Mobile malware, also known as mobile malicious software, is a type of malware that is specifically designed to target mobile devices, such as smartphones and tablets.
Recently, a group of cybersecurity researchers uncovered a darknet marketplace called InTheBox that is dedicated to selling mobile malware. The person or group behind this criminal platform has been offering high-quality web injects, organized by location, that other malicious actors can buy to launch their attacks.
InTheBox is believed to have been active since at least January 2020, and according to researchers it has become a major source of banking theft and fraud. The quality, quantity, and range of malicious tools available for purchase on InTheBox are impressive to say the least, with over 1,849 different scenarios on offer targeting financial institutions, e-commerce companies, payment systems, online retailers, and social media firms from over 45 countries, including the United States, the United Kingdom, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore.
Organizations targeted by these cybercriminals include Amazon, PayPal, Citi, Bank of America, Wells Fargo, and DBS Bank. In November 2022, the actor behind InTheBox released a significant update, adding almost 144 new web injects and improving their visual design.
According to data collected in Q4 2022 during DFIR (Digital Forensics and Incident Response) engagements with Fortune 500 companies by Resecurity, cybercriminals are particularly successful when attacking mobile apps and using the gained access for financial, identity or information theft.
InTheBox can be accessed over the Tor anonymity network and advertises a variety of web inject templates for sale, with the listing only being accessible after a customer is vetted by the administrator and the account is activated. Some of the Android banking trojans that are supported through the service include Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo. The majority of high-demand injects are related to payment services, including digital banking and cryptocurrency exchangers.
Web injects are packages used in financial malware that leverage the adversary-in-the-browser attack vector to serve malicious HTML or JavaScript code in the form of an overlay screen when victims launch a banking, crypto, payments, e-commerce, email, or social media app.
These pages typically resemble a legitimate bank login page and prompt unsuspecting users to enter confidential data, such as credentials, payment card details, Social Security numbers, and card verification values (CVV), which is then used to compromise the bank account and conduct fraud.