Title: Android Malware Campaign “Neo_Net” Drains Bank Accounts Worldwide
Introduction:
A new malware campaign targeting Android users has been draining bank accounts globally since 2021, aiming to steal sensitive bank details. The campaign, orchestrated by an attacker codenamed “Neo_Net,” has gained access to personally identifiable information (PII), enabling the perpetrator to impersonate victims and carry out fraudulent activities. Security experts have noted that “Neo_Net” primarily focuses on banking users in Spain and Chile, with major banks such as Santander, BBVA, and CaixaBank among the affected institutions.
Exploiting Unsophisticated Tools:
Despite using relatively unsophisticated tools, “Neo_Net” has achieved a high success rate, resulting in the theft of over €350,000 from victims. According to cybersecurity company SentinelOne, the attacker created convincing landing pages resembling legitimate bank websites and ran an SMS campaign that pointed to them. Victims were prompted to click on a link and provide their identity details, which were then collected using a Telegram bot.
Tricking Victims and Stealing MFA Codes:
In some instances, the attackers tricked victims into downloading malicious Android apps that were disguised as security software but designed to steal multi-factor authentication (MFA) codes. These apps typically request SMS permissions upon installation. Fear-based tactics, such as claiming unauthorized access or account limitations, were used to lure victims into submitting their credentials. The stolen information was then exfiltrated to a designated Telegram chat, effectively granting the attacker unrestricted access to the stolen data.
Magnitude of the Threat:
While the current recorded sum stolen stands at €350,000, the actual figure is expected to be much higher. SentinelOne notes that older trades and transactions that do not require MFA were not included in the total sum. The campaign was active from June 2021 to April 2023, and the threat actor has likely been active for a longer period. Described as an “experienced cybercriminal,” “Neo_Net” not only runs malicious campaigns but also sells tools and services on the Dark Web.
The Ankarex Connection:
The campaign employed the proprietary SMS delivery platform Ankarex, which is actively promoted on “Neo_Net’s” Telegram channel. This platform allows users to upload funds via cryptocurrency transfers and launch their own smishing (SMS phishing) campaigns. Despite predominantly targeting Spanish-speaking users, the campaign still poses a threat globally, having attacked clients of 50 financial institutions, with 30 of them based in Spain or Chile.
Widespread Banking Trojan Instances:
This type of banking Trojan attack is not an isolated incident. Just recently, the Anatsa banking Trojan was found behind multiple cases of fraud. Distributed via Android apps on the Google Play Store, Anatsa targeted nearly 600 financial apps worldwide, affecting victims in the United States, Germany, Austria, and Switzerland. Additionally, “Neo_Net” has collaborated with non-Spanish speakers, such as cybercriminal “devilteam666,” who offers malicious Google Ads services on their Telegram channel.
Conclusion:
With the growing prevalence of malware campaigns, especially targeting Android users, individuals must remain vigilant and exercise caution while handling their financial information through mobile devices. It is crucial to verify website authenticity, avoid clicking on suspicious links, and regularly update security software to protect against these evolving threats.
