Since August 2024, a financially motivated threat group has targeted Android users in Indonesia and Vietnam with banking trojans disguised as legitimate government identity and payment applications. The campaign uses intricate download mechanisms, reuses existing infrastructure, and employs template-based spoofed sites to evade detection while stealing user credentials. Researchers identified the campaign through suspicious HTML elements on counterfeit Google Play Store pages; notable domains such as icrossingappxyz[.]com carried deceptive download buttons. Rather than serving the package as an ordinary file download, the site opened a WebSocket connection and streamed the .apk file in chunks, which let it slip past network security filters. The downloaded file, often named IdentitasKependudukanDigital.apk, contained a variant of the BankBot.Remo trojan.
Additionally, simpler spoofed sites imitated popular regional applications, such as a clone of the M-Pajak tax-payment app hosted on twmlwcs[.]cc; that cloned app was also identified as a BankBot loader. Other variants were found on domains such as dgpyynxzb[.]com and ykkadm[.]icu, masquerading as legitimate banking applications. Over the past year, researchers identified more than 100 domains associated with this campaign, most of them hosted with Alibaba as the ISP and registered through Gname.com Pte. Ltd. The operational patterns showed a focus on Indonesian and Vietnamese victims, with domain registration and DNS queries peaking during Eastern Asia daytime hours. The campaign combines advanced obfuscation techniques with mass-template spoofing to circumvent security controls, highlighting the need for user vigilance and for monitoring of unusual WebSocket traffic.
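As an added illustration of the WebSocket monitoring recommended above (example code written for this summary, not tooling from the researchers or from the original report), the following hypothetical sensor-side check reassembles the binary frames of one WebSocket connection and flags the stream once the reassembled bytes form an Android package. The class and function names, and the constructed sample package, are assumptions.

```python
import io
import zipfile

# Every APK is a ZIP archive: it starts with the local-file-header magic
# and always carries these two members.
ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


class WebSocketApkDetector:
    """Reassembles the binary frames of one WebSocket connection and
    classifies the payload (hypothetical detector, not the researchers')."""
    def __init__(self, max_bytes=64 * 1024 * 1024):
        self.buf = bytearray()
        self.max_bytes = max_bytes  # cap buffering so one stream cannot exhaust the sensor

    def feed(self, frame_payload):
        if len(self.buf) + len(frame_payload) > self.max_bytes:
            raise ValueError("stream exceeds inspection limit")
        self.buf.extend(frame_payload)

    def verdict(self):
        if self.buf[:4] != ZIP_MAGIC:
            return "other"  # first bytes are not a ZIP/APK
        try:
            with zipfile.ZipFile(io.BytesIO(bytes(self.buf))) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # The central directory sits at the end of a ZIP, so a chunked
            # stream still in flight fails to parse; keep it flagged until close.
            return "zip-partial"
        return "apk" if APK_MARKERS <= names else "zip"


def scan_stream(frames):
    # Feed every frame of a connection, then return the final verdict.
    det = WebSocketApkDetector()
    for payload in frames:
        det.feed(payload)
    return det.verdict()


def build_sample_apk():
    """Constructed stand-in for a streamed APK (member contents are dummy bytes)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035" + b"\x00" * 4000)
    return out.getvalue()


def chunked(data, size):
    # Split a payload into WebSocket-frame-sized chunks, as the loader sites did.
    return [data[i:i + size] for i in range(0, len(data), size)]
```

Because the ZIP central directory is at the end of the file, the check can only reach a final "apk" verdict after the connection closes, so a sensor must buffer the whole stream rather than judging the first frame alone.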