1.0 Introduction
MyCERT and NC4 had received several reports from Financial Institutions regarding their customers’ smartphones had been infected with malware through a scam campaign recently. National Cyber Coordination and Command Centre (NC4) has released an alert regarding this matter. Users may refer to the URL below for details:
 
 
2.0 Impact
 The victim suffered money loss through the non-consented transaction.
 Disclosure of personal information to scammers or unknown parties may increase similar scamming campaigns in future.
 
 
3.0 Modus Operandi
 
In summary, the modus operandi for this scam is as follows:
 
 
4.0 Preliminary Analysis
 
Sample:
Binary Sha-256 Hash Size
MaintainV3.apk 6208b01e4c78ba3bae9685791ef1a663f1ea158eb3f1e2474e5f35377244283a 7.2 MB
Server:
IP Address Port Location Remark
144.217.88.38 80 Canada (OVH) Cloud Service, host malicious file, C2 server
 
Scammer detail:
Phone Number Used
+6011- 14149637
 
 
When victim browse to the given link using mobile browser, it will display a web page with Bank Negara logo. The victim will be instructed to click on the logo to download an app and directed to install it on their device.
 
 
 
 
JavaScript is used on the website to ensure only mobile browser can see the content. If the victim is using the browser on their PC, they will be redirected to some page at Baidu website.
 
 
 
5.0 Behaviour Analysis
 
1. Scammer guide victim to enable “Unknown Sources” in Settings -> Security to enable application installation from unverified Source.
 
 
 
 
 
2. Victim was directed to a link given thru by phone or messenger and asked click on a BNM logo.
 
 
 
 
 
3. A file will be downloaded into the victim phone. The victim will be guided to install the APK on their device.
 
 
 
 
 
The app will request to become default SMS app.
 
 
4. Once Installed and open, it will display the main page of this mobile application.
 
 
 
 
5. The app then displays a page for the user to key-in all the required credential information. The scammer will guide victim to fill up legit Malaysian online banking credentials.
 
 
 
6. When victim clicks “Confirm” button, the application will send those data to the C2 server.