
Finding a good job is difficult, which is why cybercriminals use job recruitment offers to trick people into downloading malicious Android mobile applications that pretend to be job application software. Zimperium’s zLabs uncovered a new variant of the Antidot banking trojan, which they named AppLite Banker. This sophisticated mobile-targeted phishing campaign purports to be a message from a known company’s recruiter but is ultimately designed to get the user to download a trojan app that steals banking credentials from the unsuspecting victim.
Mechanics of the AppLite Campaign
The AppLite campaign, which is not attributed to any specific threat actor, is based on the reality that the vast majority of people are using mobile devices to apply for jobs. For the past few years, Appcast has reported that nearly two-thirds of job applications have been submitted from a mobile device. The phishing attempt begins with a fraudulent email, skillfully crafted to appear as an authentic job inquiry from a well-known organization. Jason Soroko, Senior Fellow at Sectigo, says that this “new wave of cyber scams underscores the evolving tactics used by cybercriminals to exploit job seekers who are motivated to make a prospective employer happy. By capitalizing on individuals’ trust in legitimate-looking job offers, attackers can infect mobile devices with sophisticated malware that targets financial data.”
Following the hook, the mobile user is directed to a website to continue the application process and to download an application that appears legitimate. Once this malicious dropper is installed, the attacker can deliver the specific payload, in this case AppLite Banker.
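As an added defender-side illustration (not part of the article or Zimperium’s research), the following Python mail-gateway rule scores a message for the traits of the lure described above: recruiter-themed wording, a link that leaves the sender’s own domain, and a direct .apk download instead of an app-store listing. The two sample messages and all domains in them are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_WORDS = ("interview", "shortlisted", "job offer", "recruiter", "application portal", "position")

# Constructed sample messages (not real captures); domains are placeholders.
SAMPLE_LURE = """From: Talent Team <recruiter@example-hr.com>
To: candidate@example.org
Subject: Interview invitation - Senior Analyst role
Content-Type: text/plain

Congratulations, you have been shortlisted. Please download our application
portal to complete your interview: https://jobs-portal.example.net/apply/app.apk
Company site: https://www.example-hr.com/careers
"""
SAMPLE_BENIGN = """From: Careers <careers@example-hr.com>
To: candidate@example.org
Subject: Interview invitation - Senior Analyst role

Please confirm your slot at https://www.example-hr.com/careers/interviews
"""

def analyze_message(raw: str) -> dict:
    """Score one RFC 5322 message for the traits of the AppLite job lure."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode("utf-8", errors="replace")
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    links = [urlparse(u) for u in URL_RE.findall(text)]
    findings = {
        # Recruiter-themed wording is the social-engineering hook.
        "recruitment_lure": any(w in haystack for w in LURE_WORDS),
        # A direct package download means sideloading; legitimate employers link to a store listing.
        "direct_apk_link": any(l.path.lower().endswith(".apk") for l in links),
        # Links that leave the sender's own domain point to the attacker's landing site.
        "offsite_link": any(not l.netloc.lower().endswith(sender_domain) for l in links),
    }
    if findings["recruitment_lure"] and findings["direct_apk_link"]:
        findings["verdict"] = "quarantine"
    elif findings["recruitment_lure"] and findings["offsite_link"]:
        findings["verdict"] = "flag"
    else:
        findings["verdict"] = "allow"
    return findings
```

Run `analyze_message(SAMPLE_LURE)` and `analyze_message(SAMPLE_BENIGN)` to compare the two verdicts; the benign invitation keeps the recruiter wording but stays on the sender’s domain and links to no package.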
AppLite Banker Trojan: A Deep Dive
The AppLite banker trojan is a new variant of the Antidot banking trojan. This version, like most Android trojans, is designed to steal user credentials and relay the information back to a command-and-control (C&C) server. When a user opens a targeted application, the malware requests a convincing server-controlled fake login form that allows for the harvesting of login credentials. The zLabs team identified 172 targeted applications, including financial and social media platforms, that can be mimicked by this malware.
AppLite’s distinctive capability is its interaction with the device’s lock screen: it can steal the device’s unlock pattern, PIN, or password, which lets the malware unlock the device without any user interaction. Using the C&C server, the attackers can download software and upload data while the device is idle. It also uses better obfuscation techniques than its predecessor.
AppLite, according to Stephen Kowski, Field CTO at SlashNext, is an example of a trend from threat actors to deploy sophisticated mobile banking trojans that can easily steal credentials and compromise personal data. Cybercriminals are evolving and adapting to exploit new attack surfaces.
Indicators of compromise (IoCs) and a mapping of the malware’s behavior to the MITRE ATT&CK framework have been compiled by Zimperium to give cybersecurity teams the details they need to detect and address AppLite.
Dangers and Defenses
The ability to stealthily steal login credentials, especially for banking applications, makes AppLite a very dangerous piece of malware. Once the device is infected, it can cause considerable damage to the victim and the company that is being spoofed. The theft of financial login information can lead to fraudulent transactions and monetary theft. The financial organization targeted by AppLite suffers from the loss of customer trust, and negative media coverage could result in customer loss. The organization also needs to manage incident response and support customers.
AppLite targets mobile devices because phishing has a much higher chance of success there. Kowski explains that users are four times more likely to click on malicious emails on mobile devices than on desktops. He also states that the click rate on malicious emails is higher late at night or very early in the morning, when people are less vigilant; attackers are aware of this and time their email campaigns to exploit it.
There are technical and non-technical actions people and organizations can take to defend themselves against AppLite. On the technology side, devices should be updated regularly, have mobile antivirus and endpoint security tools, utilize two-factor authentication (2FA), and perform email filtering to block phishing emails.
For advanced protection, organizations should turn to Mobile Threat Defense (MTD) tools. These dedicated mobile security tools detect, prevent, and remediate sophisticated mobile cyberattacks. They use a variety of techniques at the device, network, and application level, allowing for real-time visibility and response to threats. AppLite’s credential-stealing capabilities can be addressed with Runtime Application Self-Protection (RASP). RASP is built into or linked to an application and can control that application’s execution. One feature of RASP products is that they can safeguard account credentials against theft on end-user devices.
The human side of security requires awareness and vigilance. The co-founder and CEO at Hoxhunt, Mike Aalto, suggests that organizations need to tackle the growing sophistication of mobile phishing attacks with a Human Risk Management (HRM) platform: “HRM platforms offer greater visibility into threats bypassing technical filters by leveraging human threat intelligence to enhance incident response. When a new attack is reported by an employee, the HRM platform learns to automatically find future similar attacks. By integrating HRM, organizations can create a more resilient security culture where users become active defenders against mobile phishing attacks/smishing.”
Staying Safe in a Digitally Connected World
There are considerable dangers on the web, with AppLite being just one example. However, it is possible to stay safe online. Jason Soroko reminds us that much of it requires individuals to remain vigilant about any unsolicited offers, including job offers, and to always verify the legitimacy of a link before clicking on it. Organizations can also support users with public awareness campaigns and by deploying security features such as 2FA, MTD, and RASP.
It is up to everyone to remain vigilant to the threats around us and this requires knowledge. Researchers, such as those at Zimperium’s zLabs, provide the details of the threats that allow people to understand and detect the active threats to our online safety.