A sophisticated cybercriminal campaign has emerged targeting Indonesian and Vietnamese Android users with banking trojans disguised as legitimate government identity applications and payment services.
The malicious operation, active since approximately August 2024, employs advanced evasion techniques to deliver variants of the BankBot trojan family while maintaining an extensive infrastructure of over 100 domains.
The threat actors demonstrate significant operational sophistication through their use of fake Google Play Store pages and government service applications such as M-Pajak tax payment services and digital identity verification systems.
The campaign exploits user trust in official government platforms, creating highly convincing replicas that deceive victims into downloading malicious APK files containing banking trojans capable of stealing sensitive financial information and credentials.
DomainTools analysts identified the malware distribution pattern through monitoring suspicious site elements associated with spoofed Google Play Store websites.
The researchers uncovered an elaborate delivery mechanism designed to bypass traditional network security controls and evade automated detection systems commonly employed by cybersecurity frameworks.
The threat actors employ a remarkably sophisticated malware delivery system that leverages WebSocket technology to circumvent conventional security measures.
Rather than providing direct download links that security scanners can easily detect, the malicious sites utilize the Socket.IO library to establish real-time bidirectional communication channels between victim browsers and command servers.
When users click the Android download button, the page opens a WebSocket connection and issues the command socket.emit('startDownload', …).
The server responds by transmitting the malicious APK file in fragmented chunks rather than as a complete file transfer.
The browser collects these fragments through an event listener coded as socket.on('chunk', (chunk) => { chunks.push(chunk); });, while simultaneously receiving progress updates that maintain the illusion of a legitimate download process.
Upon completion, the system combines all received chunks in memory and assigns the MIME type application/vnd.android.package-archive, producing a file the browser treats as a proper APK.
The delivery mechanism then generates a temporary local URL and programmatically triggers an invisible download link, prompting the browser’s standard file download interface.
This elaborate process effectively disguises malware distribution as encrypted WebSocket traffic, allowing malicious payloads to bypass network security systems configured to block direct APK downloads while remaining invisible to static URL-based security scanners that crawl websites for malicious links.
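Because no APK URL ever appears on the page, the delivery described above can only be caught by inspecting the WebSocket stream itself. The Python below is an added example, not code from the DomainTools report or from the campaign: it parses captured Socket.IO text frames, reassembles the 'chunk' events in order and flags the result as an APK by its ZIP magic bytes, the declared MIME type and an AndroidManifest.xml entry. The 'progress' and 'done' event names, the base64 encoding of chunks and the sample frames are assumptions constructed for the example.

```python
import base64
import io
import json
import re
import zipfile

# Socket.IO text event frame: "42" (Engine.IO message + Socket.IO event), optional "/ns,", then a JSON array [event, ...args]; binary attachments ("45x-") are out of scope here
EVENT_FRAME = re.compile(r"^42(?:/[^,]*,)?(\[.*\])$", re.DOTALL)
APK_MIME = "application/vnd.android.package-archive"
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive

def parse_event(frame):
    """Return (event_name, args) for a Socket.IO event frame, None for pings and other frames."""
    payload = json.loads(m.group(1)) if (m := EVENT_FRAME.match(frame)) else None
    if not payload or not isinstance(payload[0], str):
        return None
    return payload[0], payload[1:]

def reassemble(frames):
    """Join the base64 'chunk' events from captured server-to-client frames; note the MIME sent with 'done' (assumed event)."""
    chunks, mime = [], None
    for name, args in filter(None, map(parse_event, frames)):
        if name == "chunk" and args:
            chunks.append(base64.b64decode(args[0]))
        elif name == "done" and args and isinstance(args[0], dict):
            mime = args[0].get("mime")  # the type the page will assign to the in-memory file
    return b"".join(chunks), mime

def classify(frames):
    """Flag a reassembled payload as an APK: ZIP magic plus the APK MIME or an AndroidManifest.xml entry."""
    data, mime = reassemble(frames)
    r = {"size": len(data), "zip_magic": data.startswith(ZIP_MAGIC), "apk_mime": mime == APK_MIME}
    try:
        r["android_manifest"] = "AndroidManifest.xml" in zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        r["android_manifest"] = False
    r["suspected_apk"] = r["zip_magic"] and (r["apk_mime"] or r["android_manifest"])
    return r

def build_sample_frames():
    """Constructed sample: a tiny ZIP with an APK-like entry, split into 64-byte 'chunk' events plus progress/done."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder content, not a real app
    raw = buf.getvalue()
    frames = []
    for i in range(0, len(raw), 64):
        frames.append("42" + json.dumps(["chunk", base64.b64encode(raw[i:i + 64]).decode()]))
        frames.append("42" + json.dumps(["progress", min(100, round(100 * (i + 64) / len(raw)))]))
    return frames + ["42" + json.dumps(["done", {"mime": APK_MIME, "name": "update.apk"}])]
```

Run against a real capture, the frames would come from a TLS-terminating proxy or browser devtools export; the same check applies to any chunked-transfer scheme once the chunks are concatenated.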