A sophisticated phishing campaign distributing a newly identified malware variant called AppLite Banker has been uncovered.
Security researchers from Zimperium’s zLabs identified the malware as an updated version of the Antidot banking Trojan.
The campaign, which primarily targets Android devices, employs advanced social engineering techniques to steal credentials and compromise devices used for both personal and corporate purposes.
Key Tactics Used in the Campaign
“This latest mobile-targeted phishing campaign represents a sophisticated evolution of techniques first seen in Operation Dream Job, now adapted for the mobile era,” commented Stephen Kowski, field CTO at SlashNext.
“While the original Operation Dream Job used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploit mobile vulnerabilities through fraudulent job application pages and banking Trojans.”
In fact, the AppLite Banker attackers pose as recruiters or HR representatives from well-known companies to deceive victims. Phishing emails designed to mimic legitimate job offers direct users to fake landing pages. These sites then trick users into downloading a fraudulent CRM application, which serves as a dropper to install the AppLite malware.
Once installed, the malware enables a range of malicious activities:
-
Credential theft targeting banking, cryptocurrency and financial apps
-
Abuse of Accessibility Services for screen overlays and self-permissions
-
Remote control via Virtual Network Computing (VNC)
-
Use of deceptive overlays to harvest user credentials
Zimperium researchers found that the malware targets 172 applications, including financial platforms and crypto wallets, and employs advanced tools to manipulate device functionality and intercept sensitive information.
To bypass detection, AppLite uses ZIP file manipulation to confuse security tools and embeds malicious scripts into HTML overlays. These methods allow it to remain undetected by many conventional analysis tools.
Read more about cybersecurity challenges in the financial sector: APP Fraud Singled Out as Biggest Financial Crime Threat
The malware’s reach extends to users proficient in English, Spanish, French, German, Italian, Portuguese and Russian, with a focus on regions where targeted apps are popular. Its ability to steal lock screen credentials and automate screen unlocking is particularly concerning, granting attackers near-total control of infected devices.
Mitigating the Threat
Security researchers highlighted the importance of proactive defenses to detect and neutralize zero-day threats such as this.
“As mobile devices have become essential to business operations, securing them is crucial, especially to protect against the large variety of different types of phishing attacks, including these sophisticated mobile-targeted phishing attempts,” explained Patrick Tiquet, vice president of security & architecture at Keeper Security.
“Organizations should implement robust Mobile Device Management (MDM) policies, ensuring that both corporate-issued and BYOD devices comply with security standards. Regular updates to both devices and security software will ensure that vulnerabilities are promptly patched – safeguarding against known threats that target mobile users.”
Update, a Google spokesperson sent the follow statement to Infosecurity on December 13.
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said.