1.0 Introduction
MyCERT has recently received a number of reports from financial institutions that their customers' smartphones had been infected with malware through a phishing campaign.

Before the infection, the scammer posed as a law enforcement officer and called the victims several times, claiming that they had been involved in money laundering activities. The scammer then threatened to issue a warrant for their arrest, pressuring them into downloading and installing an unknown application. The malicious URL for downloading the app was sent by SMS, or dictated over the phone if the victim failed to follow it. Subsequently, victims found that money had been transferred out of their accounts without their consent.
 
2.0 Impact
•    Victims suffer financial loss through non-consented transactions.
•    Disclosure of personal information to scammers or other unknown parties may fuel similar scam campaigns in the future.

3.0 Modus Operandi
When the victim opens the given link in a mobile browser, it displays a web page bearing the PDRM logo. The victim is instructed to click the logo to download an app and is then directed to install it on the device.
 
Once installed and opened, the application sets itself as the default messaging application, replacing the phone's official messaging app. It also runs as a service rather than a normal application, so it does not appear in the application list.
 
The application requests several permissions that give it unauthorised access to the victim's smartphone. In the snapshot, the app requests permission to read and send SMS. We suspect the app maliciously initiates transactions from the phone and reads the victim's TAC code to complete the online banking transaction.
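The traits described in this section (SMS read/send permissions, taking over as the default messaging app, and no entry in the application list) can all be read from an APK's AndroidManifest.xml, which makes them a practical triage check for analysts handling such reports. The script below is an added example written for this advisory; it is not MyCERT tooling and no sample of the actual app was available to it. It parses a manifest and flags the combination of SMS permissions, the components Android requires before an app may become the default SMS handler (SMS_DELIVER, WAP_PUSH_DELIVER and RESPOND_VIA_MESSAGE), and the absence of a MAIN/LAUNCHER activity. Both manifests embedded in it are constructed for the demonstration, and the package names are placeholders.

```python
"""Triage check for an Android manifest: flags the SMS-capture traits
described in the advisory. Example code added here, not MyCERT's tooling.
The two manifests at the bottom are constructed test inputs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name

SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Intent actions an app must handle before Android lets it become the
# default SMS app, i.e. before it can replace the official messaging app.
DEFAULT_SMS_MARKERS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def _names(element, tag):
    """All android:name values of <tag> elements under a component."""
    return {e.get(NAME) for e in element.iter(tag) if e.get(NAME)}


def analyse_manifest(xml_text: str) -> dict:
    """Return the SMS-related findings for one manifest as a dict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.findall("uses-permission")}
    sms_perms = requested & SMS_PERMISSIONS

    app = root.find("application")
    components = [] if app is None else list(app)
    actions, has_launcher = set(), False
    for comp in components:  # activity / receiver / service / provider
        comp_actions = _names(comp, "action")
        actions |= comp_actions
        if ("android.intent.action.MAIN" in comp_actions
                and "android.intent.category.LAUNCHER" in _names(comp, "category")):
            has_launcher = True
    markers = actions & DEFAULT_SMS_MARKERS

    reasons = []
    reads_sms = bool(sms_perms & {"android.permission.READ_SMS",
                                  "android.permission.RECEIVE_SMS"})
    if reads_sms:
        reasons.append("can read incoming SMS (TAC interception)")
    if markers:
        reasons.append("declares default-SMS-app components: " + ", ".join(sorted(markers)))
    if not has_launcher:
        reasons.append("no MAIN/LAUNCHER activity (hidden from the app list)")
    # SMS reading alone is common in legitimate apps; the combination with
    # default-SMS takeover or a hidden icon is what matches this campaign.
    suspicious = reads_sms and (bool(markers) or not has_launcher)
    return {
        "sms_permissions": sorted(sms_perms),
        "default_sms_markers": sorted(markers),
        "has_launcher_activity": has_launcher,
        "suspicious": suspicious,
        "reasons": reasons,
    }


# Constructed manifest mimicking the traits in the advisory (placeholder package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakeapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".ResponseService" android:exported="true">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed benign manifest: ordinary launcher app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyse_manifest(text))
```

To run it against a real sample, extract the manifest first (for example with apktool, which decodes the binary manifest to plain XML) and pass the file contents to analyse_manifest. The check is deliberately a combination rule: SMS permissions on their own are not a verdict, since many legitimate apps request them, whereas SMS access together with default-SMS-app components or a missing launcher icon matches the behaviour reported here.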