Researchers discovered a new Android malware called “BasBanke” that targets Brazilian users to steal sensitive financial data such as credentials and credit/debit card numbers.
The malware authors abuse advertising on Facebook and WhatsApp to trick users into downloading the malware, which also performs various other attacks, including keystroke logging, screen recording, and SMS interception.
The advertising campaign URLs pointed either to the official Google Play Store or to another website where the attackers trick users into downloading a malicious APK.
In this case, CleanDroid is one of the widespread malicious apps; it is advertised on Facebook, with the download link pointing to the Google Play Store.
Malicious Play Store Apps
Malicious Android apps hosted in the Google Play Store posed as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – as an application to “see who visited your profile.”
The attackers are significantly targeting banking applications: the targets include Brazilian financial institutions as well as other popular websites such as Spotify, YouTube, and Netflix.
According to Kaspersky research, “We have previously found a few malicious campaigns similar to this but with significantly reduced distribution when compared to BasBanke. Another difference is that BasBanke uses Facebook and WhatsApp as a mass distribution vector.”
Once they convince the targeted users, the malicious apps collect metadata such as the device name, IMEI, and telephone number and send it back to the attacker via a C2 server.