The South Korean Fake Banking App Scam
View research paper: The South Korean Fake Banking App Scam
In our continuous threat monitoring, we discovered a group of cybercriminals that targeted and successfully profited from Android™ mobile banking customers in South Korea. The cybercriminals behind the said operations used fake banking apps that sport the same icons and UIs as the official ones they spoof to feign legitimacy. In addition, they also use fake versions of other popular apps, including utilities, chat, portal,and security apps to infect South Korean victims’ devices and steal their mobile banking credentials.
This Trend research paper provides in-depth information on the cybercriminal group behind such operation dubbed as Yanbian Gang.
The use of Fake Apps to steal user information
The Yanbian Gang used fake apps to infect users’ mobile devices. Fake apps and social engineering lures are utilized to trick users into executing the malware on their devices. In our investigation, this group created fake banking apps, which also came in the guise of popular porn apps with lewd icons and names. These fake apps upload stolen user information such as mobile phone numbers, account names and number, and login credentials, to their command-and-control (C&C) servers. Text messages are also stolen and uploaded to these C&C servers. Note that all of the Android malware that the Yanbian Gang used in their attacks were not available for download on Google Play or any third-party app site. They were only distributed through malicious text messages or downloaded by other malware.
Apart from spoofing banking apps, the Yanbian Gang also faked other apps like Google Play and Search, and Adobe® Flash® Player. In our analysis, we looked at a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app while 13 were fake versions of other Google apps. Cybercriminals spoofed Google apps since these usually come preinstalled on every Android mobile device. Lastly, they created a fake app called “The Interview” which spoofed the movie of the same title. When users click on the app's buttons, it downloads the malware on devices and consequently steals user’s mobile banking credentials.
The Yanbian Gang and its Organizational Structure
This cybercriminal group operates from the Yanbian Prefecture in Jilin, China, located north of the North Korean border, thus the name “Yanbian Gang.” And just like any cybercriminal groups that have several members who play specific roles to launch high-impact attacks, the Yanbian Gang comprises of four major players or groups—the organizer, translators, cowboys, and malware creators.
- Organizer: As the ‘founding father,’ his duties include scouting for and recruiting members. All members directly communicate with him thus making him an indispensable member.
- Translators: They localize threats. In this case, the translators used Korean for their specially crafted text messages as well as the malicious file’s user interface (UI).
- Cowboys: They are responsible for collecting the proceeds from successful attacks and giving them to the organizer. They usually reside in the same countries as their intended victims. They also use black or fridge cards, which are bank cards to evade law enforcement. Based on our information, Chinese hackers trade black or fridge cards via QQ Chat groups. Interested buyers can purchase such cards for around US$725 or KRW800,000 each
- Malware creators: The malicious app developers, in this case, are probably the most important members of the gang, as the success of an attack largely depends on how effective their creations are. Hacker groups can be seen publicly recruiting malware co-creators in bulletin board systems (BBSs) or chat groups.
For more details, on how Yanbian Gang conducts their operations, read our Trend Micro research paper, The South Korean Fake Banking App Scam.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.