Fake transaction screens that imitate real financial services | Image: McAfee
McAfee’s Mobile Research Team has uncovered a highly active Android malware campaign targeting Bengali-speaking users, particularly Bangladeshi expatriates living in countries like Saudi Arabia, the UAE, Malaysia, and the UK.
The campaign cleverly disguises malware as legitimate financial apps such as TapTap Send and AlimaPay, two services widely used for remittances and mobile banking. Delivered through phishing websites and fake Facebook pages, the apps steal sensitive personal and financial information under the guise of helping users send money home.
“While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities,” McAfee stated.
With $26.6 billion in remittances sent to Bangladesh in 2024—ranking sixth globally—cybercriminals have found a rich target environment. These fake apps prey on trust, cultural familiarity, and economic necessity.
“Bangladeshi people living abroad… rely heavily on mobile money services to send remittances and verify their identities for various purposes,” McAfee explains.
Phishing websites written entirely in Bengali and fake Facebook pages mimicking real financial brands are used to trick users into downloading the malware.
Once installed, the malicious app launches a convincing interface supporting Bengali and English, with realistic exchange rates and a dashboard offering typical features like money transfer, bill pay, and customer support.
The app guides users through a multi-stage registration flow, prompting:
- Full name and email
- Country of residence and mobile number
- Account type (Personal/Agent)
- Photo of official ID (passport, NID)
- Login password and 5-digit PIN
“This step makes the app feel more trustworthy and secure, but the collected credentials could later be used in credential stuffing attacks,” McAfee warns.
The fake app simulates a functional remittance platform but performs no real transactions. Instead, all entered information—including phone numbers, payment amounts, and banking credentials—is silently exfiltrated to a Command-and-Control (C2) server.
The C2 server itself lacks basic security controls: directory listing is enabled, allowing anyone to browse and download sensitive data.
“We found that one of the C2 domains contained 297 image files… photo IDs uploaded by users during the registration process.”
These exposed IDs present a grave risk of identity theft, fraud, and account takeover.
Telemetry data shows infections in:
- Saudi Arabia
- Malaysia
- UAE
- Bangladesh
This geographic alignment further confirms the campaign’s focus on the Bangladeshi diaspora.
McAfee urges users to:
- Avoid downloading apps from unofficial links
- Be skeptical of remittance promotions on social media
- Use mobile security software capable of detecting threats like Android/FakeApp
- Download only from Google Play or trusted app stores
“Users should stay cautious when encountering financial service promotions through social media or unknown websites,” McAfee advises.
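One way to act on the advice above when triaging a device: an added example, not code from McAfee's report, that lists apps not installed by a trusted store and raises those whose package name carries one of the brands named in this article. It assumes the input is the output of `adb shell pm list packages -i -3`; the sample listing, its package names, and the keyword list are constructed for illustration.

```python
import re

# Installer package IDs treated as trusted stores (assumption: Google Play only;
# extend this set for any vendor store your organisation trusts).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Keywords derived from the services named in the article. A sideloaded package
# carrying one of these is looked at first. This is a heuristic, not a signature.
BRAND_KEYWORDS = ("taptap", "alimapay")

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")

# Constructed sample output; every package name here is made up.
SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.example.taptapsend.transfer  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:org.example.alimapay.wallet  installer=com.android.chrome
garbage line that should be ignored
"""

def audit(listing):
    """Return (package, installer, priority) for each package not from a trusted store."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        pkg, installer = m["pkg"], m["installer"]
        if installer in TRUSTED_INSTALLERS:
            continue  # installed by a trusted store, nothing to report
        lowered = pkg.lower()
        priority = "high" if any(k in lowered for k in BRAND_KEYWORDS) else "review"
        findings.append((pkg, installer, priority))
    # High-priority findings first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (f[2] != "high", f[0]))

if __name__ == "__main__":
    for pkg, installer, priority in audit(SAMPLE):
        print(f"[{priority}] {pkg} (installer={installer})")
```

A fake app with an unrelated package name will not match the keywords, so every sideloaded entry marked `review` still needs a manual check.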