McAfee’s Mobile Research Team uncovered an active Android malware campaign targeting Bengali-speaking expatriates by impersonating popular financial apps such as TapTap Send and AlimaPay to steal personal and financial data. The campaign is distributed through phishing sites and fake Facebook pages, and the C2 server that stores the stolen data has directory listing enabled, so anyone can retrieve the uploaded files without authentication. #AndroidFakeApp #TapTapSend #AlimaPay #BangladeshiDiaspora
Keypoints
- The malware campaign targets Bengali-speaking expatriates primarily in Saudi Arabia, UAE, Malaysia, and the UK by impersonating popular remittance apps.
- Distribution occurs via phishing websites written in Bengali and fake Facebook pages mimicking legitimate financial services.
- The fake apps request extensive personal and financial information including photo IDs and payment credentials through multi-step registration flows.
- The collected data is transmitted to a command-and-control (C2) server that has directory listing enabled, making stolen information publicly accessible.
- The malware simulates realistic financial transactions and dashboard interfaces to build user trust and extract sensitive data.
- McAfee detects this threat as Android/FakeApp and highlights the cultural targeting and sustained campaign activity.
- Users are advised to download apps only from trusted sources and use mobile security software to protect against such threats.
MITRE Techniques
- [T1566] Phishing – Phishing websites written in Bengali and fake Facebook pages distribute the fake financial apps (“phishing websites that mimic trusted remittance services”).
- [T1056.002] Input Capture: GUI Input Capture – The fake app’s multi-step registration flow prompts for credentials and identity documents in its own UI (“users are then asked to create a login password and a 5-digit PIN”). The credentials are captured by the app’s own forms, not read from a browser store, so this is input capture rather than credential theft from a browser.
- [T1041] Exfiltration Over C2 Channel – Everything the user enters, including the photo IDs, is uploaded to the C2 server (“all of this information is sent to the C2 server and stored”).
- Exposed C2 storage (not an ATT&CK technique) – The server has directory listing enabled, so the uploaded files are readable without authentication (“directory listing is enabled, which means anyone can access the uploaded files without authentication”). This is a misconfiguration of the attacker’s own infrastructure rather than a discovery technique run against victims, but it is what exposed the 297 uploaded ID images to anyone who found the server.
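The exposed-storage finding above rests on one observable: the C2 server returns a web-server autoindex page instead of a 403. The following is an added example, not code from McAfee or from the campaign, showing how an analyst can confirm that from an already captured HTTP response and inventory the exposed files without touching the server. The host, paths, file names and the HTML itself are constructed for the example; the parser targets the page shape Apache and nginx emit when directory listing is on.

```python
"""Check whether a saved HTTP response is a web-server directory listing
(Apache/nginx autoindex) and inventory the files it exposes.

Added example for this summary; it is not code from McAfee or from the
campaign. It works offline on HTML you already captured, so it never
touches the server. Host, paths and file names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp")

# Constructed sample in the shape of an nginx/Apache "Index of" page.
SAMPLE_LISTING = """<html><head><title>Index of /uploads/</title></head>
<body><h1>Index of /uploads/</h1><hr><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">../</a>
<a href="id_front_001.jpg">id_front_001.jpg</a>   01-Jan-2024 10:00   231K
<a href="id_back_001.jpg">id_back_001.jpg</a>     01-Jan-2024 10:00   198K
<a href="selfie%20001.png">selfie 001.png</a>     02-Jan-2024 11:30   512K
<a href="users.json">users.json</a>               02-Jan-2024 11:31    14K
<a href="sub/">sub/</a>                           03-Jan-2024 09:00      -
</pre><hr></body></html>"""

# Constructed negative sample: an ordinary page with links but no listing.
SAMPLE_LOGIN_PAGE = """<html><head><title>Sign in</title></head>
<body><a href="/help">Help</a><form action="/login"></form></body></html>"""


class _ListingParser(HTMLParser):
    """Collects the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    parser = _ListingParser()
    parser.feed(html)
    parser.close()
    return parser


def is_directory_listing(html):
    """True if the page looks like an autoindex: an 'Index of' title, or a
    parent-directory link, both of which Apache and nginx emit."""
    page = _parse(html)
    if re.match(r"\s*Index of\s", page.title):
        return True
    return "../" in page.hrefs


def list_exposed_files(html, base_url):
    """Absolute URLs of the files in the listing. Skips the parent link,
    subdirectories and Apache's column-sort links (href starting with '?')."""
    page = _parse(html)
    files = []
    for href in page.hrefs:
        if href.startswith("?") or href.endswith("/"):
            continue
        files.append(urljoin(base_url, href))
    return files


def count_image_files(urls):
    """How many of the exposed files are images (e.g. photographed IDs)."""
    return sum(1 for u in urls if unquote(u).lower().endswith(IMAGE_EXTENSIONS))


if __name__ == "__main__":
    base = "http://c2.invalid/uploads/"  # constructed, not a real host
    if is_directory_listing(SAMPLE_LISTING):
        exposed = list_exposed_files(SAMPLE_LISTING, base)
        print(f"directory listing enabled: {len(exposed)} files, "
              f"{count_image_files(exposed)} images")
```

Run it against a response you saved with `curl -s` or from a proxy; the image count is the number worth reporting, since on this server the images are victims' identity documents. The check is deliberately lenient (title or parent link) because operators sometimes strip the heading but leave the `../` entry.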
Indicators of Compromise
- [File Hashes] Android malware samples detected as Android/FakeApp; the summary gives no hashes.
- [Domains] Multiple, rotating domains hosting the phishing sites and the C2 server; the summary names none.
- [URLs] Phishing URLs mimicking remittance services, shared through the fake Facebook pages; none are listed.
- [Victim artifacts] 297 photo-ID images were publicly accessible on the C2 server through its directory listing. This is evidence of the scale of the theft rather than an indicator to match on a victim device.