Image: DomainTools
Since August 2024, a financially motivated threat group has been targeting Indonesian and Vietnamese Android users with banking trojans cleverly disguised as government ID and payment apps. The campaign was uncovered by DomainTools researchers, who warn that the operators employ sophisticated evasion techniques and distinct infrastructure patterns to bypass security defenses.
According to the report, “a group has been targeting Indonesian and Vietnamese Android users with banking trojans disguised as legitimate payment and government identity applications. The operators exhibit distinct domain registration patterns, often reusing TLS certificates and grouping domains to resolve to the same IP addresses, with a strong operational focus during Eastern Asia’s daytime hours.”
One of the most notable tactics is the use of spoofed Google Play Store pages that mimic legitimate download portals. However, instead of hosting APK files directly, attackers employ an unusual WebSocket-based download mechanism.
The researchers explain, “instead of linking directly to a file download, when a user clicks the Android button, it initiates a WebSocket connection… the server responds by sending the .apk file back to the browser in many small chunks.”
This chunked delivery, complete with a fake progress bar, tricks the user while evading firewalls and automated scanners that look for static APK download URLs.
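The evasion described above works because many controls only look at the URL a user clicks. A defender who inspects the WebSocket stream itself can still catch the package once the chunks are reassembled. The following is an added illustration, not code from DomainTools or from the campaign: it contrasts a static URL check with a per-connection inspector that buffers binary frames and classifies the reassembled blob as an APK by its ZIP signature and the entries every Android package carries. The simulated APK, the benign archive, the connection id and the WebSocket URL are constructed for the example.

```python
import io
import zipfile
from urllib.parse import urlparse

ZIP_MAGIC = b"PK\x03\x04"
# Entries present in every real APK; a ZIP without them is not an Android package.
APK_ENTRY_MARKERS = ("AndroidManifest.xml", "classes.dex")


def url_based_apk_check(url):
    """What a static URL filter sees: only direct .apk links are caught."""
    return urlparse(url).path.lower().endswith(".apk")


def classify_payload(data):
    """Classify a reassembled byte blob; returns (is_apk, reason)."""
    if not data.startswith(ZIP_MAGIC):
        return False, "not a ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False, "ZIP signature but archive is corrupt or incomplete"
    found = [m for m in APK_ENTRY_MARKERS if m in names]
    if found:
        return True, "Android package (contains %s)" % ", ".join(found)
    return False, "ZIP archive without APK entries"


class WebSocketStreamInspector:
    """Buffer binary WebSocket frames per connection and classify on close."""

    def __init__(self, max_bytes=50 * 1024 * 1024):
        self.max_bytes = max_bytes  # cap so a hostile stream cannot exhaust memory
        self._buffers = {}

    def on_binary_frame(self, conn_id, chunk):
        buf = self._buffers.setdefault(conn_id, bytearray())
        if len(buf) + len(chunk) > self.max_bytes:
            raise ValueError("stream %s exceeds %d bytes" % (conn_id, self.max_bytes))
        buf.extend(chunk)

    def on_close(self, conn_id):
        data = bytes(self._buffers.pop(conn_id, b""))
        return classify_payload(data)


def build_fake_apk():
    """Constructed stand-in for an APK: a ZIP carrying the marker entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.constructed'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return out.getvalue()


def build_benign_zip():
    """Constructed ordinary archive that must not be flagged."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return out.getvalue()


def chunked(data, size):
    for i in range(0, len(data), size):
        yield data[i:i + size]


def demo(payload, chunk_size=256):
    """Deliver payload over a simulated WebSocket in small chunks, then classify it."""
    inspector = WebSocketStreamInspector()
    for piece in chunked(payload, chunk_size):
        inspector.on_binary_frame("conn-1", piece)  # constructed connection id
    return inspector.on_close("conn-1")


if __name__ == "__main__":
    print("static filter on wss://store.example/download:",
          url_based_apk_check("wss://store.example/download"))
    print("APK via chunks:", demo(build_fake_apk()))
    print("benign zip via chunks:", demo(build_benign_zip()))
```

The point of the pairing is that `url_based_apk_check` returns False for the WebSocket endpoint, so a URL-only control never fires, while `demo(build_fake_apk())` flags the package after reassembly; a truncated stream is reported as incomplete rather than silently passed.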
The payloads delivered through these spoofed stores include variants of BankBot, a notorious banking trojan whose leaked source code has spawned countless derivatives since 2016.
One observed sample, IdentitasKependudukanDigital.apk, was flagged as “BankBot.Remo.1.origin, a previously closed source banking trojan that had its source code leaked on Russian-language forums in 2016.”
BankBot variants enable attackers to:
- Steal banking and payment credentials.
- Overlay fake login screens on legitimate apps.
- Intercept SMS for two-factor authentication bypass.
The group relies on hundreds of domains tied together through a consistent infrastructure footprint:
- Registrar: Gname.com Pte. Ltd.
- Nameservers: share-dns[.]net and Cloudflare
- ISP hosting: Alibaba and Scloud (with Singapore and Indonesia IPs)
The report notes, “the most prolific registration patterns were the use of Alibaba ISP, Gname Registrar, and share-dns[.]net nameservers.”
Heatmap analysis shows domains being registered and operationalized within about 10.5 hours, primarily during working hours in Eastern Asia—further suggesting the operators are based in the region.
While some delivery mechanisms are advanced, the group also uses open web directories to host APKs under banking app names such as BCA.apk, BRImo.apk, and Livin.apk.
In other cases, unsophisticated coding mistakes betray their methods. One spoofed site, imitating the Indonesian tax app M-Pajak, contained a mix of Thai, Vietnamese, Portuguese, and Indonesian language strings, revealing the use of clumsy template files.