1.0 Introduction
MyCERT and NC4 have received several reports from financial institutions that their customers' smartphones were recently infected with malware through a scam campaign. The National Cyber Coordination and Command Centre (NC4) has released an alert regarding this matter. Users may refer to the URL below for details:
 
 
2.0 Impact
- The victim suffers financial loss through non-consented transactions.
- Disclosure of personal information to scammers or other unknown parties may fuel similar scam campaigns in future.

3.0 Modus Operandi
 
In summary, the modus operandi for this scam is as follows:
 
 
 
4.0 Preliminary Analysis
 
Sample:

Binary                 SHA-256 Hash                                                        Size
bnm_d7_psigned         21cda890254d5519bb6dfee3a68025ca4ddfdb41a846ae5d9b2b556bb0b3474c    978 KB
bnm_h_signed.apk       e010b28b36375a21fc08752235a9052a98cf4200e08a70c90a83cf3b1ed54c53    1.3 MB
bnm_m_psigned.apk      a1494a3ccffc644da8470fd997c7f84446cd9dc961cae2703e15724a47730986    1.6 MB

Server Information:

IP Address        Port    Location       Remark
67.229.128.74     88      South Korea    Cloud service, hosts the malicious file
23.244.168.148    8080    Nevada         Cloud service, C2 server
183.86.209.102    8080    South Korea    Cloud service, C2 server

Scammer Information:

Phone Numbers Used
+6011-25662436
+6011-12081457
+6011-2302925

When the victim browses to the given link using a mobile browser, a web page bearing the Bank Negara logo is displayed. The victim is instructed to tap the logo to download an app and is then directed to install it on their device.

JavaScript on the website ensures that only mobile browsers can see the content. If the victim opens the link in a browser on a PC, they are redirected to the official PDRM website.

5.0 Behaviour Analysis
 
1. The scammer guides the victim to enable "Unknown Sources" under Settings -> Security, which allows applications from unverified sources to be installed.

2. The victim is directed to a link, delivered by phone call or mobile messaging app, and asked to open it in a mobile browser and tap the BNM logo.

3. A file is downloaded onto the victim's phone. The victim is guided to install the APK on their device.

4. Once installed and opened, the app requests to become the default SMS app.

5. The app then displays a page asking the user to key in all the credential information required to log in to the BNM system. The scammer guides the victim through filling in the necessary information.

6. In reality, the page is a web page hosted on the C2 server, and all the information supplied by the victim is passed to it. The malicious app also records the victim's SIM number and ties it to the information submitted through the same app.

7. After the victim presses the Enter button on the screen, the app submits the information to the C2 server and the victim is served a page reading "Submit OK. your information is under checking" (the page contains a spelling error).

8. The app then starts monitoring the SMS inbox and communicates continuously with the C2 server.
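The default-SMS-app request in step 4 and the inbox monitoring in step 8 leave a static footprint in the APK's manifest. The following triage script, an added example that is not part of the advisory and was not run against the listed samples, summarises those indicators from a decoded AndroidManifest.xml (as produced by apktool, for instance); the embedded manifest and package name com.example.fakebank are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Intent actions Android requires an app to handle before it can be offered
# the default-SMS-app role (two receivers, an activity and a service).
DEFAULT_SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the SMS-related capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    role_actions = actions & DEFAULT_SMS_ROLE_ACTIONS
    internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "default_sms_role": role_actions == DEFAULT_SMS_ROLE_ACTIONS,
        "internet": internet,
        # SMS access plus network egress is what lets intercepted OTPs leave the phone.
        "otp_exfil_capable": bool(perms & SMS_PERMISSIONS) and internet,
    }

# Constructed manifest mimicking the described behaviour; not from any listed sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".ComposeActivity"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".HeadlessSmsSendService"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""
```

A manifest that declares the full default-SMS role together with INTERNET is not proof of malice on its own (legitimate messaging apps look the same), but for an app distributed as a "bank" APK outside the store it is the indicator to escalate on.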