Spoofed Asian Bank App Tricks People to “Invest” Thousands

• A new tricky campaign is using well-crafted bank spoofing apps to convince users to “invest” in crypto.
• The victims source the app from outside the store and then share sensitive information with the actors.
• The investments go straight into the actors’ wallets, while victims are made to believe they’re holding the tokens.

There’s a new scamming campaign unfolding in Asian countries, using a cloned app that spoofs the portal of a well-known bank in the region. The real bank worked closely with Zimperium to uncover this campaign while it is still at an early stage, so this publication is to raise awareness and close the income tap for the actors.

The crooks have exploited a recent announcement from the actual financial organization about developing a digital exchange that calls people to invest and trade using the new token. Dozens have downloaded the spoofed app, losing an average of $1,500 in fake investments.

The app isn’t available on the Google Play Store, but victims are led to its distribution portals through phishing links, third-party sites, forum posts, social media messages, etc. So far, no mobile AV solutions detect the app as malicious because it doesn’t feature anything suspicious on its code.

The cloned app relies on social engineering and straight-out trickery on the human level, even featuring active customer support to ensure that the “complete package” is presented to the victims.

Upon registration, victims give away their email address, account number, organization code (typo here), and a password that could be used in future stuffing attacks. To add legitimacy to this step as well, the app generates a verification email, which is sent to the user via email address.

Once this step is over, the victim accesses the crypto trade app, which looks pretty legit too. The app fetches price changes from the market, so the token value and the exchange rates are dynamically updated on the app, giving an overly convincing image to the user.

The victim is tricked into adding funds on the app to invest in the token, or BTC, or even ETH. This money shows up on the app’s wallet management page, so the user is getting a sense of control and believes he is the holder, but the real amounts have already been directed straight to actor-controlled wallets.

As Zimperium warns, this campaign is really just the beginning for these actors, as they have noticed them targeting a second bank already. Having the themes and the code and the customer support lines up, nothing is stopping the actors from updating their themes and trying again.

That said, do not trust any apps sourced from outside the Google Play Store. A bank app should always be present on the official Android store. Otherwise, it’s not safe to use, even if it’s the real one.