A clever attack on Pekao customers. They’ll wipe out your account before you blink
The CSIRT KNF team, in cooperation with CERT Orange Polska, discovered a new campaign in which fraudsters impersonate Pekao bank.
In a new phishing campaign, cybercriminals are using Facebook ads to distribute Android malware. For this purpose, they impersonate the Pekao SA bank and the PeoPay application. Installing the app on a phone or tablet may have serious consequences.
Fraudsters impersonate Pekao and PeoPay
As part of its operational activities, the CSIRT KNF team analyzed a sample of the application. It has the identifier “com.immune.park” and requests many permissions, including access to the WiFi network, Bluetooth, reading and writing data on external storage, SMS, location, the camera and the microphone.
“Some of these permissions are privacy-critical, meaning the application has the ability to access sensitive user data and system resources,” warns CSIRT KNF.
The analysis shows that the application requests SMS permissions and then opens the website “https(://)peo-pay-smart.ssmnoida(.)in/” (in some cases, the parameter “1/” is added to the URL ?land=riz&id=”). Additionally, in the WebView component configuration you can see the following settings:
- Allowing third-party cookies.
- Enabling JavaScript support.
- Allowing JavaScript to open windows automatically.
- Allowing access to files.
- Setting default zoom and other display options to improve compatibility and usability.
- Setting a custom user-agent string for WebView (“Mozilla/5.0 (Linux; U; sugarisfree 2.0; en-us; Droid Build/ESD20panicake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17”).
In addition, the application steals SMS messages, including unsent ones. According to experts, it has virtually full SMS handling capability. It probably also uses the WebView component to present a fake bank login page, which allows it to steal login credentials, and then obtains the authentication code via SMS.
In short, installing the application on your device is extremely dangerous and may lead to the theft of money from your account. The fake app’s details are:
- Application name: PeoPay Smart (com.immune.park)
- MD5: b1940ef6bf923ec8495bc2f6ebcbe135
- SHA-1: 967f951fff220f8903fc1ece4d10dc2820dc27f3
- SHA-256: db0fba3e7e05c7800b533d9a3ac0cd12f4500c3ec17aba1bd77ba40461dae6e0
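The pairing described above, SMS permissions together with a WebView that has JavaScript and the other listed settings switched on, can be looked for during static triage of a suspicious APK. The Python sketch below is an added example, not CSIRT KNF's tooling: it assumes the manifest has already been decoded to text XML and the code decompiled to Java, and the group names, function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission groups the article names (standard Android permission names).
SENSITIVE = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
# WebView settings from the article's list; boolean ones match only when set to true.
WEBVIEW_CALLS = {
    "javascript": r"setJavaScriptEnabled\(\s*true\s*\)",
    "auto_windows": r"setJavaScriptCanOpenWindowsAutomatically\(\s*true\s*\)",
    "file_access": r"setAllowFileAccess\(\s*true\s*\)",
    "third_party_cookies": r"setAcceptThirdPartyCookies\([^)]*,\s*true\s*\)",
    "custom_user_agent": r"setUserAgentString\(",
}
# Constructed sample inputs (not taken from the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
SAMPLE_SOURCE = """s.setJavaScriptEnabled(true);
s.setJavaScriptCanOpenWindowsAutomatically(true);
s.setAllowFileAccess(false);
CookieManager.getInstance().setAcceptThirdPartyCookies(webView, true);"""

def sensitive_groups(manifest_xml):
    """Return the sensitive permission groups a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
             for el in root.iter("uses-permission")}
    return {group for group, perms in SENSITIVE.items() if names & perms}

def webview_flags(source):
    """Return the risky WebView settings switched on in decompiled Java text."""
    return {flag for flag, pat in WEBVIEW_CALLS.items() if re.search(pat, source)}

def triage(manifest_xml, source):
    """Flag the pairing the article describes: SMS access plus a scriptable WebView."""
    groups, flags = sensitive_groups(manifest_xml), webview_flags(source)
    return {"permission_groups": sorted(groups),
            "webview_flags": sorted(flags),
            "sms_plus_webview": "sms" in groups and "javascript" in flags}
if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A hit on `sms_plus_webview` is a reason to look closer, not a verdict: legitimate apps can request SMS access and embed a WebView, so the result should be weighed together with the package name and hashes listed above.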