A financially motivated cybercrime group has spent the past year targeting Android users in Indonesia and Vietnam with banking trojans disguised as legitimate government identity and payment applications. The operation spoofs Google Play Store and App Store interfaces and delivers the malicious APKs over obfuscated WebSocket connections, sidestepping network controls and automated scanners that look for conventional file downloads.
Analysis of over 100 malicious domains reveals a consistent operational pattern: hosting on Alibaba, domain registration through Gname.com, and share-dns.net nameservers. Notably, newly registered domains go from registration to active DNS resolution quickly, with an average lag of about 10.5 hours, and registrations cluster in daytime hours in Eastern Asia.
Sophisticated WebSocket-Based Delivery
The hallmark of this group’s delivery mechanism lies in its use of the Socket.IO library, which facilitates real-time, bidirectional WebSocket connections instead of relying on straightforward HTTP downloads. For instance, on sites like icrossingappxyz[.]com, users encounter fake download buttons for Google Play and App Store. When the Android icon is clicked, it triggers a socket.emit('startDownload',…) event, prompting the server to stream the malicious APK in small chunks via socket.on('chunk',…) handlers. Throughout this process, an on-page progress bar is updated using downloadProgress messages.
Upon completion of the download, the script aggregates the chunks in memory, sets the MIME type to application/vnd.android.package-archive, and programmatically clicks a hidden anchor element to trigger the browser's download dialog. Because the APK never appears as a direct URL, this method circumvents firewalls configured to block .apk downloads and thwarts static crawlers that scan pages for malicious links.
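The delivery sequence above can be detected on the wire rather than by URL filtering. The following is an added example, not code from the report or the campaign, that reassembles Socket.IO event frames from a captured WebSocket session and classifies the result. It assumes the chunk payload travels as base64 in a `data` field and that the server signals the end of the stream with a `downloadComplete` event; both are assumptions, since the report names only the `startDownload`, `chunk` and `downloadProgress` events. The sample session is constructed in-memory from a tiny APK-shaped ZIP so the script runs offline.

```python
import base64
import io
import json
import re
import zipfile

# Socket.IO event frames as they appear inside WebSocket text messages:
# Engine.IO type 4 (message) + Socket.IO type 2 (event), optional namespace
# and ack id, then a JSON array whose first element is the event name.
EVENT_FRAME = re.compile(r"^42(?:/[^,]*,)?(?:\d+)?(\[.*\])$", re.DOTALL)

ZIP_MAGIC = b"PK\x03\x04"                      # local file header of a ZIP/APK
APK_MARKERS = (b"AndroidManifest.xml", b"classes.dex")


def parse_event(frame: str):
    """Return (event_name, args) for a Socket.IO event frame, else None."""
    m = EVENT_FRAME.match(frame)
    if not m:
        return None
    try:
        payload = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, list) or not payload or not isinstance(payload[0], str):
        return None
    return payload[0], payload[1:]


def reassemble(frames):
    """Walk one session's frames; return (event names, joined bytes, completed)."""
    events, chunks, completed = [], [], False
    for frame in frames:
        parsed = parse_event(frame)
        if parsed is None:
            continue
        name, args = parsed
        events.append(name)
        if name == "chunk" and args and isinstance(args[0], dict) and "data" in args[0]:
            chunks.append(base64.b64decode(args[0]["data"]))   # assumed payload shape
        elif name == "downloadComplete":                      # assumed event name
            completed = True
    return events, b"".join(chunks), completed


def classify(frames):
    """Flag a session that streams a ZIP/APK through Socket.IO events."""
    events, blob, done = reassemble(frames)
    findings = []
    if "startDownload" in events and events.count("chunk") > 0:
        findings.append("chunked transfer over Socket.IO events")
    if blob.startswith(ZIP_MAGIC):
        findings.append("reassembled payload is a ZIP container")
        if any(marker in blob for marker in APK_MARKERS):
            findings.append("ZIP carries Android package members (APK)")
    return {"events": events, "size": len(blob), "complete": done, "findings": findings}


def build_sample_session(chunk_size=64):
    """Constructed traffic: a tiny APK-shaped ZIP streamed as 'chunk' events."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    apk = buf.getvalue()
    frames = ['42["startDownload",{"name":"IdentitasKependudukanDigital.apk"}]']
    for i in range(0, len(apk), chunk_size):
        piece = apk[i:i + chunk_size]
        frames.append('42["chunk",' + json.dumps({"data": base64.b64encode(piece).decode()}) + "]")
        pct = round(100 * min(i + chunk_size, len(apk)) / len(apk))
        frames.append('42["downloadProgress",' + json.dumps({"pct": pct}) + "]")
    frames.append('42["downloadComplete",{}]')
    return frames, apk


if __name__ == "__main__":
    sample_frames, _ = build_sample_session()
    print(classify(sample_frames))
```

In a real deployment the frames would come from a TLS-terminating proxy or an endpoint hook on the browser's WebSocket API; the point of the check is that the ZIP magic and the APK member names are visible once the chunks are joined, regardless of how the page names its events.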
The downloaded file, often named IdentitasKependudukanDigital.apk (SHA-256: 1f9253092c5a2abdb7bc3d93fccad85f23ce5bfde38377c792a242f045afcdb5), installs a variant of the BankBot trojan family, whose source code was first leaked in 2016. Some browsers flag the unusual download and show a security warning, but many users proceed without realizing what the file is. In contrast, simpler spoofed sites like twmlwcs[.]cc host M-Pajak.apk (SHA-256: e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d) behind direct download links; their page code often mixes Thai, Vietnamese, Portuguese, and Indonesian strings, indicating that less sophisticated actors are working from multilingual templates.
Domain registration data from August 2024 to September 2025 reveals distinctive operational behaviors among these threat actors. They frequently reuse TLS certificates across pairs of domains and cluster numerous spoofed sites on identical IP addresses, predominantly hosted via Alibaba and Scloud. These domains, registered through Gname.com Pte. Ltd. and utilizing share-dns alongside Cloudflare nameservers, often share the server title “Identitas Kependudukan Digital – Apps on Google Play” and operate on Nginx.
First-seen DNS queries closely mirror domain registration times, typically exhibiting an average lag of 10.5 hours, indicating a rapid deployment strategy. Open directory listings on domains such as dgpyynxzb[.]com and ykkadm[.]ICU host multiple APK variants ranging from BRI-JR to OCBCmobileid, with each file accompanied by its SHA-256 hash.
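The registration, nameserver, hosting and certificate patterns described above are each weak on their own but useful in combination. The following added example, which is not code from the report, scores domain records against those indicators: registrar, share-dns nameservers, the spoofed Play Store page title, a short registration-to-first-DNS lag, and sharing an IP address or TLS certificate with another record. The records are constructed (placeholder domains, RFC 5737 addresses, fake certificate fingerprints and invented timestamps) so the script runs offline; the 24-hour lag threshold is an assumption chosen to sit above the reported 10.5-hour average.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample records (not from the report). Field names are this example's own.
RECORDS = [
    {"domain": "fake-id-app-1[.]com", "registrar": "Gname.com Pte. Ltd.", "ns": "share-dns.net",
     "ip": "203.0.113.10", "cert": "CERT-AAAA", "title": "Identitas Kependudukan Digital - Apps on Google Play",
     "registered": "2025-03-02T01:00:00Z", "first_dns": "2025-03-02T11:30:00Z"},   # lag 10.5 h
    {"domain": "fake-id-app-2[.]com", "registrar": "Gname.com Pte. Ltd.", "ns": "share-dns.net",
     "ip": "203.0.113.10", "cert": "CERT-AAAA", "title": "Identitas Kependudukan Digital - Apps on Google Play",
     "registered": "2025-03-02T02:00:00Z", "first_dns": "2025-03-02T10:00:00Z"},   # lag 8 h
    {"domain": "fake-pay-app[.]cc", "registrar": "Gname.com Pte. Ltd.", "ns": "cloudflare.com",
     "ip": "203.0.113.11", "cert": "CERT-BBBB", "title": "M-Pajak",
     "registered": "2025-03-03T00:00:00Z", "first_dns": "2025-03-03T12:00:00Z"},   # lag 12 h
    {"domain": "fake-bank-app[.]xyz", "registrar": "Gname.com Pte. Ltd.", "ns": "share-dns.net",
     "ip": "203.0.113.11", "cert": "CERT-BBBB", "title": "Identitas Kependudukan Digital - Apps on Google Play",
     "registered": "2025-03-03T01:00:00Z", "first_dns": "2025-03-03T12:00:00Z"},   # lag 11 h
    {"domain": "corp-site[.]example", "registrar": "Other Registrar", "ns": "ns1.example",
     "ip": "198.51.100.5", "cert": "CERT-CCCC", "title": "Example Corp",
     "registered": "2025-01-01T00:00:00Z", "first_dns": "2025-01-13T12:00:00Z"},   # lag 300 h
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def lag_hours(rec):
    """Hours between domain registration and the first observed DNS query."""
    return (parse_ts(rec["first_dns"]) - parse_ts(rec["registered"])).total_seconds() / 3600


def mean_lag(records):
    return mean(lag_hours(r) for r in records)


def clusters(records, field):
    """Map each shared value of `field` (e.g. 'ip', 'cert') to the domains using it."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["domain"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def indicators(rec, records, lag_threshold_hours=24.0):
    """List the campaign indicators a single record matches."""
    hits = []
    if rec["registrar"].startswith("Gname.com"):
        hits.append("registrar:gname")
    if rec["ns"] == "share-dns.net":               # Cloudflare alone is too common to count
        hits.append("ns:share-dns")
    if "Apps on Google Play" in rec["title"]:       # spoofed store listing used as page title
        hits.append("title:spoofed-play-listing")
    if lag_hours(rec) <= lag_threshold_hours:
        hits.append("fast-dns-activation")
    for field in ("ip", "cert"):
        if rec["domain"] in clusters(records, field).get(rec[field], []):
            hits.append(f"shared-{field}")
    return hits


def triage(records, min_hits=4):
    """Return {domain: indicators} for records matching at least `min_hits` indicators."""
    flagged = {}
    for r in records:
        hits = indicators(r, records)
        if len(hits) >= min_hits:
            flagged[r["domain"]] = hits
    return flagged


if __name__ == "__main__":
    for domain, hits in triage(RECORDS).items():
        print(domain, hits)
```

Treating the indicators as a combined score rather than individual blocklist rules keeps false positives down: a legitimate site may well use Gname.com or Cloudflare, but it rarely also shares a certificate and an address with a sibling domain that started resolving within hours of registration and presents a Play Store listing as its title.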
Infected devices communicate with command and control (C2) domains like saping.ynhqhu[.]com and admin.congdichvucongdancuquocgia[.]cc, further evidence of a well-coordinated infrastructure. The campaign underscores the need for behavioral detection and real-time traffic inspection that can identify anomalous WebSocket file transfers. End-user warnings remain an essential defense layer, but network defenders must also monitor TLS certificate reuse, DNS registration patterns, and IP clustering to disrupt these operations effectively.