applications like the ones examined in this post will continue to make it through the Play Store review process, it is important that users take some additional precautions to protect themselves from fraudulent apps. Typically, security experts advise users to avoid installing applications from third-party stores, but that advice is inadequate in this case. If you are unsure of the legitimacy of an application on the Google Play Store or any other official app store, make sure that the provider offers a legitimate mobile application by checking their official website or contacting them directly. Often, companies will provide links directly from their official website to their official application in the Play Store. Do not utilize unsolicited mobile application download links provided via email or SMS. While these types of lures are not required for mobile phishing attacks to be successful, it is not inconceivable that an attacker would utilize them. Ultimately, Google will need to continue to refine their review process in order to provide proactive protection to Android users. There is no doubt that security threats in general are trending towards increased complexity; however, these malicious applications demonstrate that simple attacks can still be highly effective.
