MyCERT Advisories, Alerts and Summaries for the year 2018

MA-694.012018: MyCERT Alert – Fake Bank Negara Malicious APK

Date first published: 12/1/2018


1.0 Introduction
MyCERT and NC4 have received several reports from financial institutions that their customers' smartphones had recently been infected with malware through a scam campaign. The National Cyber Coordination and Command Centre (NC4) has released an alert on this matter. Users may refer to the URL below for details:


2.0 Impact
1. The victim suffers financial loss through transactions made without their consent.
2. Disclosure of personal information to scammers or other unknown parties may fuel similar scam campaigns in future.


3.0 Modus Operandi

In summary, the modus operandi for this scam is as follows:




4.0 Preliminary Analysis

Sample:
Binary              SHA-256 Hash                                                        Size
bnm_d7_psigned      21cda890254d5519bb6dfee3a68025ca4ddfdb41a846ae5d9b2b556bb0b3474c    978 KB
bnm_h_signed.apk    e010b28b36375a21fc08752235a9052a98cf4200e08a70c90a83cf3b1ed54c53    1.3 MB
bnm_m_psigned.apk   a1494a3ccffc644da8470fd997c7f84446cd9dc961cae2703e15724a47730986    1.6 MB



Server Information:
IP Address        Port   Location      Remark
67.229.128.74     88     South Korea   Cloud service, hosts the malicious file
23.244.168.148    8080   Nevada        Cloud service, C2 server
183.86.209.102    8080   South Korea   Cloud service, C2 server



Scammer Information:

Phone Number Used
+6011-25662436
+6011-12081457
+6011-2302925



When the victim opens the given link in a mobile browser, a web page bearing the Bank Negara logo is displayed. The victim is instructed to tap the logo, which downloads an app, and is then directed to install it on their device.

 

JavaScript on the website ensures that only mobile browsers see the content: if the link is opened in a desktop browser, the visitor is redirected to the official PDRM website. Analysts fetching the page from a desktop or a sandbox therefore see only the benign redirect unless they present a mobile User-Agent.
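As an added illustration (not part of the original advisory, and not the scammers' actual page), the following Python script shows a heuristic check for this kind of user-agent cloaking: it flags a page whose scripts test the browser type, perform a client-side redirect, and point at an APK. The landing page it scans is constructed for the example, and the redirect target https://pdrm.example/ is a placeholder, not the real PDRM URL.

```python
import re

# Constructed stand-in for the lure page the advisory describes (not the real
# page): a script that hides the APK lure from desktop browsers by redirecting
# them elsewhere.  https://pdrm.example/ is a placeholder, not the PDRM URL.
CONSTRUCTED_LANDING_PAGE = """
<html><head><script>
var ua = navigator.userAgent;
if (!/Android|iPhone|iPad|Mobile/i.test(ua)) {
    window.location.href = "https://pdrm.example/";
}
</script></head>
<body>
<img src="bnm_logo.png" onclick="location='bnm_m_psigned.apk'">
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Properties a page reads to decide whether it is running on a phone.
UA_GATE_RE = re.compile(r"navigator\.userAgent|navigator\.platform|screen\.width", re.I)
# Client-side redirects: location = "...", location.href = "...", location.replace("...").
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.I,
)
# Any quoted or attribute value ending in .apk, inside scripts or inline handlers.
APK_RE = re.compile(r"""['"=]([^'"\s>]+\.apk)['"\s>]""", re.I)


def find_cloaking(html: str) -> dict:
    """Flag a page that gates its content on the browser type and points at an APK.

    'suspicious' is True only when all three signals are present: a
    user-agent/platform check, a client-side redirect, and a link to an APK.
    """
    scripts = SCRIPT_RE.findall(html)
    ua_gated = any(UA_GATE_RE.search(s) for s in scripts)
    redirect_targets = []
    for script in scripts:
        for m in REDIRECT_RE.finditer(script):
            redirect_targets.append(m.group(1) or m.group(2))
    apk_links = sorted(set(APK_RE.findall(html)))
    return {
        "ua_gated": ua_gated,
        "redirect_targets": redirect_targets,
        "apk_links": apk_links,
        "suspicious": ua_gated and bool(redirect_targets) and bool(apk_links),
    }


if __name__ == "__main__":
    for key, value in find_cloaking(CONSTRUCTED_LANDING_PAGE).items():
        print(f"{key}: {value}")
```

To see what the victim saw, fetch the page twice, once with a mobile User-Agent (for example `curl -A "Mozilla/5.0 (Linux; Android 8.0)" <url>`) and once with a desktop one, and diff the two; the desktop copy is the benign redirect, the mobile copy carries the APK lure.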




5.0 Behaviour Analysis

1. The scammer guides the victim to enable "Unknown Sources" under Settings -> Security, which allows applications to be installed from outside the official app store.




2. The victim is sent a link by phone call or mobile messaging app and asked to open it in a mobile browser and tap the BNM logo.




3. A file is downloaded to the victim's phone, and the victim is guided through installing the APK on the device.





4. Once installed and opened, the app requests to become the default SMS app. On Android 4.4 and later the default SMS app is the one that receives and stores every incoming message, which gives the malware first access to one-time codes the bank sends by SMS.





5. The app then displays a page asking the user to key in all the credentials required to log in to the BNM system; the scammer guides the victim through filling it in.





6. The page is in fact a web page hosted on the C2 server, to which everything the victim enters is passed. The malicious app also records the victim's SIM (phone) number and ties it to the information submitted through the same app.





7. After the victim presses the Enter button on the screen, the app submits the information to the C2 server and the victim is shown the page "Submit OK. your information is under checking" (note the grammatical error on the page).





8. The app then starts monitoring the SMS inbox and communicates continuously with the C2 server.





9. When an SMS is detected, the app forwards it to the C2 server encrypted with AES.




10. The key used to decrypt the messages is hardcoded inside the application: key = "tjdflklwer,.sdfs" (16 bytes, i.e. an AES-128 key). (See screenshot below.) Because the key ships inside the APK, anyone holding a sample and a capture of the C2 traffic can decrypt the exfiltrated messages.






11. The app monitors the SMS inbox nonstop and communicates with the C2 server in the background.

12. Even if the victim reboots the phone, the app starts again automatically because it runs as a service, and it resumes monitoring the SMS inbox.

13. MyCERT has identified the IP addresses and URLs used to spread the malicious installer and to act as C2 servers, and has escalated them to the respective parties for takedown to prevent further harm to Malaysian citizens.
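As an added example, not code from the advisory, the following Python script triages an APK against the indicators published above without running it: it compares the file's SHA-256 with the three known hashes, searches every zip entry for the hardcoded AES key from step 10 and for the C2 addresses from section 4.0, and lists the SMS permission strings that a banking app should never need. The sample it builds in memory is constructed for the example (a zip with the entry names of a real APK), so its hash matches none of the published ones; the permission check is a heuristic, since a real AndroidManifest.xml is binary XML whose string pool may be UTF-8 or UTF-16.

```python
import hashlib
import io
import re
import zipfile

# Indicators copied from the advisory's tables (sections 4.0 and 5.0).
KNOWN_SHA256 = {
    "21cda890254d5519bb6dfee3a68025ca4ddfdb41a846ae5d9b2b556bb0b3474c": "bnm_d7_psigned",
    "e010b28b36375a21fc08752235a9052a98cf4200e08a70c90a83cf3b1ed54c53": "bnm_h_signed.apk",
    "a1494a3ccffc644da8470fd997c7f84446cd9dc961cae2703e15724a47730986": "bnm_m_psigned.apk",
}
C2_HOSTS = {"67.229.128.74", "23.244.168.148", "183.86.209.102"}
HARDCODED_AES_KEY = b"tjdflklwer,.sdfs"  # 16 bytes: an AES-128 key, per step 10
SMS_PERMISSIONS = ("READ_SMS", "RECEIVE_SMS", "SEND_SMS")

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_apk(apk_bytes: bytes) -> dict:
    """Check an APK against the published indicators without executing it."""
    digest = sha256_of(apk_bytes)
    key_found_in, c2_strings, sms_perms = [], set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            blob = apk.read(entry)
            if HARDCODED_AES_KEY in blob:
                key_found_in.append(entry.filename)
            for ip in IPV4_RE.findall(blob):
                if ip.decode() in C2_HOSTS:
                    c2_strings.add(ip.decode())
            # Heuristic: a real AndroidManifest.xml is binary XML, so the
            # permission names sit in a string pool encoded as UTF-8 or UTF-16LE.
            for perm in SMS_PERMISSIONS:
                if perm.encode() in blob or perm.encode("utf-16-le") in blob:
                    sms_perms.add(perm)
    known = KNOWN_SHA256.get(digest)
    if known:
        verdict = "known sample"
    elif key_found_in or c2_strings:
        verdict = "likely variant"
    else:
        verdict = "no match"
    return {
        "sha256": digest,
        "known_sample": known,
        "key_found_in": key_found_in,
        "c2_strings": sorted(c2_strings),
        "sms_permissions": sorted(sms_perms),
        "verdict": verdict,
    }


def build_constructed_sample() -> bytes:
    """Build a stand-in APK for the example: a zip with a real APK's entry names.

    Constructed here, not one of the advisory's samples, so its hash matches
    none of KNOWN_SHA256; it does carry the key and one C2 address as strings.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "AndroidManifest.xml",
            '<manifest><uses-permission android:name="android.permission.RECEIVE_SMS"/>'
            '<uses-permission android:name="android.permission.SEND_SMS"/></manifest>',
        )
        z.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 32
            + b"http://23.244.168.148:8080/api\x00"
            + HARDCODED_AES_KEY + b"\x00",
        )
        z.writestr("res/drawable/bnm_logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py sample.apk` against a real file; a hash hit is conclusive, while a key or C2 string hit with an unknown hash points at a repacked variant of the same family. The script deliberately does not attempt to decrypt captured traffic, because the advisory states the key but not the cipher mode or IV handling.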


6.0 Recommendations
If you receive such a scam phone call, which impersonates a local law enforcement agency, you should immediately:
1. End the suspicious call and do not follow any instruction given.
2. Contact the financial institution mentioned in the call directly and check with them.
3. Contact the relevant law enforcement agency for verification.
4. Report the incident to cyber999@cybersecurity.my for MyCERT incident response.
5. Forward the malicious application to Cyber999 for further analysis.


General best practice for smartphone users:
1. Check an app's permissions before installing it; for example, an online banking app should not require access to the camera, the microphone or SMS.
2. Do not click on adverts or suspicious URLs sent through SMS or messaging services; a malicious program may be attached to collect the user's information.
3. Verify any URL you are given against the official website of the financial institution or law enforcement agency. On a mobile browser the site URL may be displayed differently from a desktop browser, so check it carefully there too.
4. Always run a reputable anti-virus product on your smartphone or tablet and keep it up to date.
5. Do not use public Wi-Fi networks for bank transactions, and turn Bluetooth off when not in use; both can be open windows for eavesdroppers to intercept transactions or to install spyware and other malware on the device.
6. Keep the operating system and the applications on your smartphone or tablet, including the browser, up to date, so that known security holes in outdated versions cannot be exploited.
7. Do not root or otherwise 'jailbreak' your phone: this grants administrator privileges over the device filesystem, which a malicious app can take advantage of.
8. Avoid sideloading (installing from non-official sources) whenever you can. If you do install Android software from somewhere other than the official app store, make sure it comes from a reputable source.
9. Ensure the "Unknown Sources" option in the Security settings page is turned off, and turn it off again after any installation that required it.



Generally, MyCERT advises users to keep up to date with the latest security announcements from their vendors and to follow security best practices when deciding which updates to apply.

For further enquiries, please contact MyCERT through the following channels:

Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Cyber999 Mobile Apps: iOS users or Android users



7.0 References