Customers of eight Malaysian banks have had their online banking credentials stolen via a bogus Android app posing as a housekeeping service.
First noticed by MalwareHunterTeam last week and later analyzed by security experts at Cyble, the application is promoted through numerous bogus or copied websites and social media accounts that advertise the malicious APK, ‘Cleaning Service Malaysia.’
When users install the application, they are asked to approve at least 24 permissions, including ‘RECEIVE_SMS,’ which is unsafe because it lets the app monitor and read every SMS message received on the device.
The app abuses this permission to read incoming SMS messages and collect the one-time passwords and multi-factor authentication codes used by e-banking applications, which are then sent to the cybercriminal’s server.
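One way to triage a decoded AndroidManifest.xml (for example, as produced by apktool) for the SMS-interception pattern described above. This is an added example, not code from the original report; the sample manifest, package name and receiver name are constructed, and treating SMS access combined with INTERNET as the signal is an assumption about how the codes leave the device.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
# Real Android permission and broadcast names that expose incoming SMS content.
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: NOT the manifest of the app described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaning">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return SMS-interception indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # Receivers registered in the manifest for the incoming-SMS broadcast.
    receivers = [
        r.get(NAME)
        for r in root.iter("receiver")
        if any(a.get(NAME) == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    sms_perms = sorted(perms & SMS_READ_PERMS)
    return {
        "permission_count": len(perms),
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        # SMS access plus network access: codes can be read and sent off-device.
        "sms_plus_network": bool(sms_perms) and "android.permission.INTERNET" in perms,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

An app whose stated purpose is booking a cleaning service has no functional need for any of these indicators, so a non-empty result is a reason to reject the APK or escalate it for analysis.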