Bernard Aybouts - Blog - MiltonMarketing.com

Post: Fake Google reCAPTCHA used to hide Android banking malware

Fake Google reCAPTCHA used to hide Android banking malware. The phishing campaign impersonates Google in attacks against banking institutions and their users.

Researchers have documented a recent phishing campaign targeting online banking users which masquerades as Google in its attempt to steal valuable credentials.

According to cybersecurity researchers from Sucuri, the attack wave against a Polish bank and its users combines impersonation of Google's reCAPTCHA system with panic-eliciting techniques to prompt victims to click on malicious links embedded in scam emails.

The emails in question contain a fake confirmation for a recent transaction, alongside a link to a malicious .PHP file.

Messages sent to would-be victims ask them to ‘verify’ these non-existent transactions by clicking on the link.

This attack method is nothing new, but the next stage is somewhat more unusual. If a victim fails to realize the message is fake and clicks on the link, they are not sent to a standard, fake replica of the bank, but rather the PHP file serves a fake 404 error page.

The page checks the request against a number of specifically defined user-agents, all of them Google crawlers. If the request is not Google crawler-related — in other words, alternative search engines are in use — then the PHP script instead loads a fake Google reCAPTCHA made up of JavaScript and static HTML.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” the researchers say. “It also doesn’t support audio replay, unlike the real version.”

The browser agent is then re-checked to ascertain how the victim has visited the page. A .zip dropper is on offer, alongside a malicious .APK reserved for Android users who fill in the CAPTCHA and download the payload.

Samples of the malware have been uploaded to VirusTotal. The malware is most often found in the wild in its Android form and is able to read a mobile device’s state, location, and contacts; scan and send SMS messages, make phone calls, record audio, and steal other sensitive information.

The Trojan is detected as Banker, BankBot, Evo-gen, Artemis, and more by antivirus software.

In January, researchers from Trend Micro uncovered an interesting campaign relating to the Anubis banking Trojan. The team found two apps in the Google Play store, a currency converter and power saver, which were laden with malware which would only trigger when a user moved their device.

By using motion sensor data as a catalyst for execution, the Trojan attempted to prevent discovery by researchers making use of sandbox environments.


A recently-discovered phishing scam was found peddling malware, using a new technique to mask its malicious landing page: A fake Google reCAPTCHA system.

The campaign targeted a Polish bank and its users with emails, said researchers with Sucuri. These emails contained a link to a malicious PHP file, which eventually downloaded the BankBot malware onto victims’ systems.

This Android-targeted banking malware, first discovered in 2016, is a remotely controlled Android banking trojan capable of stealing banking details by impersonating bank apps, looking at text messages and displaying unsolicited push notifications. In this specific case, BankBot was scooping up various private data, including SMS and call logs, contacts and location, researchers said.

“During a recent investigation, we discovered a malicious file related to a phishing campaign that targeted a Polish bank,” said Luke Leak with Sucuri, in a Thursday analysis. “This campaign employed both the impersonation and panic/bait techniques within an email in order to lure victims into downloading banking malware.”

The emails asked victims for confirmation for a recent transaction, along with a link to a malicious PHP file. Researchers said that users of the bank who saw the email would likely be alarmed that it was asking for confirmation of an unknown transaction, prompting them to click the malicious link.

“This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself,” said Leak. “In most cases, it’s just a replica of the login page for whatever institution they are targeting.”

When the victims clicked on the link, the malicious PHP file would send them a fake “404 error” page. The PHP code then loaded a fake Google reCAPTCHA using a combination of HTML elements and JavaScript. reCAPTCHA is Google’s authentication mechanism used for distinguishing bots from true site users.

The fake reCAPTCHA looks real, and makes victims feel as though the landing page is legitimate, researchers said.

“This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” said Leak. “It also doesn’t support audio replay, unlike the real version.”

The PHP code then determined which form of malware to download on the victim’s device. If the victim uses Android, it would drop a malicious .apk, and if not, it downloaded a .zip dropper.
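The behaviour described above, and in the first half of this post, is user-agent cloaking: the same URL answers Google's crawler with a 404, answers ordinary browsers with the fake reCAPTCHA page, and hands Android clients a binary. For a site owner, that pattern is visible in ordinary web-server access logs, because the status code and response size for one path vary with the client's user-agent. The following Python script is an added example written for this post, not code from Sucuri or from the campaign; the log lines it parses are constructed to model the described behaviour (the path `/wp-content/uploads/x/index.php`, the IPs and the sizes are invented), and `classify_ua`, `parse_log` and `find_cloaked_paths` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format); not taken from the article.
# They model the behaviour described in the text: one PHP path answers Google's
# crawler with a 404, gives ordinary browsers a small page (the fake reCAPTCHA)
# and hands Android clients a multi-megabyte download, while a normal page
# (/about/) answers every client the same way.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2019:10:01:02 +0000] "GET /wp-content/uploads/x/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.11 - - [21/Feb/2019:10:02:14 +0000] "GET /wp-content/uploads/x/index.php HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/72.0 Safari/537.36"
203.0.113.12 - - [21/Feb/2019:10:03:40 +0000] "GET /wp-content/uploads/x/index.php HTTP/1.1" 200 2713455 "-" "Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 Chrome/72.0 Mobile Safari/537.36"
203.0.113.13 - - [21/Feb/2019:10:04:01 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.14 - - [21/Feb/2019:10:04:55 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/72.0 Safari/537.36"
203.0.113.15 - - [21/Feb/2019:10:05:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 Chrome/72.0 Mobile Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_ua(ua):
    """Bucket a user-agent into the three groups the article says the script
    distinguished: Google's crawler, Android clients, everything else."""
    if "Googlebot" in ua or "Google-" in ua:
        return "googlebot"
    if "Android" in ua:
        return "android"
    return "browser"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        records.append({
            "path": m["path"].split("?", 1)[0],   # ignore query strings
            "status": int(m["status"]),
            "size": size,
            "ua_class": classify_ua(m["ua"]),
        })
    return records


def find_cloaked_paths(records, min_download=1_000_000):
    """Return {path: [reasons]} for paths whose response depends on who is asking.

    Two signals are checked, both taken from the article's description:
      * Google's crawler gets a 404 while real browsers get a 200, and
      * Android clients receive a large body (an APK-sized download) that
        other browsers do not.
    """
    by_path = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_path[r["path"]][r["ua_class"]].add((r["status"], r["size"]))

    findings = {}
    for path, classes in by_path.items():
        if len(classes) < 2:
            continue  # nothing to compare against
        reasons = []
        bot = classes.get("googlebot", set())
        humans = set().union(*(v for k, v in classes.items() if k != "googlebot"))
        if bot and humans and all(s == 404 for s, _ in bot) and any(s == 200 for s, _ in humans):
            reasons.append("404 to Google crawler, 200 to browsers")
        android = classes.get("android", set())
        other = classes.get("browser", set())
        if android and other:
            if max(sz for _, sz in android) >= min_download > max(sz for _, sz in other):
                reasons.append("large download served only to Android clients")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in find_cloaked_paths(parse_log(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against a real log, only the injected path shows both signals; a normal page returns the same status and roughly the same size to every client, so it never appears. The 1 MB download threshold is a guess suited to APK-sized payloads and should be tuned to the site's own content.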

Besides “BankBot,” the Android malware is also labeled as “Banker” and “Artemis” on VirusTotal by varying anti-virus programs.

“Shortly after the discovery of the apps trojanized with BankBot on Google Play in the beginning of 2017, we have confirmed that the malicious apps were derived from source code made public on underground forums in December 2016,” said ESET researchers, in an analysis of BankBot. “The public availability of the code has led to a surge in both the number and sophistication of mobile banking trojans.”

Phishing scams have continued to step up their game over the past year, with bad actors continuously updating their methods to become trickier. That includes using new tactics like Google Translate or custom fonts to make the scams seem more legitimate.

Leak said this type of phishing campaign “can cause serious headaches for website owners.”

“The malicious directories used in these campaigns are uploaded to a website after it has been compromised,” said Leak. “When dealing with this type of malware, it is important to delete the files contained in a complaint; however, we strongly encourage administrators to scan all other existing website files and database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again.”
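Leak's advice to scan the rest of the site, not just the reported directory, raises the question of what to scan for. The Python script below is an added example for this post, not Sucuri's tooling or anything from the campaign: it walks a web root and flags PHP files that combine several of the traits this article describes (reading the user-agent, matching Google's crawler, forcing a 404, a reCAPTCHA look-alike, an APK or ZIP hand-off, an Android branch). The indicator list and the threshold of three hits are my own heuristics, not a published signature; the two PHP fixtures it writes to a temporary directory are constructed for the demo and the function names (`scan_php_source`, `scan_webroot`, `build_demo_webroot`) are chosen here.

```python
import os
import re
import tempfile

# Indicator patterns derived from the behaviour this article describes (user-agent
# branching on Google's crawler, a forced 404, a reCAPTCHA look-alike, a payload
# chosen by platform). These are my own heuristics, not a published signature.
INDICATORS = {
    "reads_user_agent": re.compile(r"HTTP_USER_AGENT", re.I),
    "matches_google_crawler": re.compile(r"googlebot|google-", re.I),
    "forces_404": re.compile(r"http_response_code\s*\(\s*404|HTTP/1\.[01]\s+404", re.I),
    "recaptcha_lookalike": re.compile(r"recaptcha", re.I),
    "android_package": re.compile(r"\.apk\b|vnd\.android\.package-archive", re.I),
    "zip_payload": re.compile(r"\.zip\b|application/zip", re.I),
    "branches_on_android": re.compile(r"\bandroid\b", re.I),
}

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7"}


def scan_php_source(source):
    """Return the sorted list of indicator names found in one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def scan_webroot(root, threshold=3):
    """Walk a web root and return [(path, hits)] for PHP files with at least
    `threshold` indicators. A single hit (e.g. a theme reading the user agent for
    analytics) is normal; several together match the described dropper."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if len(hits) >= threshold:
                findings.append((path, hits))
    return sorted(findings)


# Constructed fixtures for the demo: one benign helper, one file that carries the
# indicators described in the article. Neither is real code from the campaign.
BENIGN_PHP = """<?php
// constructed fixture: a theme helper that only records the browser family
$ua = $_SERVER['HTTP_USER_AGENT'];
error_log('visitor: ' . substr($ua, 0, 40));
"""

SUSPECT_PHP = """<?php
// constructed fixture: skeleton with the indicators the article describes; not functional
$ua = $_SERVER['HTTP_USER_AGENT'];
if (stripos($ua, 'Googlebot') !== false) { http_response_code(404); exit; }
$file = (stripos($ua, 'Android') !== false) ? 'update.apk' : 'update.zip';
echo '<div class="g-recaptcha"></div>'; // static look-alike widget
"""


def build_demo_webroot():
    """Write the two fixtures into a temporary web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    layout = {
        os.path.join("wp-content", "themes", "demo", "functions.php"): BENIGN_PHP,
        os.path.join("wp-content", "uploads", "2019", "index.php"): SUSPECT_PHP,
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_webroot(build_demo_webroot()):
        print(path)
        print("  indicators:", ", ".join(hits))
```

Point `scan_webroot` at the real document root instead of the demo directory to use it on a site. Note that a PHP file living under `wp-content/uploads`, where WordPress normally stores media rather than code, is itself worth a look regardless of how many indicators it hits; the scan is a triage aid, and anything it flags still needs to be read by a person.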


About the Author: Bernard Aybout (Virii8)

I am a dedicated technology enthusiast with over 45 years of life experience, passionate about computers, AI, emerging technologies, and their real-world impact. As the founder of my personal blog, MiltonMarketing.com, I explore how AI, health tech, engineering, finance, and other advanced fields leverage innovation—not as a replacement for human expertise, but as a tool to enhance it. My focus is on bridging the gap between cutting-edge technology and practical applications, ensuring ethical, responsible, and transformative use across industries. MiltonMarketing.com is more than just a tech blog—it's a growing platform for expert insights. We welcome qualified writers and industry professionals from IT, AI, healthcare, engineering, HVAC, automotive, finance, and beyond to contribute their knowledge. If you have expertise to share in how AI and technology shape industries while complementing human skills, join us in driving meaningful conversations about the future of innovation. 🚀