1.0 Introduction
MyCERT received a report concerning several fraudulent websites that impersonate Petronas Malaysia for suspicious purposes. We identified cybercriminals distributing a malicious Android application (APK) in a campaign targeting Petronas customers.
Victims are directed to a fake website that impersonates the Petronas SYNTIUM brand and offers an "All-Inclusive Car Service Package". The site lures victims into downloading a malicious APK file, supposedly required to book the package.
2.0 Description
Once the malicious APK is downloaded onto the victim's phone, the victim keys in personal information such as name, telephone number and shipping address into the malicious application to book the All-Inclusive Car Service Package. The malicious APK collects this information and sends it to a C&C server controlled by the cybercriminals. The victim is then prompted to make a payment within the malicious application, either by online banking or by credit card. If the victim chooses online banking, they are redirected to a fake online banking website and enter their banking credentials there (believing it to be a legitimate online banking website) in order to proceed with the payment. These banking credentials are collected by the malicious APK and sent to the C&C server. The malicious APK also has the capability to capture every incoming SMS, including SMS sent by legitimate online banking services that contain authorisation/TAC codes, which the cybercriminals can use to carry out unauthorised online banking transactions.
3.0 Impact
Financial loss and disclosure of banking credentials and other Personal Identifiable Information (PII).
4.0 Affected System and Devices
Android.
5.0 Indicators of Compromise
Table 1: List of Indicators of Compromise (IOC) for MyPetronas Campaign
Indicator | Indicator type | Description |
9b839b76e2fadec2f461b7b440489601 | MD5 | Hash of the APK sample |
c6fa3333bccfe51ef149b8536eeaa988e1ca6343 | SHA-1 | Hash of the APK sample |
954cf238d370b6420908956997f60abfc6153053bc6cc4c458c25320568fc729 | SHA-256 | Hash of the APK sample |
myworkshop.apk | File name | File name of the APK file |
hxxps://pt-gift[.]store | URL | Landing page URL |
hxxps://petronas-gift[.]store | URL | Landing page URL |
hxxps://myworkshop[.]store | URL | Landing page URL |
hxxps://lapks.online/skyblue_888a/api/api.php?post_order | URL | C&C URL |
hxxps://gpost996.online/post.php | URL | C&C URL |
hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s | URL | C&C URL |
Figure 1: Landing Page That Hosts the Malicious APK file via the “Booking Here” Button
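As an added, defender-side example (not part of the MyCERT advisory), the following Python script turns the indicators in Table 1 into something runnable: it refangs the published URLs, matches file digests against the hash IOCs, and flags proxy-log lines that contact the landing-page or C&C hosts. The log line format and the sample log lines are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# IOCs copied from Table 1 of the advisory, kept defanged as published.
HASH_IOCS = {
    "md5": "9b839b76e2fadec2f461b7b440489601",
    "sha1": "c6fa3333bccfe51ef149b8536eeaa988e1ca6343",
    "sha256": "954cf238d370b6420908956997f60abfc6153053bc6cc4c458c25320568fc729",
}
URL_IOCS = [
    "hxxps://pt-gift[.]store", "hxxps://petronas-gift[.]store", "hxxps://myworkshop[.]store",
    "hxxps://lapks.online/skyblue_888a/api/api.php?post_order",
    "hxxps://gpost996.online/post.php",
    "hxxps://sgbx.online?pass=app168&cmd=sms&sid=%1$s&sms=%2$s",
]

def refang(url: str) -> str:
    """Undo the hxxp:// and [.] defanging so the URL can be parsed and compared."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def ioc_hosts() -> set:
    """Hostnames of the landing pages and C&C endpoints (lower-cased by urlsplit)."""
    return {urlsplit(refang(u)).hostname for u in URL_IOCS}

def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's bytes, in the same form as Table 1."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_IOCS}

def match_hashes(d: dict) -> list:
    """Names of the hash IOCs that the supplied digests match (case-insensitive)."""
    return [k for k, v in HASH_IOCS.items() if d.get(k, "").lower() == v]

def scan_proxy_log(lines) -> list:
    """(timestamp, host) for each line whose URL host is an IOC host.
    Constructed line format: '<timestamp> <client-ip> <method> <url>'."""
    hosts = ioc_hosts()
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host in hosts:
            hits.append((parts[0], host))
    return hits

# Constructed sample proxy log: three lines touch campaign infrastructure, one is benign.
SAMPLE_LOG = [
    "2022-09-05T08:12:41Z 10.20.0.17 GET https://www.example.com/index.html",
    "2022-09-05T08:13:02Z 10.20.0.17 GET https://petronas-gift.store/",
    "2022-09-05T08:15:30Z 10.20.0.17 POST https://gpost996.online/post.php",
    "2022-09-05T08:15:31Z 10.20.0.17 GET https://sgbx.online?pass=app168&cmd=sms",
]
```

Run `match_hashes(digests(open(path, "rb").read()))` on a suspect APK and `scan_proxy_log` over real proxy lines in the same field layout; a non-empty result in either case warrants an incident report to Cyber999.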
6.0 Recommendations
The main motive of the malicious APK is possibly to steal victims' banking credentials, which could then be used for malicious purposes. MyCERT highly recommends the following:
- DO NOT SIMPLY DOWNLOAD ANY APPLICATIONS SENT BY SOMEONE CLAIMING TO BE OFFERING SERVICES OR SELLING GOODS.
- Verify application permission and the application author or publisher before installing it.
- Avoid side loading (installing from non-official sources) when you can. If you do need to install Android software from a source other than the trusted marketplace, be sure that it is coming from a reputable source.
- Do not click on adverts or suspicious URLs sent through SMS/messaging services; a malicious program could be attached to collect users' information.
- Always run a reputable anti-virus on your smartphone/mobile devices and keep it up to date regularly.
- Update the operating system and applications on smartphones/tablets, including the browser, in order to avoid exploitation of security holes in outdated versions.
- Do not root or 'Jailbreak' your phone.
- Contact relevant authorities such as Cyber999 for any inquiries and assistance needed related to this threat.
Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
7.0 References
- MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential, https://www.mycert.org.my/portal/advisory?id=MA-834.052022
- MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme, https://www.mycert.org.my/portal/advisory?id=MA-790.072020
- MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK, https://www.mycert.org.my/portal/advisory?id=MA-690.122017
- MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant, https://www.mycert.org.my/portal/advisory?id=MA-695.012018
- MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK, https://www.mycert.org.my/portal/advisory?id=MA-694.012018
- VirusTotal report for the APK sample (SHA-256 in Table 1): https://www.virustotal.com/gui/file/954cf238d370b6420908956997f60abfc6153053bc6cc4c458c25320568fc729
- https://notes.netbytesec.com/2022/09/scam-android-app-steals-bank.html