Keypoints
- Attackers distribute a malicious APK (eCart, org.ecrt.cr) via multiple phishing e-shop websites that present fake app download buttons.
- The APK requests Accessibility permission, changes the default SMS app, and uses broadcast receivers to intercept SMS messages for credential theft.
- New capability: screen-sharing via the Janus WebRTC plugin, with a remote WebRTC server at hxxps://jimmyserv[.]online used to stream device screens and host an admin panel.
- The malware communicates with a C2 server at hxxps://superbunapp[.]com for configuration, product data, and exfiltration of stolen credentials (including FPX payment credentials for 18 Malaysian banks).
- Code obfuscation is applied using the open-source “Paranoid” string obfuscator to hinder analysis and reverse engineering.
- The app generates random session IDs and passwords for remote connections and can perform automated gestures (input injection) via an Accessibility service class (GestureDispatchService) driven by Janus-provided commands.
- Multiple phishing domains (e.g., worldshopping-global[.]com, ecart-global[.]com) are in use, with several APK and file hashes observed across the campaign.
MITRE Techniques
- [T1660] Phishing – Malware distribution via phishing sites; ‘Malware distribution via phishing site’
- [T1624.001] Event Triggered Execution: Broadcast Receivers – Registers broadcast receivers to intercept incoming SMS messages and trigger theft; ‘The malware registered broadcast receivers to steal incoming SMS’
- [T1516] Input Injection – Uses Accessibility service to perform automated clicks, gestures, and input received from the Janus plugin; ‘Malware can mimic user interaction, perform clicks and various gestures, and input data’
- [T1513] Screen Capture – Implements screen-sharing using the Janus WebRTC plugin to stream device screens to a remote server; ‘Malware can capture screen content using the Janus WebRTC plugin’
- [T1636.004] Protected User Data: SMS Messages – Steals SMS messages from the infected device after changing the default SMS app; ‘Steals SMSs from the infected device’
- [T1646] Exfiltration Over C2 Channel – Sends harvested credentials and logs to C2 servers (superbunapp[.]com / jimmyserv[.]online) for remote use; ‘Sending exfiltrated data over C&C server’
Indicators of Compromise
- [APK metadata] Malicious Android app – Package org.ecrt.cr (App Name: eCart), SHA256 776f98f55e19b5b3f79124415796511703c96633505d6a1cae4614e9a1a70163
- [SHA256/SHA1/MD5] Malicious sample hashes – cc3ca9738777afa55bbf0aa340cb41a6f547c50e9a19b6ff0ab498243033104d, 51c9f273670a0a454119e1bb772986b230fa0133, and 2 more hashes
- [C2/WebRTC domains] Remote control and screen-sharing servers – hxxps://superbunapp[.]com (C2), hxxps://jimmyserv[.]online (Janus WebRTC / admin panel)
- [Phishing URLs] Distribution and phishing sites – hxxps://www[.]worldshopping-global[.]com, hxxps://ecart-global[.]com, and several other shopcenter-/myshopping- themed domains
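The indicators above are published defanged (`hxxps://`, `[.]`), so before they can be matched against proxy, DNS or file-scan logs they have to be refanged and compared by host suffix rather than by substring (otherwise `notsuperbunapp.com` would match). The following Python is an added example, not code from the Cyble write-up or the campaign itself; the log format (timestamp, source IP, record kind, value) and the log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Set, Tuple

# Indicators as listed above (defanged). Not the page's code; the hash and
# host lists are copied from the IOC section, everything else is constructed.
DEFANGED_IOCS = [
    "hxxps://superbunapp[.]com",
    "hxxps://jimmyserv[.]online",
    "hxxps://www[.]worldshopping-global[.]com",
    "hxxps://ecart-global[.]com",
]
IOC_HASHES = {
    "776f98f55e19b5b3f79124415796511703c96633505d6a1cae4614e9a1a70163",
    "cc3ca9738777afa55bbf0aa340cb41a6f547c50e9a19b6ff0ab498243033104d",
    "51c9f273670a0a454119e1bb772986b230fa0133",
}

# Constructed log lines (assumed format: "<ts> <src-ip> <dns|url|sha256|sha1> <value>").
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 dns superbunapp.com
2024-05-01T10:00:02Z 10.0.0.5 url https://www.worldshopping-global.com/eCart.apk
2024-05-01T10:00:03Z 10.0.0.5 sha256 776f98f55e19b5b3f79124415796511703c96633505d6a1cae4614e9a1a70163
2024-05-01T10:00:04Z 10.0.0.7 dns notsuperbunapp.com
2024-05-01T10:00:05Z 10.0.0.7 url https://example.com/janus
2024-05-01T10:00:06Z 10.0.0.5 dns turn.jimmyserv.online
""".splitlines()

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|url|sha256|sha1)\s+(?P<val>\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged URL or domain back into its real form."""
    s = ioc.strip().lower()
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def host_of(url_or_host: str) -> str:
    """Host part of a refanged URL (or a bare host), without scheme, path or port."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    return s.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def build_hostset(defanged: List[str]) -> Set[str]:
    """Refang every indicator and index it by host; also index the apex of www.* hosts."""
    hosts: Set[str] = set()
    for ioc in defanged:
        h = host_of(refang(ioc))
        hosts.add(h)
        if h.startswith("www."):
            hosts.add(h[4:])
    return hosts


def matching_ioc_host(host: str, hostset: Set[str]) -> Optional[str]:
    """Return the IOC host that `host` equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in hostset:
            return candidate
    return None


def scan_logs(lines: List[str], hostset: Set[str], hashes: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Yield (src, kind, value, matched_indicator) for every line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip rather than fail the whole scan
        src, kind, val = m.group("src"), m.group("kind"), m.group("val")
        if kind in ("dns", "url"):
            matched = matching_ioc_host(host_of(val), hostset)
            if matched:
                hits.append((src, kind, val, matched))
        elif val.lower() in hashes:
            hits.append((src, kind, val, val.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG, build_hostset(DEFANGED_IOCS), IOC_HASHES):
        print(hit)
```

Suffix matching deliberately flags subdomains such as a TURN or API host under `jimmyserv.online`, since WebRTC signalling and media relays are often served from hosts other than the apex; the apex of a `www.` indicator is indexed as well because the key points list `worldshopping-global[.]com` without the prefix.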
The technical infection chain begins with social engineering (fake cleaning-service or e-shop posts) directing victims to phishing sites that host a malicious APK (eCart, package org.ecrt.cr). Once installed, the app requests Accessibility permission, prompts the user to make it the default SMS app so that incoming messages are delivered to its own broadcast receivers, and asks for screen-capture consent; these permissions enable SMS interception and allow the GestureDispatchService to receive remote commands for automated gestures and UI interaction.
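Because the two footholds described above (an enabled accessibility service and the default SMS role) are both visible in Android's secure settings, a responder can triage a device over adb without pulling the APK first. The following Python is an added example, not code from the Cyble write-up: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`, flags the package named on this page, and flags any other accessibility service outside a caller-supplied trusted set. The sample setting values, the trusted-package set, the expected default SMS app and the `org.ecrt.cr.GestureDispatchService` component path are assumptions for illustration; the page names the class but not its full component name.

```python
import subprocess
from typing import List, Set, Tuple

# Package named in the IOC section; the component path below it is an assumption.
KNOWN_IOC_PACKAGES: Set[str] = {"org.ecrt.cr"}

# Constructed output of the two `settings get secure` commands (assumed device state).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":org.ecrt.cr/org.ecrt.cr.GestureDispatchService"
)
SAMPLE_SMS_DEFAULT = "org.ecrt.cr"

Finding = Tuple[str, str, str]  # (setting, value, reason)


def parse_accessibility_services(value: str) -> List[str]:
    """Split the colon-separated ComponentName list; 'null' or empty means none enabled."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [component for component in value.split(":") if component]


def triage(
    accessibility_value: str,
    sms_default_value: str,
    expected_sms_app: str,
    trusted_a11y_packages: Set[str],
    ioc_packages: Set[str],
) -> List[Finding]:
    """Return findings for suspicious accessibility services and a hijacked SMS role."""
    findings: List[Finding] = []
    for component in parse_accessibility_services(accessibility_value):
        pkg = component.split("/", 1)[0]
        if pkg in ioc_packages:
            findings.append(("accessibility_service", component, "known malicious package"))
        elif pkg not in trusted_a11y_packages:
            findings.append(("accessibility_service", component, "untrusted package holds accessibility"))
    sms = sms_default_value.strip()
    if sms in ioc_packages:
        findings.append(("default_sms_app", sms, "known malicious package"))
    elif sms != expected_sms_app:
        findings.append(("default_sms_app", sms, f"default SMS app changed from {expected_sms_app}"))
    return findings


def read_secure_setting(key: str) -> str:
    """Read one Settings.Secure key from the connected device (requires adb on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", key],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    try:
        a11y = read_secure_setting("enabled_accessibility_services")
        sms = read_secure_setting("sms_default_application")
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No adb or no device: fall back to the constructed sample so the script still runs.
        a11y, sms = SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT
    for finding in triage(a11y, sms, "com.google.android.apps.messaging",
                          {"com.google.android.marvin.talkback"}, KNOWN_IOC_PACKAGES):
        print(finding)
```

On Android 10 and later the SMS role is managed by RoleManager, so confirm the holder with `adb shell cmd role get-role-holders android.app.role.SMS` as well; the `sms_default_application` key is still useful on older builds and as a cross-check. An accessibility finding is only a lead: verify the package with `pm path` and a hash comparison against the IOC list before acting on it.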
For remote access and data exfiltration, the malware contacts a C2 at hxxps://superbunapp[.]com to report permission and connectivity status and to fetch fake shop/product data; when screen-sharing is enabled it connects to hxxps://jimmyserv[.]online to configure a Janus WebRTC session, generate an 8-digit session ID and 4-digit password, and stream screen content to the attacker’s admin panel. The Janus plugin supplies gesture/input commands used by the Accessibility service to perform clicks and text entry, while Paranoid string obfuscation hides meaningful strings and complicates analysis.
The phishing flow within the app displays login and FPX payment pages tailored to each targeted bank; the credentials entered there, together with intercepted SMS messages (including any one-time codes) and other harvested data, are forwarded over the C2 channel to the remote servers for attacker use. Observed technical indicators include multiple phishing domains (e.g., worldshopping-global[.]com, ecart-global[.]com), C2/WebRTC hosts (superbunapp[.]com, jimmyserv[.]online), and several malicious file hashes linked to the campaign.
Read more: https://cyble.com/blog/elevating-the-stakes-the-enhanced-arsenal-of-the-fake-e-shop-campaign/