Overlay malware has emerged as one of the more pernicious threats on mobile devices, particularly Android phones, and researchers have now discovered a new SMS phishing campaign that uses overlay malware to steal credentials for mobile banking apps and messaging apps.
The attackers behind the campaign are using a wide range of lures and a diverse infrastructure, including a dozen command-and-control servers spread across Europe. Targeting users in a number of European countries, the campaign uses shortened URLs sent via SMS to trick victims into clicking on a malicious link and installing the malware. The SMS messages typically contain some version of a failed-shipment notification. Though the campaign originated in Russia, it has now begun targeting users in Denmark, Italy, Germany, Austria, and the U.K.
Overlay malware is a specific form of mobile malware that is designed to mimic the look and feel of a target app. When a user opens her mobile banking app, for example, the installed malware will execute and produce an overlay screen that asks for the user’s credentials and blocks out the legitimate app. The technique has become increasingly popular among attackers as it’s often difficult to distinguish the overlay screen from the real app and it’s a simple method to harvest a large number of credentials quickly.
Researchers at FireEye, who have been tracking the newest SMS phishing campaign, say the attackers also have added new apps to their target list. They began with users of MobilePay and WhatsApp in a couple of countries, and now have expanded to WhatsApp users in many other European countries, as well as customers of other banks. The campaigns have been active since early this year, and FireEye researchers said the malware also has the ability to mimic the official Google Play store app.
The malware overlays a phishing view on top of the benign app.
The malware and attack infrastructure used in this campaign are typical of professional attacker groups, and the campaign involves several steps.
“Threat actors typically first set up the command and control (C2) servers and malware hosting sites, then put the malware apps on the hosting sites and send victims SMS messages with an embedded link that leads to the malware app. After landing on the user’s device, the malware launches a process to monitor which app is running in the foreground on the compromised device,” Wu Zhou, Linhai Song, Jens Monrad, Junyuan Zeng, and Jimmy Su of FireEye wrote in an analysis of the campaign.
“When the user launches a benign app into the foreground that the malware is programmed to target (such as a banking app), the malware overlays a phishing view on top of the benign app. The unwary user, assuming that they are using the benign app, will enter the required account credentials, which are then sent to remote C2 servers controlled by threat actors.”
Overlay malware attacks are particularly effective on Android devices, which allow for the installation of software from third-party sources. Apple iOS only allows installs from the App Store, unless the device is jailbroken, so it is much more difficult to get a malicious app on an iPhone or iPad than on an Android device.