Verified Android vendor targets mobile payment systems with web injects

Credential-harvesting web injects targeting mobile banking apps were sold on the dark web.

Cyble Research and Intelligence Labs (CRIL) investigation revealed that threat actor InTheBox has been increasing their stock of web injects compatible with various Android banking malware on their online shop residing on the dark web.

Android web inject is a custom-made module crafted to harvest sensitive information from specific applications.

Injects on the InTheBox shop target retail banking, mobile payment systems, cryptocurrency exchanges, and mobile e-commerce apps. Organizations in Australia, Brazil, India, Indonesia, Japan, Kuwait, Malaysia, Philippines, Qatar, Saudi Arabia, Singapore, Thailand, and the United States, as well as various locations in Europe and Asia, are among the affected.

InTheBox shop offers a wide range of web injects for various banking malware, including Alien, Ermac, Octopus, MetaDroid, Cerberus, and Hydra. The prices of packages with hundreds of injects range from nearly $ 4000 to $ 6,500. The price for individual web injects has been reduced from USD 50 to USD 30 each.

InTheBox has been a verified vendor of Android mobile app web injects since February 2020.

Tor-based Online Shop InTheBox
Tor-based Online Shop InTheBox. Image by Cyble

How does a web inject work?

InTheBox's web injects typically come in a compressed package that includes a PNG-format app icon and an HTML file. The HTML file contains JavaScript code responsible for collecting sensitive information using a malicious overlay interface disguised as the mobile app's input form.

CRIL researchers state that the injection process begins with an overlay interface that asks the infected user to input their mobile banking details, such as user ID, password, and mobile number.

After these credentials are entered, a subsequent overlay interface loads, tricking the user into revealing their credit card number, expiration date, and CVV information, even though a legitimate application may not require any of these inputs.

overlay harvesting credentials
Overlay interface harvesting credentials. Image by Cyble

How to stay safe?

Researchers advise following cybersecurity best practices to prevent attackers from accessing their personal and financial information.

Download and install software only from trusted sources such as official app stores.

  1. Download and install software only from trusted sources such as official app stores.
  2. Invest in licensed anti-virus software and keep it updated at all times.
  3. Be wary of opening any links received via messages or emails from unknown sources on your phone.
  4. Enable Google Play Protect on your Android device to stay protected.
  5. Exercise caution while granting any app permissions.
  6. Keep your devices, operating systems, and applications up-to-date.
  7. Pay close attention to security features provided in the latest software updates, and be wary of any prompts for additional inputs such as payment card details.
  8. If you suspect that your device may have been infected, try performing a factory reset or removing the suspect application.

More from Cybernews:

Cybercrime is world's third largest economy

EU sweep reveals evidence of consumer manipulation

Microsoft hunts threat actors over malvertising

TikTok users invited to share data as part of platform probe

GitHub breach: attackers cloned code signing certificates

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked