“Mamont” Android Banking Trojan Disguised as Parcel Tracking App Targets Thousands in Russia
Kaspersky Labs has uncovered a distribution campaign for the “Mamont” Android banking Trojan, a sophisticated piece of malware exploiting unsuspecting victims under the guise of parcel tracking applications. With over 31,000 attacks blocked in October and November 2024 alone, this campaign has emerged as a significant threat to Android users in Russia.
The report details two key tactics used by attackers:
- Photo Identification Scam: Victims receive an instant message from an unknown sender, asking them to identify a person in a photo. However, the “photo” is a malicious installer that deploys the Mamont Trojan.
- Parcel Tracking Deception: In a more elaborate ploy, scammers offer household appliances for free, claiming the items are part of a promotional campaign. Victims are lured into downloading a supposed parcel tracking app, which, instead of tracking packages, installs the Mamont Trojan.
“We have to give it to the operators: the scam was quite convincing. The private channel was full of users asking questions, no prepayment was necessary, and the ‘shipping’ took a credible length of time,” Kaspersky researchers noted.
Once installed, the Mamont Trojan requests permissions to access push notifications, SMS, and calls. It also sends device information to the attackers’ command-and-control (C2) server for victim identification. Among its malicious features are:
- Hijacking Notifications: Redirects push notifications to the attacker’s server.
- Command Execution: Executes commands like sending SMS messages, hiding app icons, and collecting sensitive information such as login credentials.
- Social Engineering Features: Customizable text boxes and image upload windows designed to trick victims into providing sensitive data.
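For defenders triaging a sideloaded APK, the permission combination described above (push notifications, SMS, and calls) can be checked in a decoded `AndroidManifest.xml`. The following is an added example, not code from Kaspersky's report: the mapping from those capabilities to standard Android permission names is an assumption, the sample manifests are constructed, and a match is a reason for manual review rather than proof of Mamont, since legitimate messaging apps can request the same set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping from the capabilities named in the article to standard
# Android permissions; the article does not list exact permission strings.
CAPABILITIES = {
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "calls": {P + "READ_PHONE_STATE", P + "CALL_PHONE", P + "READ_CALL_LOG"},
}
NOTIF_LISTENER = P + "BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(manifest_xml):
    """Return {capability: sorted matches} for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap: sorted(perms & requested) for cap, perms in CAPABILITIES.items()}
    # Notification access is not a uses-permission entry: the app declares a
    # service that is protected by BIND_NOTIFICATION_LISTENER_SERVICE.
    found["notifications"] = sorted(
        s.get(ANDROID_NS + "name", "?") for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == NOTIF_LISTENER)
    return found

def needs_review(found):
    """Flag only when all three capability groups are present together."""
    return all(found.values())

# Constructed sample manifests (not taken from any real app).
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tracker">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        result = triage_manifest(xml)
        print(label, needs_review(result), result)
```

The input is the text-form manifest, such as the one apktool produces when decoding an APK; the binary manifest inside the APK itself will not parse with this function.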
According to Kaspersky, “The ‘custom’ and ‘photo’ commands, designed to trick the user into giving away data, call for special attention. […] the attackers do this to harvest data for further social engineering scams like posing as law enforcement or a regulatory agency to trick users into sending money.”
The Mamont Android banking Trojan exclusively targets Android users in Russia, making both individual users and businesses vulnerable. As Kaspersky Security Network data shows, the malware’s convincing approach combines bulk-priced offers and phishing links to gain the victim’s trust.
“The attackers lure victims with bulk-priced offers, spreading malware disguised as parcel-tracking apps,” the report states. Such tactics increase the likelihood of victims contacting scammers first, thereby establishing a sense of trust.