A known vendor of Android mobile web injectable malware, InTheBox, has been increasing their stock of injectibles targeting retail banking, mobile payment systems, cryptocurrency exchanges, and e-commerce apps, a report from Cybernews shared.
An injectable malware uses maliciously crafted code that can be added to the original code of websites and web applications to execute commands and share information with attackers bypassing the existing security systems put in place by the publishers.
Organisations in countries including Brazil, India, Australia, Indonesia, the Philippines, Qatar, Saudi Arabia, Thailand, Japan, and the U.S.A. were found to be affected.
InTheBox, functions like an online marketplace for malware working through the Tor anonymity network to sell malicious codes to cybercriminals. Its shop offers web injects that come in compressed packages and include PNG format app icons and HTML files which contain JavaScript codes responsible for collecting sensitive information. These codes create a malicious overlay to disguise itself as the mobile app’s input form, the report shared.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
Researchers tracking the threat actor shared that the injection of malware begins with an interface that asks the infected user to input their mobile banking details such as ID, password, and mobile numbers. This information can subsequently be used to trick users, using another overlay, into entering their credit and debit card details.
InTheBox shop is known to offer a range of web injectable malware including Alien, Ermac, Octopus, MetaDroid, Cerberus, and Hydra for sale on the dark web.
Researchers at Cyble Research and Intelligence Labs (CRIL), who investigated the threat actors’ movements have advised users to download and install software only from trusted sources like an official app store and avoid opening any links received via messages or emails to ensure their security.
