Fake banking apps laced with malware remain a crucial factor in the success of threat actors. For the Yanbian gang, a criminal group in Yanbian, China that targets organizations across Asia, it’s a skill they have been honing for more than a decade.
Since 2013, the Yanbian Gang has been targeting South Korean Android mobile banking customers with malicious Android apps impersonating major banks, including Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ’s threat research team examined some of the threat group’s most recent activity in this vector to examine their malware of choice as well as the large-scale hosting infrastructure they use to distribute and control it.
Hundreds of Korean language-specific apps were discovered across an extensive list of IP addresses during the researchers’ analysis of Yanbian Android apps. These apps were created to steal information from infected victims, such as loan application details, contacts, SMS messages, phone call details, call logs, and applications currently installed on the device.
Since December 2020, RiskIQ’s analysis has identified 377 individual samples of malicious Android apps developed and distributed by the Yanbian Gang. Many of these apps have multiple versions and set up services to run in the background of victim phones, both of which fit the Yanbian Gang’s known method of operation.
While these apps appear to be simple, they are capable of performing a variety of malicious activities that the victim is unaware of. Yanbian Gang actors obtain information not only about the victim, but also their contacts, installed applications, and even messages sent from the infected device. These apps also have a plethora of permissions that they can potentially abuse for malicious purposes that can be abused for malicious purposes.
One of the discoveries of research was references to various URL paths that led to a specific IP address via HTTP. The Yanbian Gang refers to these paths as “methods,” and they serve as Command and Control (C2), allowing the app to initiate device registration, assess device capabilities, steal information, and receive instructions from specified C2 servers.
Researchers at RiskIQ observed one of the samples communicating using only some of these “methods,” most likely due to the limited amount of data stored in their testing device and its lack of features. These communications were sent to the C2 server via encrypted HTTP POST and GET requests.
The Yanbian Gang continues to target South Korean users with malware, tactics, and targeting similar to that previously reported in 2015. However, the group has evolved to separate infrastructure based on function and to switch hosting providers. Yanbian Gang actively leverages web servers hosting their call-to-action and malicious application delivery, C2 servers, and servers running the Real-Time Messaging Protocol that receive call information, according to RiskIQ.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.