Sucuri has discovered that cybercriminals are exploiting a fake Google reCAPTCHA page to spread banking malware. The criminals rely on impersonation and panic-inducing bait emails to entice victims into downloading the malicious code.
According to the security experts, the malicious PHP file delivered via the email determines which form of malware, either a .zip dropper or an .apk, to download to the visitor’s device.
According to Sucuri, the PHP code decides between the two payloads, a .zip dropper or a malicious .apk, by checking the victim’s browser user agent again. If it detects that the visitor is using Android, it prompts the download of a malicious .apk file to the device. Once installed, the .apk can be used for malicious purposes such as intercepting incoming SMS messages (including those used for two-factor authentication, 2FA), recording audio and stealing credentials. If the code does not detect an Android device, another request is sent to the same file with the parameter “?down” carrying the MD5 sum of the current time, which prompts the download of a malicious .zip with similar characteristics.
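The user-agent fork and the “?down” request described above leave a recognisable footprint in the web server’s own access log, which is where a site owner would look to find out whether their site is hosting the fake reCAPTCHA page. The following is an added example for that check, written for this article; it is not Sucuri’s code nor part of the malware. It assumes Apache/nginx “combined” log format, assumes the parameter takes the form `down=<32 hex characters>` (the article only says the parameter is “?down” with an MD5 sum of the time), and runs over constructed log lines embedded in the script.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (RFC 5737 documentation addresses), not real traffic.
# Line 1: an Android visitor hits the PHP page (the .apk branch in the article).
# Line 2: a non-Android visitor triggers the follow-up "?down=<md5>" request (the .zip branch).
# Lines 3-4: benign look-alikes that must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2019:12:00:01 +0000] "GET /wp-content/uploads/captcha/index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 Chrome/70.0 Mobile Safari/537.36"
203.0.113.10 - - [10/Mar/2019:12:00:03 +0000] "GET /wp-content/uploads/captcha/index.php?down=9e107d9d372bb6826bd81d3542a419d6 HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/72.0 Safari/537.36"
198.51.100.7 - - [10/Mar/2019:12:05:44 +0000] "GET /index.php?page=down HTTP/1.1" 200 4200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"
192.0.2.55 - - [10/Mar/2019:12:07:10 +0000] "GET /wp-content/uploads/captcha/index.php?down=abc HTTP/1.1" 404 210 "-" "curl/7.64.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed shape of the value sent with "?down": an MD5 hex digest (32 hex chars).
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify_platform(ua):
    """Mirror the fork the malicious PHP makes: Android gets the .apk, everything else the .zip."""
    return "android" if "android" in ua.lower() else "other"


def down_md5_value(entry):
    """Return the MD5-looking value of a 'down' parameter on a .php request, else None."""
    if not entry["path"].lower().endswith(".php"):
        return None
    for value in entry["query"].get("down", []):
        if MD5_RE.match(value.lower()):
            return value.lower()
    return None


def scan_log(text):
    """Flag requests matching the '?down=<md5>' follow-up described in the article."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        digest = down_md5_value(entry)
        if digest is None:
            continue
        hits.append({
            "ip": entry["ip"],
            "timestamp": entry["ts"],
            "path": entry["path"],
            "down": digest,
            "status": entry["status"],
            "platform": classify_platform(entry["ua"]),  # which payload branch the victim presented as
        })
    return hits


def suspicious_paths(hits):
    """Distinct PHP paths that served the '?down' beacon; these are the files to inspect on disk."""
    return sorted({h["path"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['ip']} {h['path']} down={h['down']} ({h['platform']}, HTTP {h['status']})")
    print("PHP files to inspect:", suspicious_paths(found))
```

The `?down` beacon is the higher-confidence signal because a legitimate page rarely takes a 32-character hex parameter named `down`; the Android hit on the same PHP path only shows up in the log as an ordinary page view, so the script reports the flagged paths and leaves the on-disk inspection of those PHP files (and a review of other requests to them from Android user agents) to the operator.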