user warnings

A financially motivated cybercrime group has been targeting Android users in Indonesia and Vietnam by deploying banking trojans disguised as legitimate government applications. They spoof Google Play Store and App Store interfaces to deliver malicious APKs through obfuscated WebSocket connections, evading traditional security measures. Analysis of over 100 malicious domains shows they use Alibaba ISP, Gname.com for domain registration, and share-dns.net nameservers, with rapid DNS resolutions occurring within about 10.5 hours during peak daytime hours in Eastern Asia. The group's delivery mechanism utilizes the Socket.IO library for real-time WebSocket connections, allowing them to stream malicious APKs in small chunks. The downloaded file, often named IdentitasKependudukanDigital.apk, installs a variant of the BankBot trojan family. Some simpler spoofed sites offer direct download links with mixed language code strings, indicating the use of multilingual templates. Domain registration data from August 2024 to September 2025 shows these threat actors frequently reuse TLS certificates and cluster spoofed sites on identical IP addresses, primarily hosted via Alibaba and Scloud. These domains share server titles and operate on Nginx, with first-seen DNS queries typically lagging 10.5 hours behind registration times. Infections communicate with command and control domains, highlighting a coordinated infrastructure. The campaign emphasizes the need for behavioral detection and real-time traffic inspection to identify anomalous WebSocket file transfers.