Neo_Net cybercrime actor targets users of prominent banks globally

 


A cybercrime threat actor known as Neo_Net stole hundreds of thousands of euros and compromised the personal information of thousands of victims in an Android mobile malware campaign targeting financial institutions globally.

The smishing campaign ran from June 2021 to April 2023 and was focused on Spanish and Chilean banks, including major banks such as Santander, BBVA and CaixaBank. Some other major targets include Deutsche Bank, Crédit Agricole and ING.

“Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims,” SentinelOne researchers said in a blog post.

Neo_Net has significantly expanded his operation, establishing and renting out phishing panels, smishing software, and Android trojans to multiple affiliates. The threat actor has also engaged in sales of compromised victim data to third parties and has launched a Smishing-as-a-Service offering named Ankarex. The platform has been active since at least May 2022.

The multi-stage attack starts with SMS phishing, which uses various scare tactics to trick victims into clicking through to fake landing pages. These pages collect the victims' credentials and exfiltrate them via Telegram.

The threat actor used various techniques to bypass the Multi-Factor Authentication (MFA) mechanisms commonly employed by banking apps, such as tricking the victims into installing a malicious Android app disguised as a security application on their device.

“In reality, these Android trojans functioned as modified versions of the publicly available Android SMS spyware known as SMS Eye. Some threat actors further obfuscated the trojan using public packers to evade detection by anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS messages to a distinct dedicated Telegram chat,” the researchers said.
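The behaviour the researchers describe, an app that reads incoming SMS and forwards it to a Telegram chat, leaves two static traces that can be checked together during APK triage. The sketch below is an added example, not code from SentinelOne or from this article; it assumes the manifest has already been decoded to text XML and the app's strings extracted by the analyst's own tooling, and the function name, sample manifest, sample strings and token placeholder are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Heuristic shape of a Telegram bot token (assumption): numeric id, colon, long secret.
TOKEN_RE = re.compile(r"\b\d{6,}:[A-Za-z0-9_-]{30,}")

def triage(manifest_xml, strings):
    """Flag an app that can read incoming SMS and embeds Telegram Bot API strings."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms = sorted(SMS_PERMS & declared)
    receiver = any(a.get(ANDROID + "name") == SMS_ACTION for a in root.iter("action"))
    endpoint = any("api.telegram.org" in s.lower() for s in strings)
    token = any(TOKEN_RE.search(s) for s in strings)
    return {
        "package": root.get("package"),
        "sms_permissions": perms,
        "sms_receiver": receiver,
        "telegram_endpoint": endpoint,
        "bot_token_like": token,  # boolean only; the secret itself is not echoed
        "suspicious": bool(perms) and (endpoint or token),
    }

# Constructed sample: a fake "security app" manifest and extracted strings.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".SmsListener"><intent-filter>
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application>
</manifest>"""
SAMPLE_STRINGS = ["https://api.telegram.org/bot", "123456789:" + "A" * 35,
                  "/sendMessage?chat_id="]

# Constructed controls: no SMS access, and SMS access without Telegram strings.
NO_SMS_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatclient">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_STRINGS = ["https://example.com/api/v1/status", "Hello"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Because some samples were obfuscated with public packers, a clean result from a string-based check like this does not clear an app; it only prioritises unpacked ones for review.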

The researchers were able to trace Neo_Net’s IP addresses, which indicate that he currently resides in Mexico. Neo_Net mainly operates in Spanish-speaking countries and communicates predominantly in Spanish with his affiliates, although he was also observed communicating with non-Spanish speakers such as “devilteam666”, who offers malicious Google Ads services on his Telegram channel.

