Recent research from ThreatFabric shows that malicious actors are using voice phishing (vishing) techniques to trick users into downloading Android malware on their devices. The Dutch mobile security firm claimed to have discovered a network of phishing websites that prey on Italians using online banking to gather their contact information.
The social engineering approach known as telephone-oriented attack delivery (TOAD) involves calling the victims using the information already harvested from the fraudulent websites. During the call, the operator, posing as a bank support representative, instructs the victim to install a "security" app and grant it extensive permissions; in reality it is malicious software built to obtain remote access or commit financial fraud.
In this instance, the call results in the installation of Copybara, an Android malware that was first identified in November 2021 and is mainly used to carry out on-device fraud against Italian banking customers. Copybara has previously been confused with another malware family called BRATA. ThreatFabric determined that the TOAD-based campaigns started around the same time, indicating the activity has been going on for about a year.
Copybara’s RAT capabilities, like those of other Android banking malware, rely on abusing the operating system’s accessibility services API to capture private data and even to remove the downloader app in order to reduce its forensic footprint. The threat actor’s infrastructure has also been found distributing a second piece of malware, SMS Spy, which gives the adversary access to all incoming SMS messages and lets them capture one-time passwords (OTPs) sent by banks.
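Because the capabilities described above depend on an app being enabled as an accessibility service, a quick triage on a device is to list which packages hold such bindings and flag any that are not expected. The following is an added defender-side example, not code from ThreatFabric or from the malware itself; it assumes a device reachable over adb, and the allowlist and the sample setting value are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit Android accessibility-service bindings, the mechanism
# Copybara-style malware abuses for remote control and data capture.
# Assumptions: adb is available for live use; EXPECTED_A11Y is a hypothetical
# allowlist that an organisation would replace with its own approved apps.

# Packages expected to be bound as accessibility services (illustrative only).
EXPECTED_A11Y="com.google.android.marvin.talkback com.android.talkback"

# Split the `enabled_accessibility_services` secure setting, a colon-separated
# list of "package/ServiceClass" entries, into one package name per line.
# A value of "null" (nothing enabled) contains no slash and yields no output.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#/.*##p' | sort -u
}

# Print the packages bound as accessibility services that are not allowlisted;
# each of these deserves a closer look (install source, requested permissions).
unexpected_a11y() {
    for pkg in $(a11y_packages "$1"); do
        case " $EXPECTED_A11Y " in
            *" $pkg "*) ;;               # expected, nothing to report
            *) printf '%s\n' "$pkg" ;;   # unexpected binding, review it
        esac
    done
}

# Constructed sample of the setting's value: TalkBack plus an unknown
# third-party "helper" that a sideloaded app could have asked the user to enable.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.helper/.AccessService'

# Live use: read the real value from a connected device; otherwise demonstrate
# the check on the constructed sample.
if command -v adb >/dev/null 2>&1; then
    LIVE=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    unexpected_a11y "$LIVE"
else
    unexpected_a11y "$SAMPLE"
fi
```

On the sample value the script reports only `com.example.helper`; on a real device, pair the result with the app's install source and its granted SMS permissions before deciding whether it is legitimate.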
The recent surge of such hybrid fraud attacks shows that scammers can now run convincing Android malware campaigns without relying on established delivery techniques such as Google Play Store droppers, fake advertisements, and smishing. “Such attacks require more resources on [threat actors’] side and are more sophisticated to perform and maintain,” ThreatFabric’s Mobile Threat Intelligence (MTI) team said.
This is not the first time TOAD methods have been used to deliver banking malware. Last month, MalwareHunterTeam described a similar attempt to install a data stealer disguised as a credit card rewards program on customers of India’s Axis Bank.