Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that’s targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data.
The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs. Users in South Korea appear to be the primary focus.
“This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications,” security researcher Rajat Goyal said.
The bogus domains, which impersonate legitimate app store listing pages, are used as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images, all while keeping up an illusion of legitimacy.
Once installed, the Android apps also prompt the victim to enter an invitation code, after which it’s validated against a command-and-control (C2) server. The app then proceeds to request sensitive permissions that allow it access to SMS messages, contact lists, and files under the pretext of offering the advertised functionality.
Coupling the activation of the malicious behavior to an invitation code is, by turns, clever and sneaky as it allows the malware to evade dynamic analyses and antivirus scans and silently hoover data.
The iOS version of the campaign has been found to entice users into installing a deceptive mobile configuration profile on their device, and then use the configuration to facilitate the app installation to capture contacts, photos, and the photo library.
The campaign is said to be in active development, with new variants of the malware samples limiting themselves to collecting contacts, images, and device information to an external server. There is also evidence that the threat actors behind the activity have resorted to blackmailing victims with threats to share personal videos with family members.
“This unsettling story is not an isolated incident; it highlights the psychological manipulation and social engineering tactics that these campaigns employ to take advantage of emotional vulnerability,” Goyal said.
“Victims are enticed into installing malware with the promise of companionship, only to discover that they are caught in a cycle of surveillance, extortion, and humiliation.”
The disclosure comes in the wake of another campaign that has set up 607 Chinese-language domains to distribute malicious application files (APKs) posing as the Telegram messaging app via a QR code embedded on the site and execute remote commands in real-time to enable data theft, surveillance, and control over the device using the MediaPlayer API.
“The APK was signed with a v1 signature scheme, making it vulnerable to the Janus vulnerability on Android 5.0 – 8.0,” BforeAI said. “This vulnerability allows attackers to craft deceptive applications.”
“After crafting the malicious application, it is then repackaged using its original v1 signature. This modification goes undetected, allowing the compromised app to be installed without causing suspicion. In essence, it enables attackers to make an app more dangerous, redistribute it as an APK, and trick users (especially on older devices) into installing it while completely bypassing security checks.”
Mimicking trusted and popular online platforms has been a successful compromise vector, as evidenced by Android campaigns that are targeting Indian bank customers and Bengali-speaking users, particularly people from Bangladesh living in Saudi Arabia, Malaysia, and the United Arab Emirates, with malicious apps posing as financial services distributed via phishing sites and Facebook pages.
The applications are designed to deceive users into entering their personal information as part of a supposed account creation process, as well as capture data provided by them in the fake transaction interfaces engineered to simulate mobile money transfers, bill payments, and bank transfers. In reality, no actual transaction is carried out.
“While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities,” McAfee Labs researcher Dexter Shin said.
The malware disseminated by impersonating Indian banking services, for its part, leverages Firebase for C2 operations and utilizes phishing pages to mimic genuine user interfaces and harvest a wide range of data, including debit card details and SIM information. It also features call forwarding and remote calling functions.
Another Asian country that has become the target of Android malware attacks is Vietnam, where phishing sites posing as financial and government institutions are being used to propagate a new banking trojan dubbed RedHook.
“It communicates to the command-and-control (C2) server using WebSocket and supports over 30 remote commands, enabling complete control over compromised devices,” Cyble said. “Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group.”
A notable feature of the RedHook is its combination of keylogging and remote access trojan (RAT) capabilities to conduct credential theft and financial fraud. It also abuses Android’s accessibility services to perform overlay attacks and leverages the MediaProjection API to capture screen content.
Although the campaign is new, an exposed AWS S3 bucket used by the threat actor has uncovered uploaded screenshots, fake banking templates, PDF documents, and images detailing the malware’s behavior dating back to November 27, 2024.
“The discovery of RedHook highlights the growing sophistication of Android banking trojans that combine phishing, remote access, and keylogging to carry out financial fraud,” the company added. “By leveraging legitimate Android APIs and abusing accessibility permissions, RedHook stealthily gains deep control over infected devices while remaining under the radar of many security solutions.”
Malicious Android APKs masquerading as popular brands and exploiting social engineering and off-market distribution channels have also been found to siphon data and hijack network traffic for monetization purposes, often with the end goal of simulating user activity to inflate ad metrics or redirect users through affiliate funnels for illicit revenue generation.
Besides incorporating checks for sandboxed and virtualized environments, the apps feature a modular design to turn on advanced functionality at will.
“It leverages the open-source tool ApkSignatureKillerEx to subvert Android’s native signature verification process, allowing the injection of a secondary payload (origin.apk) into the application’s directory,” Trustwave SpiderLabs said. “This effectively reroutes execution to malicious code while preserving the app’s appearance as a legitimate, properly signed package, both to the operating system and users.”
The campaign has not been attributed to any known threat actor or group, although the use of ad fraud tactics suggests a possible connection to Chinese-speaking criminal groups.
That’s not all. New research from iVerify has revealed that setting up new Android-focused campaigns can be as easy as renting a malware-as-a-service (MaaS) kit like PhantomOS or Nebula for a monthly subscription, further lowering the bar for cybercrime.
“Some of these kits come with features 2FA interception, the ability to bypass antivirus software, silent app installs, GPS tracking, and even phishing overlays that are specific to a brand,” researcher Daniel Kelley said. “The platforms come with everything they need, like support through Telegram, backend infrastructure, and built-in ways to get around Google Play Protect.”
Also offered on underground forums are crypters and exploit kits that allow the malware to stay under the radar and spread the infections at scale using social engineering techniques. One such tool is Android ADB Scanner, which looks for open Android Debug Bridge (ADB) ports and pushes a malicious APK file without the victim’s knowledge. The service is available for around $600-$750.
“Perhaps the most interesting development in this ecosystem is the commoditization of infected devices themselves,” Kelley noted. “So-called ‘install’ markets let cybercriminals buy access to already compromised Android devices in bulk.”
Markets such as Valhalla offer devices compromised by banking trojans like ERMAC, Hook, Hydra, and Octo in a chosen country for a fee. This approach obviates the need for attackers to distribute malware or infect devices on their own. Instead, they can just acquire a network of existing bots to carry out activities of their choice.
To mitigate the risks posed by such apps, it’s advised to remain cautious of apps requiring unusual permissions or invitation codes, avoid downloading apps from untrusted sources or unofficial app stores, and periodically review device permissions and installed profiles.
