Researchers at Cyble Research and Intelligence Labs (CRIL) reported fake e-shop scams targeting victims in Malaysia. According to the report, these Threat Actors were using Facebook ads services to impersonate the official pages of famous cleaning services. Once the users visited their fake pages, they were duped into downloading the malicious app from the phishing link shared by the Threat Actor.
The group used advertising campaigns for vehicle rental companies, online retailers, travel agencies, cleaning services, etc. and employed an Android banking Trojan while posing as pet stores and cleaning businesses. The criminals exploited the victims’ details to carry out fraudulent transactions after tricking the victims into downloading malicious apps.
E-shop scams continued in 2022

According to CRIL, Malaysia’s largest financial services group, Maybank, issued a public warning against fraudsters and the use of fake apps and social media campaigns. The warning also cautioned users against downloading applications from unofficial sources and websites.
The researchers at CRIL came across similar incidents in August 2022, wherein the users were tricked into purchasing low-cost packages related to IPTV subscriptions. The hackers allegedly used Facebook pages named “Premium TV Channel” to offer cheap IPTV subscriptions.
The fake Facebook pages were used to lure victims into contacting the perpetrators via services like WhatsApp, and then the Threat Actor tricks users into downloading the malicious application “EEPAD(Eng).3.1.apk. Since the application was supposed to provide cheap subscription packages, the user inadvertently gave their information and subscribed to the fake subscription service.
CRIL analyzes E-shop scam apps

CRIL analyzed the APKs (Android Application Package) involved in the E-scams and found malware relevantly used to target several bank accounts in 10 Malaysian banks. These banks include Agrobank, Bank Simpanan Nasional (BSN), Hong Leong BankMaybank, AmBank, Bank Islam, RHB Bank, CIMB Bank, Public Bank, OCBC Bank, and Bank Rakhyat.
Once the user shared their banking details and purchased the fake subscription packages, the Threat Actor then used this information and shared it with the Command and Control (C&C) Server “hxxps://superstore88[.]xyz/WTAppTv/”.
Numerous legitimate cleaning companies, like “KleanHouz Home Cleaning,” have come forward to report the continuous fraud. They cautioned their clients about seeking fraudulent benefits from scammers who were posing as the original companies. KleanHouz also mentioned the use of forged corporate certifications by scammers to persuade consumers to download the apps.

According to CRIL, the cybersecurity company has detected over 70 phishing sites’ activities in distributing Android malware via fake e-shops campaigns. These campaigns, which have been going on since April, spoof legitimate businesses using typosquatting (URL hijacking for malicious purposes) names.
Technical analysis of e-scam APKs

Cyble Research and Intelligence Labs did an in-depth analysis of BestPay, another malicious app used in e-scams in East Asia. The APK was named BestPay and had a package named com.app.ebayar. It used a 64 alphanumeric SHA256 Hash code. On the surface, the app looked and worked like any standard application and didn’t look suspicious.
However, upon reviewing its source code, the searchers found that the malware pretended to be a legitimate mobile payment application and used fake functionality and buttons to imitates paying for phones, energy, insurance, internet, virtual reality (VN), loans, and cable TV bills.

Upon launching the app, the malware displayed the bank name and the bill amount to be paid by the user. Once the user confirmed the bill and proceeds to pay it, the malware directed them to a phishing website URL created to look like the official website. The URL used in this case was hxxps://ebanking[.]hdbank.vn, and has targeted HDBank in Vietnam.