Researchers have recently discovered a concerning trend in Vietnam where individuals are falling victim to fraudulent apps.

HelloTeacher malware to steal banking data

The motivation behind specifically targeting Vietnamese individuals remains unclear. Nevertheless, scammers are distributing infected messaging applications bearing names of popular messaging apps to deceive and victimize unsuspecting users.

CRIL researchers assigned the name Helloteacher to the Android spyware based on the presence of the term within the source code’s test service.

The data the Helloteacher Malware could steal from devices are as follows:

1. Contacts
2. SMSes
3. Photos
4. Applications installed
5. Taking pictures using the camera
6. Recording the device screen

Applications used by the HelloTeacher malware targeting Vietnamese people

“HelloTeacher malware disguises itself as a popular messaging application like Viber or Kik Messenger, luring its targets into installing the malicious application,” the Cyble blog read.

“The targeted user could be new users of viber or may already be using messaging apps. The source of the malware is unclear but we suspect it could spread via phishing link received via SMS or email,” a CRIL researcher told The Cyber Express.

“Threat Actor may use WhatsApp icon as well to appear legitimate, so user should avoid installing WhatsApp app from any untrusted source.”

The CRIL researcher further advised users to prioritize downloading apps from legitimate sources such as the Google Play Store, among others.

They emphasized the importance of avoiding downloading apps from links shared through messages and encouraged users to be cautious and skeptical of suspicious sources.

Workings of the HelloTeacher malware to steal banking app information

Scammers used a banking trojan to integrate the spyware by abusing an accessibility service. They focused on three Vietnamese bank apps. They were as follows:

1. TPBank Mobile
2. MB Bank
3. VietinBank iPay

The code of the malware aimed to steal the account balance from TPBank Mobile and it was found inputting details in the MB Bank application likely to make transactions without the knowledge of the users.

This module was found to be incomplete and hence led researchers to believe that it was still a work-in-progress malware. The following observations were made by testing the hash value “00c614ce1a21b1339133240403617e9edc9f2afc9df45bfa7de9def31be0930e” –

1. The fraudulent messaging app seeks permission to enable the Accessibility service.
2. It then abuses the permission to further auto-grant itself to other permissions.
3. The app then launches the banking trojan.
4. Along with the above steps, the HelloTeacher malware establishes a connection with the Command and Control server to send the stolen data at – hxxp://api.sixmiss[.]com/abb-api/client/
5. To send device information, the banking trojan in messaging app uses /status in the URL.
6. It uses /log for the malware to send error logs to the C&C server.
7. /data is used to send stolen SMSes, and other data to the hackers.

The HelloTeacher malware targets the information related to the password and username in both English and Vietnamese languages. However, the code for this function was found to be incomplete. The malware can also prevent the uninstallation of the fraudulent app, perform automated gestures, and change the display on the blank screen.

Besides the above functions, the HelloTeacher malware was also found to have a test service called ‘HelloTeacherService’ which was triggered by the AlarmReceiver.

The researchers did not determine the specific functionality of the malware at the time. However, they acknowledged that its coding may be altered by the hackers in the future, potentially revealing more about its capabilities.

The codes also included strings in the Chinese language. This could be pointing toward the origin of the developers of the HelloTeacher malware, or it can be a ploy to distract the researchers.

Mitigation and preventive measures to avoid being targeted by HelloTeacher malware

The CRIL researcher noted some ways users can maintain caution and avoid falling prey to this fraudulent messaging app scam. “One crucial red flag is receiving messaging app downloads from suspicious websites, especially those received through SMS or email,” they told The Cyber Express.

They further added that the APK files must not be downloaded from such sources. “The HelloTeacher malware, for instance, impersonates messaging apps but lacks any legitimate messaging functionality. If a user encounters such a fake app, it is important to promptly uninstall it.”

If users notice that the downloaded messaging app doesn’t function as intended, they should report it to the appropriate officials and app stores. By doing so, they can help in addressing the issue and preventing others from being affected.