This new Android malware is draining bank accounts across the world - here's what you need to know

(Image credit: Iaremenko Sergii / Shutterstock)

A new malware campaign on Android has been discovered stealing people’s personally identifiable information (PII) and banking data, and in some cases, even stealing money from their bank accounts.

As per a report by security expert Pol Thill,  a threat actor known as Neo_Net has been targeting bank users worldwide since June 2021, focusing mostly on victims in Spain and Chile. Among the banks whose clients are being targeted are Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING.

The attacker, who seems to be located in Mexico, did two things: ran a data-harvesting phishing campaign, and distributed Android malware designed to steal multi-factor authentication (MFA) codes.

According to the researchers, the attacker created convincingly-looking landing pages, which could easily be mistaken for authentic websites belonging to the abovementioned banks. Then, they’d run a SMSishing campaign, urging the victims to click on the link and leave their identity data which the attackers would harvest using a Telegram bot. 

"The phishing pages were meticulously set up using Neo_Net's panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners," the researcher said in his writeup.

In some cases, the attackers would also trick victims into downloading malicious Android apps that pretend to be security software but are, in fact, just there to steal MFA codes. Upon installation, the apps request SMS permissions.

Analysis: Why does it matter?

There are two important takeaways from this malicious campaign: one - it’s highly successful, and two - it seems to be deploying a proprietary SMSishing platform called Ankarex.

"Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said in his analysis of the campaign.

The actual sum is probably a lot bigger than that, SentinelOne added in its report, as older operations, and transactions that don’t require multi-factor authentication were not added to the total sum.

This specific campaign has been active between June 2021 and April 2023, the researcher said, suggesting that the threat actor was probably active for a lot longer. He’s described as a “seasoned cybercriminal” that not only runs malicious campaigns but also sells tools and services on the dark net. Among other things, Neo_Net was observed selling phishing planets, compromised victim data, and the smishing-as-a-service tool called Ankarex. 

It’s this Ankarex platform that was recently used in this campaign, the report suggests, as it was apparently active since May 2022. At the moment it’s being actively promoted on Neo_Net’s Telegram channel which boasts some 1,700 subscribers. 

"The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers," Thill said.

Despite the fact that the threat actor seems to be focusing almost exclusively on the Spanish-speaking community, the campaign still casts a relatively wide net. The researcher states that Neo_Net attacked clients of 50 financial institutions, 30 of which were headquartered either in Spain, or Chile. The full list of affected banks can be found on this link

What have others said about the malicious campaign? 

In their writeup, SentinelOne calls Neo_Net the “Kingpin of Spanish e-crime”. The publication states the threat actor maintains a public GitHub profile under the name “notsafety”, as well as a Telegram account where he presents his work. It’s also here where the hacker claims he’s the founder of Ankarex. Cybersecurity news reports that the sensitive data the hacker stole included telephone numbers, national identity numbers, and names of thousands of victims. Social networks have been unusually quiet about the report, with visitors on both Reddit and Twitter deciding not to comment on the news.

Banking Trojans are a common occurrence in the world of cybercrime. Just a week ago, researchers discovered the Anatsa banking trojan as being behind multiple confirmed cases of fraud. Anatsa was being distributed via Android apps sold on the Google Play Store, ThreatFabric reported at the time. The apps had more than 30,000 installations and targeted almost 600 financial applications from around the world. 

They targeted victims in the US, Germany, Austria, and Switzerland. Anatsa was first discovered back in 2020. 

Furthermore, as customers typically have their guard up when it comes to online banking, many of the malware droppers identified by the cybersecurity researchers have posed as PDF viewers. Having informed the Play Store of its findings, ThreatFabric found Google quick to react, but the threat actors just as quick to republish apps of a similar nature.

Go deeper

If you want to learn more about staying safe online, make sure to check out our guide for the best antivirus programs out there, as well as best endpoint protection tools. You should also read up on the best firewalls, as well as the best ID theft protection software right now.  

Via: The Hacker News

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.