
Banking Trojans Targeting Android Users Disguise as Government and Trusted Payment Apps

Since August 2024, a financially motivated threat group has been targeting Android users in Indonesia and Vietnam with banking trojans disguised as official government identity and payment applications.

By employing elaborate download mechanisms, reusing infrastructure, and leveraging template-based spoofed sites, the operators have used a coordinated campaign to evade detection and steal user credentials.

The campaign was first uncovered when researchers noticed suspicious HTML elements on spoofed Google Play Store pages, including strings like “VfPpkd-jY41G-V67aGc” that indicated cloned storefronts.

One domain, icrossingappxyz[.]com, presented fake “Download on Google Play” and “Download on App Store” buttons.

The Apple link was nonfunctional, while clicking the Android button initiated an on-page progress bar powered by a Socket.IO wrapper—highly unusual for legitimate download pages.

Behind the scenes, the page opened a WebSocket connection. On “startDownload,” the server streamed the .apk file in multiple chunks via socket.emit and socket.on events.

As each chunk arrived, JavaScript updated the progress bar, simulating a native download process. Upon “downloadComplete,” the script concatenated all chunks, created a blob URL with MIME type application/vnd.android.package-archive, generated an invisible anchor element, and programmatically clicked it to trigger the browser’s file-download prompt.

This method bypassed network security filters that block direct .apk links and evaded automated scanners looking for static malicious URLs.
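The delivery pattern above leaves static fingerprints in the page itself: the cloned storefront class string, the Socket.IO event names that drive the chunked transfer, the APK MIME type assigned to the reassembled blob, and the blob-URL-plus-hidden-anchor hand-off that triggers the browser download. The following scanner is an added example written for this article, not code from the researchers or the campaign; it scores a fetched HTML document against those indicators. The sample pages, indicator weights and function names are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up: the cloned Play Store markup class, the
# Socket.IO event names driving the chunked transfer, and the MIME type the
# page script assigns to the reassembled blob. The weights are an assumption.
CLONED_STORE_MARKERS = ("VfPpkd-jY41G-V67aGc",)
SOCKET_EVENTS = ("startDownload", "downloadComplete")
APK_MIME = "application/vnd.android.package-archive"


@dataclass(frozen=True)
class Finding:
    indicator: str
    weight: int
    evidence: str


def scan_page(html: str) -> list[Finding]:
    """Return the delivery-page indicators present in one HTML document."""
    findings = []
    for marker in CLONED_STORE_MARKERS:
        if marker in html:
            findings.append(Finding("cloned_play_store_markup", 2, marker))
    # Only count the event names when a Socket.IO client is loaded or
    # instantiated, so the bare words in unrelated scripts do not fire.
    if re.search(r"socket\.io|\bio\s*\(", html):
        for event in SOCKET_EVENTS:
            pattern = rf"""socket\.(?:on|emit)\s*\(\s*['"]{re.escape(event)}['"]"""
            if re.search(pattern, html):
                findings.append(Finding("socketio_transfer_event", 2, event))
    if APK_MIME in html:
        findings.append(Finding("apk_blob_mime_type", 3, APK_MIME))
    # Blob URL + dynamically created anchor + programmatic click is the
    # hand-off that turns streamed chunks into a browser file download.
    if (re.search(r"URL\.createObjectURL\s*\(", html)
            and re.search(r"""createElement\s*\(\s*['"]a['"]\s*\)""", html)
            and re.search(r"\.click\s*\(\s*\)", html)):
        findings.append(Finding("programmatic_blob_download", 3,
                                "createObjectURL + created anchor + click()"))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)


# Constructed page modelled on the delivery flow described in the article.
SUSPICIOUS_PAGE = """
<html><body>
<div class="VfPpkd-jY41G-V67aGc">Install</div>
<button id="android-btn">Download on Google Play</button>
<script src="/socket.io/socket.io.js"></script>
<script>
const socket = io();
const chunks = [];
document.getElementById('android-btn').onclick = () => socket.emit('startDownload');
socket.on('chunk', (data) => { chunks.push(data); });
socket.on('downloadComplete', () => {
  const blob = new Blob(chunks, {type: 'application/vnd.android.package-archive'});
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'IdentitasKependudukanDigital.apk';
  a.style.display = 'none';
  document.body.appendChild(a);
  a.click();
});
</script>
</body></html>
"""

# Constructed ordinary page with a direct link and no streaming logic.
BENIGN_PAGE = """
<html><body>
<a href="/downloads/app.apk">Download APK</a>
<script>console.log("ready");</script>
</body></html>
"""


if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        found = scan_page(page)
        print(f"{name}: score={risk_score(found)}")
        for f in found:
            print(f"  {f.indicator:<28} {f.evidence}")
```

Because the APK never appears as a URL on the wire, URL-based blocking sees nothing; scanning the page source (or a proxy's cached copy of it) for the reassembly logic is what catches this variant, and the score lets a crawler rank pages for analyst review rather than flag on a single string.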

When users finally received the file—often named IdentitasKependudukanDigital.apk—they saw standard download warnings.

Analysis revealed the payload as a variant of BankBot.Remo, a trojan whose leaked source code in 2016 spawned numerous offshoots.

Template-Based Spoofed Apps

Alongside the sophisticated WebSocket delivery, operators deployed simpler spoofed sites imitating popular regional apps, such as an M-Pajak tax-payment clone hosted on twmlwcs[.]cc.

This site used direct download links to M-Pajak.apk, whose SHA-256 hash (e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d) identified another BankBot loader.

The HTML contained a mix of Thai, Vietnamese, Portuguese, and Indonesian language strings, indicating a generic template reused without localization logic—evidence of less sophisticated sub-operators.

Further variants were stored in open directory listings on domains like dgpyynxzb[.]com and ykkadm[.]icu.

These indexes revealed dozens of APKs masquerading as legitimate banking apps—BCA.apk, Livin.apk, OCBCmobileid_02202025AC.apk, and many more—each with unique SHA-256 hashes but all loading BankBot variants configured to contact C2 domains such as saping.ynhqhu[.]com and admin.congdichvucongdancuquocgia[.]cc.

Operational Patterns Reveal Regional Focus

Over the past year, researchers identified more than 100 domains linked to this campaign. Analysis of DNS and registration metadata showed a consistent footprint: most domains used Alibaba ISP, Gname.com Pte. Ltd. as registrar, and share-dns[.]net or Cloudflare nameservers.

TLS certificates were frequently reused across pairs of domains, and multiple domains resolved to the same IP addresses spread across Singapore and Indonesia, hinting at clustered hosting infrastructure.

Temporal analysis of domain registration and first-seen DNS queries produced nearly identical heatmaps, with an average 10.5-hour lag between registration and active resolution.

Both activities peaked during Eastern Asia daytime hours (UTC+7 to UTC+9), aligning with the operators’ focus on Indonesian and Vietnamese victims and suggesting the group’s local or regional presence.
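The infrastructure analysis in this section (registration-to-resolution lag, hour-of-day activity in the operators' time zone, shared IPs, and a dominant registrar/nameserver footprint) can be reproduced over a domain inventory with a short script. The one below is an added example for this article, not the researchers' tooling; the six records, their timestamps and IPs are constructed and do not correspond to real campaign domains, and the UTC+8 local offset is assumed as the midpoint of the UTC+7 to UTC+9 window cited above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records (not real campaign data). Timestamps are UTC;
# registrar, nameserver and IP fields mirror the footprint described in the
# write-up. IPs are taken from documentation ranges.
RECORDS = [
    {"domain": "app-a[.]com", "registered": "2024-09-01T22:00:00Z",
     "first_seen": "2024-09-02T08:30:00Z", "registrar": "Gname.com Pte. Ltd.",
     "ns": "share-dns[.]net", "ip": "203.0.113.10"},
    {"domain": "app-b[.]cc", "registered": "2024-09-02T23:00:00Z",
     "first_seen": "2024-09-03T07:00:00Z", "registrar": "Gname.com Pte. Ltd.",
     "ns": "share-dns[.]net", "ip": "203.0.113.10"},
    {"domain": "app-c[.]com", "registered": "2024-09-03T00:00:00Z",
     "first_seen": "2024-09-03T12:00:00Z", "registrar": "Gname.com Pte. Ltd.",
     "ns": "cloudflare", "ip": "203.0.113.20"},
    {"domain": "app-d[.]icu", "registered": "2024-09-03T01:00:00Z",
     "first_seen": "2024-09-03T12:00:00Z", "registrar": "Gname.com Pte. Ltd.",
     "ns": "share-dns[.]net", "ip": "203.0.113.20"},
    {"domain": "app-e[.]com", "registered": "2024-09-04T00:30:00Z",
     "first_seen": "2024-09-04T10:00:00Z", "registrar": "Other Registrar",
     "ns": "cloudflare", "ip": "198.51.100.5"},
    {"domain": "app-f[.]cc", "registered": "2024-09-05T23:00:00Z",
     "first_seen": "2024-09-06T11:00:00Z", "registrar": "Gname.com Pte. Ltd.",
     "ns": "share-dns[.]net", "ip": "198.51.100.6"},
]

LOCAL_OFFSET_HOURS = 8  # assumed midpoint of the UTC+7..UTC+9 window


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp. fromisoformat() only accepts a
    trailing 'Z' from Python 3.11, so rewrite it to an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lag_hours(records) -> dict[str, float]:
    """Hours between registration and the first observed DNS resolution."""
    return {
        r["domain"]: (parse_ts(r["first_seen"]) - parse_ts(r["registered"])).total_seconds() / 3600
        for r in records
    }


def mean_lag(records) -> float:
    return mean(lag_hours(records).values())


def hourly_activity(records, field: str, offset_hours: int = LOCAL_OFFSET_HOURS) -> Counter:
    """Count events by local hour of day after shifting UTC by offset_hours."""
    shift = timedelta(hours=offset_hours)
    return Counter((parse_ts(r[field]) + shift).hour for r in records)


def shared_ip_clusters(records) -> dict[str, list[str]]:
    """Group domains that resolve to the same IP; singletons are dropped."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["domain"])
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def dominant_share(records, field: str) -> tuple[str, float]:
    """Most common value of a field and the fraction of records carrying it."""
    value, count = Counter(r[field] for r in records).most_common(1)[0]
    return value, count / len(records)


if __name__ == "__main__":
    print(f"mean registration->resolution lag: {mean_lag(RECORDS):.1f} h")
    for field in ("registered", "first_seen"):
        hist = hourly_activity(RECORDS, field)
        print(f"{field} by local hour (UTC+{LOCAL_OFFSET_HOURS}):",
              dict(sorted(hist.items())))
    print("shared-IP clusters:", shared_ip_clusters(RECORDS))
    for field in ("registrar", "ns"):
        value, share = dominant_share(RECORDS, field)
        print(f"dominant {field}: {value} ({share:.0%})")
```

The two histograms are the data behind the "nearly identical heatmaps" observation: when registration and first resolution are both concentrated in the same local working hours, and the lag between them is short and consistent, the domains were almost certainly set up by one operator on one schedule rather than acquired piecemeal.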

This campaign underscores how threat actors combine advanced obfuscation techniques—WebSocket-based chunked downloads—and mass-template spoofing to bypass security controls and trick users into sideloading malware.

Despite these tactics, modern browsers’ download warnings provide critical detection; however, end users must remain vigilant.

The campaign’s consistent use of Alibaba ISP, Gname registrar, and share-dns[.]net nameservers offers defenders distinct indicators of compromise.

Organizations should block known C2 domains, monitor unusual WebSocket traffic on public-facing sites, and educate users on verifying official app sources to mitigate the risk posed by these banking trojans.
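Blocking the named C2 and delivery domains starts with turning the defanged indicators above into a matcher that handles the cases resolver logs actually produce: subdomains of a listed domain, trailing dots, and lookalike names that merely end in the same characters. The script below is an added example for this article and is not tooling from the researchers; the DNS log lines and their format are constructed (adapt LOG_RE to the resolver in use), while the domains come from the write-up.

```python
import re
from collections import Counter
from typing import Optional

# Defanged C2 and delivery domains named in the write-up, refanged only
# for matching against query names.
C2_DOMAINS = ["saping.ynhqhu[.]com", "admin.congdichvucongdancuquocgia[.]cc"]
DELIVERY_DOMAINS = ["icrossingappxyz[.]com", "twmlwcs[.]cc",
                    "dgpyynxzb[.]com", "ykkadm[.]icu"]

# Constructed DNS log lines in an assumed "ts client src query type name"
# format. They deliberately include a subdomain, a trailing dot, a
# lookalike suffix and a parent domain of a listed indicator.
LOG_LINES = [
    "2025-03-01T08:12:03Z client 10.0.0.15 query A www.saping.ynhqhu.com",
    "2025-03-01T08:12:09Z client 10.0.0.15 query A play.google.com",
    "2025-03-01T08:13:41Z client 10.0.0.22 query A admin.congdichvucongdancuquocgia.cc",
    "2025-03-01T08:14:00Z client 10.0.0.22 query A notdgpyynxzb.com",
    "2025-03-01T08:15:27Z client 10.0.0.31 query AAAA cdn.ykkadm.icu.",
    "2025-03-01T08:16:02Z client 10.0.0.31 query A ynhqhu.com",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def refang(domain: str) -> str:
    """Normalise an indicator or query name: undo [.] defanging, lower-case,
    and drop the trailing root dot some resolvers log."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def build_blocklist(*groups) -> set[str]:
    return {refang(d) for group in groups for d in group}


BLOCKLIST = build_blocklist(C2_DOMAINS, DELIVERY_DOMAINS)


def matched_indicator(qname: str, blocklist: set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or sits beneath.
    Matching walks whole labels, so notdgpyynxzb.com does not hit
    dgpyynxzb.com, and the parent ynhqhu.com does not hit its listed child."""
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(lines, blocklist: set[str]) -> list[dict]:
    """Parse log lines and return one hit record per query that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        indicator = matched_indicator(m["qname"], blocklist)
        if indicator:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "qname": m["qname"], "indicator": indicator})
    return hits


def hits_by_source(hits) -> Counter:
    """Which internal clients resolved campaign infrastructure, and how often."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_dns_log(LOG_LINES, BLOCKLIST)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['qname']} (matches {h['indicator']})")
    print("clients to triage:", dict(hits_by_source(found)))
```

The same normalised blocklist can feed a resolver's response-policy zone or a proxy deny list; the label-wise matching matters because a naive substring or endswith check would both miss trailing-dot queries and raise false positives on unrelated domains that happen to share a suffix.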
