Since August 2024, a financially motivated threat group has been actively targeting Android users in Indonesia and Vietnam, deploying banking trojans disguised as legitimate government identity and payment applications. This coordinated campaign employs intricate download mechanisms, reuses existing infrastructure, and utilizes template-based spoofed sites to evade detection while stealing user credentials.
Researchers first uncovered this campaign when they detected suspicious HTML elements on counterfeit Google Play Store pages. Strings such as “VfPpkd-jY41G-V67aGc” indicated the presence of cloned storefronts. One notable domain, icrossingappxyz[.]com, featured deceptive “Download on Google Play” and “Download on App Store” buttons. While the Apple link proved nonfunctional, clicking the Android button initiated an unusual on-page progress bar powered by a Socket.IO wrapper, a method not typically seen on legitimate download pages.
Behind the scenes, the page established a WebSocket connection. Upon the “startDownload” command, the server streamed the .apk file in multiple chunks using socket.emit and socket.on events. As each chunk arrived, JavaScript updated the progress bar, mimicking a native download process. Once the “downloadComplete” event triggered, the script concatenated all chunks, created a blob URL with the MIME type application/vnd.android.package-archive, and programmatically clicked an invisible anchor element to prompt the browser’s file-download dialog. This sophisticated method effectively bypassed network security filters that typically block direct .apk links, evading automated scanners that search for static malicious URLs.
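Because the page never exposes a static `.apk` URL, a URL blocklist sees nothing. What a defender can still inspect is the page's own JavaScript. The following scanner is an added example, not code from the article or from the researchers: it scores inline scripts against the indicators the article describes (a Socket.IO client, the `startDownload` and `downloadComplete` events, chunk assembly into a Blob typed `application/vnd.android.package-archive`, and a programmatic click on a hidden anchor). The weights, the threshold and both sample pages are constructed assumptions; Blob downloads are also used legitimately, so no single indicator is treated as conclusive.

```python
"""Heuristic scanner for the chunked-WebSocket APK delivery pattern.

Added example (not code from the article or the researchers). It looks at the
inline JavaScript of a fetched page for the indicators the article describes.
Weights, threshold and sample pages are constructed for illustration.
"""
import re

# (indicator name, pattern, weight) -- weights are an assumption
INDICATORS = [
    ("socketio_client", re.compile(r"\bio\s*\(|socket\.io", re.I), 1),
    ("download_trigger_event",
     re.compile(r"emit\s*\(\s*['\"]startDownload['\"]"), 2),
    ("download_complete_event",
     re.compile(r"on\s*\(\s*['\"]downloadComplete['\"]"), 2),
    ("apk_mime_blob",
     re.compile(r"new\s+Blob\s*\([^)]*application/vnd\.android\.package-archive"), 3),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 1),
    ("programmatic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("apk_filename", re.compile(r"download\s*=\s*['\"][^'\"]+\.apk['\"]", re.I), 2),
]


def extract_inline_scripts(html: str) -> list[str]:
    """Return the bodies of inline <script> elements. External scripts would
    have to be fetched separately before being scanned the same way."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)


def scan_page(html: str, threshold: int = 6) -> dict:
    """Score a page's inline JavaScript against INDICATORS and flag it when
    the weighted total reaches the (assumed) threshold."""
    text = "\n".join(extract_inline_scripts(html))
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= threshold}


# Constructed page reproducing the client-side behaviour the article describes
SAMPLE_MALICIOUS = """
<button id="android">Download on Google Play</button>
<progress id="bar" max="100" value="0"></progress>
<script src="/socket.io/socket.io.js"></script>
<script>
  const socket = io();
  const chunks = [];
  document.getElementById('android').onclick = () => socket.emit('startDownload');
  socket.on('chunk', (data) => { chunks.push(data); bar.value += 1; });
  socket.on('downloadComplete', () => {
    const blob = new Blob(chunks, { type: 'application/vnd.android.package-archive' });
    const a = document.createElement('a');
    a.href = URL.createObjectURL(blob);
    a.download = 'IdentitasKependudukanDigital.apk';
    a.style.display = 'none';
    document.body.appendChild(a);
    a.click();
  });
</script>
"""

# Constructed benign page: an ordinary link to the real store, no download script
SAMPLE_BENIGN = """
<a href="https://play.google.com/store/apps/details?id=example.app">Get it on Google Play</a>
<script>
  document.getElementById('year').textContent = new Date().getFullYear();
</script>
"""

if __name__ == "__main__":
    for label, page in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_page(page))
```

Run as a post-fetch step in a URL sandbox or web-proxy content inspector: the malicious sample matches all seven indicators (score 12), the benign sample none. The `apk_mime_blob` indicator carries the most weight because assembling an Android package in memory and handing it to the browser is the step that actually replaces the direct download link the filters were looking for.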
When users finally received the file, often named IdentitasKependudukanDigital.apk, they encountered standard download warnings. Further analysis revealed the payload as a variant of BankBot.Remo, a trojan whose leaked source code in 2016 led to numerous offshoots.
Template-Based Spoofed Apps
In addition to the advanced WebSocket delivery method, operators also deployed simpler spoofed sites that imitated popular regional applications. For instance, a clone of the M-Pajak tax-payment app was hosted on twmlwcs[.]cc. This site utilized direct download links to M-Pajak.apk, which was identified as another BankBot loader through its SHA-256 hash (e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d). The HTML of this site contained a mix of Thai, Vietnamese, Portuguese, and Indonesian language strings, suggesting a generic template was reused without proper localization—indicative of less sophisticated sub-operators.
Additional variants were found in open directory listings on domains like dgpyynxzb[.]com and ykkadm[.]icu. These indexes revealed numerous APKs masquerading as legitimate banking applications, including BCA.apk, Livin.apk, and OCBCmobileid_02202025AC.apk. Each APK had unique SHA-256 hashes but all loaded BankBot variants configured to contact command and control (C2) domains such as saping.ynhqhu[.]com and admin.congdichvucongdancuquocgia[.]cc.
Operational Patterns Reveal Regional Focus
Over the past year, researchers have identified more than 100 domains associated with this campaign. An analysis of DNS and registration metadata revealed a consistent operational footprint: most domains utilized Alibaba ISP, with Gname.com Pte. Ltd. serving as the registrar, and nameservers from share-dns[.]net or Cloudflare. The frequent reuse of TLS certificates across pairs of domains, along with multiple domains resolving to the same IP addresses located in Singapore and Indonesia, suggests a clustered hosting infrastructure.
Temporal analysis of domain registration and first-seen DNS queries produced nearly identical heatmaps, revealing an average lag of 10.5 hours between registration and active resolution. Both activities peaked during Eastern Asia daytime hours (UTC+7 to UTC+9), aligning with the operators’ focus on Indonesian and Vietnamese victims, indicating a likely local or regional presence.
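The infrastructure profile in the two paragraphs above (registrar, ISP, nameservers, shared IPs and certificates, and the registration-to-resolution lag) can be turned into a small triage routine for newly observed domains. The script below is an added example, not the researchers' tooling: it checks each record against the profile the article gives, clusters domains that share an IP or TLS certificate fingerprint, computes the mean lag between registration and first-seen DNS resolution, and builds an hour-of-day histogram in a chosen local time zone. The records, domain names, IPs and certificate fingerprints are constructed placeholders; the lag values are chosen so the mean comes out at the article's 10.5 hours.

```python
"""Infrastructure-profile triage for newly observed domains.

Added example, not the researchers' code. Records below are constructed
placeholders; profile values (registrar, ISP, nameservers) come from the article.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Profile reported for the campaign (lower-cased for comparison)
PROFILE_REGISTRARS = {"gname.com pte. ltd."}
PROFILE_ISPS = {"alibaba"}
PROFILE_NS_SUFFIXES = ("share-dns.net", "cloudflare.com")

# Constructed sample records (timestamps in UTC, ISO-8601 with trailing Z)
RECORDS = [
    {"domain": "spoof-a.example", "registrar": "Gname.com Pte. Ltd.", "isp": "Alibaba",
     "ns": "ns1.share-dns.net", "ip": "203.0.113.10", "cert": "fp-1",
     "registered": "2025-03-01T00:00:00Z", "first_seen": "2025-03-01T10:30:00Z"},
    {"domain": "spoof-b.example", "registrar": "Gname.com Pte. Ltd.", "isp": "Alibaba",
     "ns": "ns2.share-dns.net", "ip": "203.0.113.10", "cert": "fp-2",
     "registered": "2025-03-02T01:00:00Z", "first_seen": "2025-03-02T09:00:00Z"},
    {"domain": "spoof-c.example", "registrar": "Gname.com Pte. Ltd.", "isp": "Alibaba",
     "ns": "ns1.share-dns.net", "ip": "203.0.113.11", "cert": "fp-2",
     "registered": "2025-03-02T20:00:00Z", "first_seen": "2025-03-03T09:00:00Z"},
    {"domain": "spoof-d.example", "registrar": "Gname.com Pte. Ltd.", "isp": "Alibaba",
     "ns": "ada.ns.cloudflare.com", "ip": "203.0.113.20", "cert": "fp-3",
     "registered": "2025-03-04T23:30:00Z", "first_seen": "2025-03-05T10:00:00Z"},
    {"domain": "unrelated.example", "registrar": "Other Registrar Inc.", "isp": "Alibaba",
     "ns": "ns1.other-dns.example", "ip": "198.51.100.5", "cert": "fp-9",
     "registered": "2025-03-06T00:30:00Z", "first_seen": "2025-03-06T11:00:00Z"},
]


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_campaign_profile(rec: dict) -> bool:
    """True when registrar, ISP and nameserver all fit the reported profile."""
    return (rec["registrar"].lower() in PROFILE_REGISTRARS
            and rec["isp"].lower() in PROFILE_ISPS
            and rec["ns"].lower().endswith(PROFILE_NS_SUFFIXES))


def cluster_shared_infrastructure(records: list[dict]) -> list[set]:
    """Union-find over domains that share an IP or a certificate fingerprint,
    so A-B (same IP) and B-C (same cert) land in one cluster. Largest first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_owner = {}  # (attribute, value) -> first domain seen with it
    for r in records:
        for key in ("ip", "cert"):
            tag = (key, r[key])
            if tag in first_owner:
                parent[find(r["domain"])] = find(first_owner[tag])
            else:
                first_owner[tag] = r["domain"]
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=len, reverse=True)


def mean_registration_lag_hours(records: list[dict]) -> float:
    """Mean hours between registration and first observed DNS resolution."""
    lags = [(parse_utc(r["first_seen"]) - parse_utc(r["registered"])).total_seconds() / 3600
            for r in records]
    return sum(lags) / len(lags)


def first_seen_hour_histogram(records: list[dict], utc_offset_hours: int = 7) -> Counter:
    """Count first-seen events per local hour (default UTC+7, western Indonesia/Vietnam)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(parse_utc(r["first_seen"]).astimezone(tz).hour for r in records)


def daytime_fraction(hist: Counter, start_hour: int = 8, end_hour: int = 19) -> float:
    """Share of events whose local hour falls in [start_hour, end_hour)."""
    total = sum(hist.values())
    return sum(c for h, c in hist.items() if start_hour <= h < end_hour) / total


if __name__ == "__main__":
    print("profile matches:", [r["domain"] for r in RECORDS if matches_campaign_profile(r)])
    print("clusters:", cluster_shared_infrastructure(RECORDS))
    print("mean lag (h):", mean_registration_lag_hours(RECORDS))
    hist = first_seen_hour_histogram(RECORDS)
    print("local-hour histogram:", dict(hist), "daytime share:", daytime_fraction(hist))
```

The union-find step is what makes certificate reuse useful: two domains that never share an IP still join the same cluster when each shares a certificate with a third. On the constructed data the three matching domains `spoof-a`, `spoof-b` and `spoof-c` collapse into one cluster, the mean lag is 10.5 hours, and every first-seen event lands in local daytime.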
This campaign exemplifies how threat actors combine advanced obfuscation techniques, such as WebSocket-based chunked downloads, with mass-template spoofing to circumvent security controls and deceive users into sideloading malware. Despite these tactics, modern browsers’ download warnings remain a critical detection mechanism; however, end users must exercise vigilance. The campaign’s consistent use of Alibaba ISP, Gname registrar, and share-dns[.]net nameservers provides defenders with distinct indicators of compromise. Organizations are advised to block known C2 domains, monitor unusual WebSocket traffic on public-facing sites, and educate users on verifying official app sources to mitigate the risks posed by these banking trojans.