Fake Bahrain Government Android App Steals Personal Data for Financial Fraud

MITRE Techniques

• [T1566.001] Phishing – The adversary used phishing to distribute the fake apps. Phishing pages were created on Facebook and linked to phishing sites. “The adversary used phishing to distribute the fake apps. Phishing pages were created on Facebook and linked to phishing sites.”
• [T1071.001] Application Layer Protocol: Web Protocols – The fake apps communicate with a C2 server using web protocols; user data is transmitted to the attacker’s server via HTTP/HTTPS. “The fake apps communicate with a Command and Control (C2) server using web protocols. User data entered into the app is transmitted to the attacker’s server via HTTP or HTTPS requests.”
• [T1056.001] Input Capture: Keylogging – The malware captures input data (CPR numbers, phone numbers) entered by users and sends it to the C2. “The malware captures input data, including personal information like CPR numbers and phone numbers, which are entered by users in the fake app interfaces.”
• [T1059.007] Command and Scripting Interpreter: JavaScript – The fake app uses JavaScript within its webview to load phishing URLs from Firebase. “The fake app uses JavaScript within its webview to dynamically load phishing URLs from Firebase.”
• [T1110.003] Brute Force: Credential Stuffing – The app requests sensitive information (CPR numbers, phone numbers) which can be used in credential stuffing attacks. “The fake app requests sensitive information such as CPR numbers and phone numbers, which can be used in credential stuffing attacks to access various user accounts and financial information.”
• [T1071.004] Application Layer Protocol: DNS – The malware may use DNS to resolve C2 domain names, enabling communication with attacker infrastructure. “The malware may use DNS to resolve the domain names of its C2 servers, allowing it to communicate with the attacker’s infrastructure.”
• [T1112] Modify Registry – The malware could modify device registry/configuration to maintain persistence after reboot. “The malware could potentially modify the registry or configuration settings on the infected device to maintain persistence and ensure the app continues running after a reboot.”
• [T1027] Obfuscated Files or Information – The app may obfuscate code and use legitimate services like Firebase to hide malicious activity. “The app may use obfuscation techniques to hide its malicious code and evade detection by security software. This includes using legitimate services like Firebase to obscure the malicious activity.”
• [T1005] Data from Local System – The malware collects data from the device (including SMS) for exfiltration. “The malware collects data from the infected device, including SMS messages and other personal information, which is then exfiltrated to the attacker’s server.”
• [T1052.001] Exfiltration Over C2 Channel – Stolen data is exfiltrated via the same channel used to interact with the UI. “The stolen data is exfiltrated to the attacker’s C2 server using the same communication channel that the app uses to interact with the user interface.”
• [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – The malware may clear logs to avoid detection. “The malware may attempt to clear logs or other indicators on the infected device to cover its tracks and avoid detection by the user or security software.”