Authored by Dexter Shin
McAfee’s Mobile Research Team found a new and active Android malware campaign targeting Bengali-speaking users, mainly Bangladeshi people living abroad. The app poses as popular financial services like TapTap Send and AlimaPay. It is distributed through phishing websites and Facebook pages, and the app steals users’ personal and financial information. The campaign remains highly active, with the command-and-control (C2) server operational and linked to several evolving domains. While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities. McAfee Mobile Security already detects this threat as Android/FakeApp. For more information, visit McAfee Mobile Security.
Bangladeshi people living abroad, particularly in countries such as Saudi Arabia, the UAE, Malaysia, and the UK, rely heavily on mobile money services to send remittances and verify their identities for various purposes. Services like bKash, TapTap Send, and AlimaPay are widely used and trusted within this community.
In 2024, annual remittances sent to Bangladesh reached nearly $26.6 billion, ranking sixth globally and third in South Asia. This large flow of cross-border funds highlights the economic importance and digital engagement of the Bangladeshi diaspora.

Figure 1. Top Recipients of Remittances in 2024 (Source: World Bank)
As more people use mobile financial apps, cybercriminals are finding new ways to trick them using fake apps and phishing websites. Many users trust apps shared by friends or family, and some may not know how to spot scams. This makes them easy targets for attackers.
In May 2025, McAfee’s Mobile Research Team identified a malware campaign designed to exploit these conditions. The fake Android app impersonates well-known money transfer services and steals personal information such as the user’s name, email address, phone number, and photo ID (such as a passport or national ID card). It also attempts to collect financial data like card numbers through fake in-app pages. Moreover, the C2 server’s storage is publicly exposed, meaning that the stolen data can be accessed by anyone, which significantly increases the risk of abuse.
Technical Findings
Distribution Methods
Over the past few weeks, these fake apps have continued to appear, suggesting an active and sustained campaign targeting Bengali-speaking users. These apps are primarily distributed through phishing websites that mimic trusted remittance services, often shared via fake Facebook pages.

Figure 2. Screenshot of a phishing website
The page is written entirely in Bengali, mimicking a legitimate remittance service commonly used by Bangladeshi expatriates. Below is a translated excerpt of the main message shown on the landing page:
Bengali (original):
আসসালামু আলাইকুম।
প্রবাসী ভাইদের জন্য সুখবর। যারা কাজের পাশাপাশি বাড়তি আয় করতে চান, তারা বিকাশ, ফ্ল্যাশলোড ব্যবসা করতে পারেন। সম্পূর্ণ বৈধ উপায়ে। আপনার হাতের মধ্যে রয়েছে মোবাইলের মাধ্যমে। মোবাইল ব্যাংকিং করুন খুব সহজেই।
English (translation):
Peace be upon you.
Good news for our brothers living abroad. If you’re looking to earn extra income alongside your job, you can do business with bKash or FlashLoad in a completely legal way. Everything is within your reach through mobile. Mobile banking is very easy.
In addition to phishing websites, the attackers also created fake Facebook pages that closely resemble legitimate remittance services. These pages often reuse official logos, promotional images, and even videos taken from real financial platforms to appear trustworthy. However, the site links on these pages point to phishing websites hosting the malicious app.

Figure 3. Fake Facebook page mimicking a legitimate remittance service
Fake App Analysis
Once installed, the fake app immediately presents an interface that closely resembles a legitimate remittance application. It supports both Bengali and English language options and shows realistic-looking exchange rates.

Figure 4. Initial UI of the fake TapTap Send app
Users can choose from a list of countries with large Bangladeshi expatriate populations, such as Maldives, Dubai, Oman, Saudi Arabia, Malaysia, Canada, and India, to simulate money transfers to Bangladeshi Taka (BDT). These details are likely included to establish trust and make the app appear functional. However, these screens serve as bait to encourage users to proceed with account creation and enter personal information. As users continue through the registration flow, the app requests increasingly sensitive data in several stages. First, it requests the user’s email address and full name. Then, it prompts them to select their country of residence and provide a valid mobile number. Next, users are asked to choose an account type, either “Personal” or “Agent”, a distinction commonly seen in real remittance platforms.

Figure 5. Multi-step registration flow (1)
Following this, the app reaches its most sensitive stage: it asks the user to take and upload a photo of an official ID, such as a passport, national ID (NID), or an e-commerce verification photo. This request is made in the native language and framed as a requirement to complete account setup. After uploading the ID, users are then asked to create a login password and a 5-digit PIN, just like real financial apps. This step makes the app feel more trustworthy and secure, but the collected credentials could later be used in credential stuffing attacks. All of this information is sent to the C2 server and stored, making it available for future fraud or identity theft.

Figure 6. Multi-step registration flow (2)
After completing the registration process, users are taken to a fully designed dashboard. The interface mimics a real financial or remittance app, complete with icons for money transfer, bill payment, mobile banking, and even customer support features.

Figure 7. The fake TapTap Send app’s main dashboard
The malware includes several fake transaction interfaces. These screens simulate mobile money transfers, bill payments, and bank transfers using logos from real services. Although no actual transaction is carried out, the app collects all entered information such as phone numbers, account details, PINs, and payment amounts. This data is then transmitted to the C2 server.

Figure 8. Fake transaction screens that imitate real financial services
C2 Server and Data Exfiltration
All the information collected by the fake app, including credentials, contact details, and photo IDs, is stored on the C2 server. However, the server lacks basic security settings. Directory listing is enabled, which means anyone can access the uploaded files without authentication. During our investigation, we found that one of the C2 domains contained 297 image files. These files appear to be photo IDs uploaded by users during the registration process.
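As an added illustration (not from the McAfee post, and not the C2 server's actual configuration, which the article does not publish), the following nginx fragment shows the one setting that produces a public directory listing of an upload folder, beside a hardened server block that never lists or directly serves uploaded files. Server names, certificate paths, the `/var/www/app` and `/srv/app-uploads/` directories, and the `/protected-uploads/` location are all hypothetical.

```nginx
# Added example, not the article's own code. Hostnames and paths are placeholders.

# WEAK: the upload directory is inside the document root and listing is on,
# so any unauthenticated visitor who requests /uploads/ receives an
# "Index of /uploads/" page and can fetch every stored file.
server {
    listen 80;
    server_name weak.example;          # placeholder
    root /var/www/app;                 # placeholder

    location /uploads/ {
        autoindex on;                  # generates the listing
    }
}

# HARDENED: listing is off (the nginx default, stated explicitly here),
# uploads live outside the document root, and a file is only returned when
# the application issues an internal redirect after checking the caller's
# session. A direct request for /uploads/ gets 403 rather than a file or list.
server {
    listen 443 ssl;
    server_name hardened.example;      # placeholder
    ssl_certificate     /etc/ssl/certs/hardened.example.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/hardened.example.key;  # placeholder path
    root /var/www/app;                 # placeholder
    autoindex off;

    # Reachable only via X-Accel-Redirect from the application, never by URL.
    location /protected-uploads/ {
        internal;
        alias /srv/app-uploads/;       # placeholder: outside the web root
    }

    location /uploads/ {
        return 403;
    }
}
```

Turning `autoindex` off (or `Options -Indexes` in an Apache `<Directory>` block) only removes the index page; files with guessable names remain downloadable if they sit under the document root. That is why the hardened block also moves the files out of the web root and gates each download on an application-side authorization check. `nginx -t` validates the syntax before reloading.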

Figure 9. Publicly accessible directory listing on the C2 server
These ID images contain highly sensitive personal information and are publicly accessible. If downloaded or misused, they could pose a serious privacy and identity theft risk.

Figure 10. Example of a sensitive photo ID image uploaded during app registration

Figure 11. Geographic distribution of infected devices
As expected, telemetry shows activity in countries with large Bangladeshi populations abroad, such as Saudi Arabia, Malaysia, Bangladesh, and the United Arab Emirates. This aligns with the app’s targeting of Bengali-speaking users through culturally familiar language and visuals. The campaign remains active, with new phishing domains and variants continuing to appear. Given the evolving nature of this threat and its use of trusted platforms like Facebook to distribute malicious content, users should remain cautious when encountering financial service promotions through social media or unknown websites. We recommend downloading apps only from trusted sources such as Google Play, avoiding links shared via social media, and being extra careful when asked to provide personal or banking information. Using mobile security software that can detect and block these threats is also strongly advised.
Indicators of Compromise (IOCs)

