In our continuous threat monitoring, we discovered a group of cybercriminals that targeted, and successfully profited from, Android™ mobile banking customers in South Korea. The cybercriminals behind this operation used fake banking apps that sport the same icons and user interfaces as the official apps they spoof in order to appear legitimate. They also used fake versions of other popular apps, including utility, chat, portal, and security apps, to infect South Korean victims' devices and steal their mobile banking credentials.
This Trend Micro research paper provides in-depth information on the cybercriminal group behind the operation, dubbed the Yanbian Gang.
The Use of Fake Apps to Steal User Information
The Yanbian Gang used fake apps to infect users' mobile devices. Fake apps and social engineering lures trick users into installing and running the malware themselves. In our investigation, this group created fake banking apps, some of which also came in the guise of popular porn apps with lewd icons and names. These fake apps upload stolen user information, such as mobile phone numbers, account names and numbers, and login credentials, to their command-and-control (C&C) servers. Text messages are also stolen and uploaded to these C&C servers, which is significant because South Korean banks send one-time transaction codes over SMS. Note that none of the Android malware the Yanbian Gang used in its attacks was available for download on Google Play or any third-party app site; it was distributed only through malicious text messages (smishing) or downloaded by other malware already on the device.
Apart from spoofing banking apps, the Yanbian Gang also faked other apps, such as Google Play, Google Search, and Adobe® Flash® Player. In our analysis, we looked at a total of 1,007 fake Google app versions, 994 of which were fake versions of the Google Play app while 13 were fake versions of other Google apps. The cybercriminals spoofed Google apps because these usually come preinstalled on every Android mobile device, so users are not surprised to see them. Lastly, they created a fake app called "The Interview," which spoofed the movie of the same title. When users tap the app's buttons, it downloads the malware onto the device, which then steals the user's mobile banking credentials.
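A fake app can copy an icon and a user interface, but it cannot copy the legitimate developer's signing certificate, and it did not arrive through Google Play. The following is an added example written for this page, not code from the Trend Micro paper or from the malware, that turns those two facts into a triage check over a device's app inventory. It assumes a reference table of known package names and signer fingerprints (the package names and SHA-256 values below are constructed placeholders, not real fingerprints) and a constructed inventory of the kind one could build from `adb shell pm list packages -i` plus each APK's signer digest. It flags three conditions: a known package whose signer does not match, an unknown package whose display label impersonates a known app, and a sideloaded app that holds SMS permissions, the combination that the text-message theft described above requires.

```python
"""Triage an Android app inventory for Yanbian-style fake apps.

Added example for this page; not from the research paper or the malware.
All package names, labels, fingerprints and permissions below are constructed.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical reference table: package name -> (display label, SHA-256 of the
# legitimate signing certificate). Real fingerprints would come from a known-good
# install; these are placeholder hex strings.
KNOWN_SIGNERS: Dict[str, Tuple[str, str]] = {
    "com.android.vending": ("Google Play Store", "aa" * 32),
    "com.adobe.flashplayer": ("Adobe Flash Player", "bb" * 32),
    "com.example.kbank": ("K Bank", "cc" * 32),
}

# Permissions a credential stealer needs in order to intercept SMS-delivered codes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Installer packages considered trusted; anything else (or None) is a sideload.
STORE_INSTALLERS = {"com.android.vending"}


@dataclass
class InstalledApp:
    package: str
    label: str
    signer_sha256: str
    installer: Optional[str]            # None when pm reports installer=null
    permissions: List[str] = field(default_factory=list)


def classify(app: InstalledApp) -> List[str]:
    """Return the reasons an app looks fake; an empty list means no finding."""
    reasons: List[str] = []
    label_to_pkg = {label.lower(): pkg for pkg, (label, _) in KNOWN_SIGNERS.items()}

    if app.package in KNOWN_SIGNERS:
        _, expected = KNOWN_SIGNERS[app.package]
        if app.signer_sha256.lower() != expected:
            reasons.append("signer mismatch for known package")
    else:
        impersonated = label_to_pkg.get(app.label.strip().lower())
        if impersonated:
            reasons.append(f"label impersonates {impersonated}")

    sideloaded = app.installer not in STORE_INSTALLERS
    if sideloaded and SMS_PERMISSIONS & set(app.permissions):
        reasons.append("sideloaded app with SMS permissions")
    return reasons


def find_fake_apps(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map each suspicious package name to its list of findings."""
    findings = {app.package: classify(app) for app in inventory}
    return {pkg: why for pkg, why in findings.items() if why}


# Constructed inventory: one genuine app, two impersonators, one benign sideload.
SAMPLE_INVENTORY = [
    InstalledApp("com.android.vending", "Google Play Store", "AA" * 32,
                 None, ["android.permission.INTERNET"]),          # preinstalled, genuine
    InstalledApp("com.update.googleplay", "Google Play Store", "dd" * 32,
                 None, ["android.permission.RECEIVE_SMS",
                        "android.permission.READ_SMS"]),          # fake Play, smished
    InstalledApp("com.example.kbank", "K Bank", "ee" * 32,
                 None, ["android.permission.READ_SMS"]),          # fake bank app
    InstalledApp("org.example.notes", "Notes", "ff" * 32,
                 None, ["android.permission.INTERNET"]),          # sideloaded, harmless
]

if __name__ == "__main__":
    for pkg, why in find_fake_apps(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

Android refuses to install a package whose name matches an existing app but whose signer differs, so a fake Play Store in practice uses a different package name with the same label and icon; that is why the label check matters alongside the signer check. The SMS rule is a heuristic and will also fire on legitimate sideloaded messaging apps, so treat it as a triage signal, not a verdict.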
The Yanbian Gang and its Organizational Structure
This cybercriminal group operates from the Yanbian Prefecture in Jilin, China, just north of the North Korean border, hence the name "Yanbian Gang." Like other cybercriminal groups whose members play specific roles in order to launch high-impact attacks, the Yanbian Gang comprises four major players or subgroups: the organizer, the translators, the cowboys (who handle the money), and the malware creators.
For more details on how the Yanbian Gang conducts its operations, read our Trend Micro research paper, The South Korean Fake Banking App Scam.