A cyber campaign targeting customers of Iranian banks has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards and crypto wallets, researchers say.
The campaign first came to light in July, when researchers from Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of four major Iranian banks – Bank Mellat, Bank Saderat, Resalat Bank and Central Bank of Iran.
These apps mimicked legitimate versions found on Cafe Bazaar, a smartphone application marketplace popular in Iran, and were distributed through phishing websites.
Hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages, and stealing financial information.
This week, the US-based cybersecurity firm Zimperium revealed the existence of 245 more apps associated with the same, ongoing campaign that now targets customers of 12 Iranian banks.
In the new campaign, the hackers incorporated additional evasion tactics to fly under the radar and added more capabilities to their malware to make it easier to harvest credentials and steal data.
Besides banks, the attackers have also started probing for data relating to cryptocurrency platforms.
The fake apps have been limited to Android devices, but evidence suggests that the hackers are now likely working on a malware variant that targets iOS devices, the researchers said.
It is not yet clear which threat actor is behind the campaign or how many users have been affected by it.