Fake Apps Used to Steal Data, Spy, and Blackmail Users

Fake Apps and Malware Surge Across Asia’s Mobile Networks

Cybersecurity researchers have identified a large-scale mobile malware campaign dubbed SarangTrap, targeting Android and iOS users in South Korea and other parts of Asia. The attackers use fake apps disguised as dating, social networking, cloud storage, and car service platforms to steal sensitive data and exploit victims.

According to the report, the campaign involved more than 250 malicious Android apps and over 80 fake domains, all mimicking legitimate app store pages to lure unsuspecting users.

How SarangTrap Tricks Users

  • Fake Android apps prompt users to enter an invitation code, which activates malicious behavior only after being verified with a command-and-control (C2) server.
  • The app then requests extensive permissions, including access to SMS, contacts, images, and files, under the pretense of offering the advertised features.
  • Gating the malicious behavior behind a server-verified invitation code means sandboxes and antivirus tools that lack a valid code never see it run, helping the malware evade automated analysis.
  • On iOS, users are manipulated into installing a malicious mobile configuration profile that enables the exfiltration of contact data and media files.

Notably, the malware is still evolving, with newer variants focused on data theft and blackmail, including threats to leak personal videos to victims’ families.

Beyond SarangTrap: Telegram Clones and Banking Fraud

In a related campaign, over 600 fake Chinese-language websites are distributing malicious Telegram APKs that exploit a known Android vulnerability (Janus) to bypass signature checks and install backdoored apps capable of real-time data theft and remote control.

Meanwhile, fake financial apps are being used to target:

  • Indian bank customers
  • Bengali-speaking users in the Middle East
  • Vietnamese users through government-themed phishing portals

These applications harvest:

  • Personal identity and banking details
  • SIM card and device metadata
  • Fake transaction inputs to simulate money transfers

One malware family, RedHook, targets Vietnam and uses a WebSocket channel to receive and execute more than 30 remote commands, enabling:

  • Full device takeover
  • Credential theft via keylogging
  • Screen capture using MediaProjection API
  • Overlay attacks through Android’s accessibility features

Modular Malware and Monetization Techniques

The campaigns don’t stop at data theft. Researchers have also discovered malware using:

  • Firebase for C2 operations
  • Call forwarding and silent remote calling
  • Ad fraud by mimicking user behavior or hijacking network traffic

One particularly stealthy tactic involves injecting a malicious payload (origin.apk) into a legitimate app using ApkSignatureKillerEx, so that the tampered app still appears properly signed and passes Android’s signature verification.

Malware-as-a-Service (MaaS): The Dark Web’s Role

New findings reveal that setting up these campaigns is now easier than ever, thanks to MaaS platforms like PhantomOS and Nebula, which offer:

  • 2FA bypass
  • Silent installs
  • GPS tracking
  • Brand-specific phishing overlays
  • Telegram-based support

In addition, underground tools such as Android ADB Scanner, sold for $600–$750, scan for exposed Android Debug Bridge (ADB) ports and silently install malware on the devices they find.

“The commoditization of infected devices has created entire underground markets,” says one researcher.

Services like Valhalla even let cybercriminals buy access to infected devices in bulk, using trojans like ERMAC, Hydra, Hook, and Octo to carry out malicious tasks without needing to spread malware themselves.

Tactics Used by Cybercriminals

  • Social engineering via fake app stores and messaging
  • Psychological manipulation, blackmail, and emotional exploitation
  • Abuse of Android’s legitimate APIs and permissions
  • Malware that bypasses Google Play Protect and AV tools

Recommended Actions

  • Report suspicious domains and apps to relevant platforms
  • Avoid sideloading APKs from unofficial sources
  • Disable installation from unknown sources
  • Inspect app permissions carefully
  • Use mobile security tools with real-time threat detection
  • Enable 2FA and monitor device activity
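The two checks above, avoiding sideloaded APKs and inspecting permissions, can be scripted for a fleet of devices. The following is an added triage script, not code from the article or from any of the researchers it cites; it parses the output formats of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`, and the package and installer names in its sample data are constructed.

```shell
# Hypothetical triage script (added example): lists third-party apps that were
# not installed by the Play Store and, for each, the granted permissions that
# SarangTrap-style apps request under the pretense of app features.

# Permissions the campaign abuses for SMS, contact and media exfiltration.
RISKY_PERMS="android.permission.READ_SMS android.permission.RECEIVE_SMS \
android.permission.READ_CONTACTS android.permission.READ_EXTERNAL_STORAGE \
android.permission.READ_MEDIA_IMAGES android.permission.READ_MEDIA_VIDEO"

# Read `pm list packages -3 -i` output on stdin; print packages whose installer
# is anything other than the Play Store (com.android.vending), including "null".
sideloaded_packages() {
  awk '/^package:/ {
    pkg = $1; sub(/^package:/, "", pkg)
    inst = "null"
    for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
    if (inst != "com.android.vending") print pkg
  }'
}

# Read `dumpsys package <pkg>` output on stdin; print granted permissions that
# appear in RISKY_PERMS (covers both install-time and runtime permission lines).
granted_risky_permissions() {
  awk -v risky="$RISKY_PERMS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    /^[ \t]*android\.permission\.[A-Z0-9_]+: granted=true/ {
      p = $1; sub(/:$/, "", p)
      if (p in want) print p
    }'
}

# Live mode against a USB-connected device: `sh triage.sh --device`.
# `tr -d '\r'` strips the CRLF line endings some adb builds emit.
if [ "${1:-}" = "--device" ]; then
  adb shell pm list packages -3 -i | tr -d '\r' | sideloaded_packages |
  while read -r pkg; do
    perms=$(adb shell dumpsys package "$pkg" | tr -d '\r' |
            granted_risky_permissions | tr '\n' ' ')
    [ -n "$perms" ] && printf '%s: %s\n' "$pkg" "$perms"
  done
fi
```

A Play Store installer is not proof of legitimacy, and a risky permission is not proof of malice; the output is a shortlist of apps worth a manual look, in the order the article's advice suggests.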
