Zimperium reports a large-scale campaign targeting users of Iranian mobile banking applications. The campaign was initially discovered in July 2023 when Zimperium identified approximately 40 applications impersonating high-profile local banks, including Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran.
Most of these applications appear to have been shared over a popular Iranian marketplace named "Cafe Bazaar."
As of November 28, 2023, Zimperium has shared that the threat remains active and is undergoing further development. Currently, 245 malicious applications have been identified, with 28 of them successfully evading detection, according to the Zimperium report. While the campaign primarily targets Android users, there is potential for replication on iOS as well.
The primary objective of the campaign appears to be information theft for financial gain. The attacker abuses accessibility services to overlay screens, harvesting credentials and credit card details that, once logged, are exfiltrated to two Telegram channels.
The campaign demonstrates a high level of sophistication, employing vendor-specific techniques. For example, Zimperium reports that code analysis indicates the attackers customized the application code to operate in ways specific to Xiaomi and Samsung builds. This customization enhances the effectiveness of the accessibility service abuse within the targeted environment where the malware operates. The sophistication level was also apparent in the phishing sites that were created to support the campaign.