
Authored by Dexter Shin

McAfee’s Mobile Research Team found a new and active Android malware campaign targeting Bengali-speaking users, primarily Bangladeshi people living abroad. The app poses as popular financial services like TapTap Send and AlimaPay. It is distributed through phishing sites and Facebook pages, and the app steals users’ personal and financial information. The campaign remains highly active, with the command-and-control (C2) server operational and associated with several evolving domains. While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities. McAfee Mobile Security already detects this threat as Android/FakeApp. For more information, visit McAfee Mobile Security.

Bangladeshi people living abroad, particularly in countries such as Saudi Arabia, the UAE, Malaysia, and the UK, rely heavily on mobile money services to send remittances and verify their identities for various purposes. Services like bKash, TapTap Send, and AlimaPay are widely used and trusted within this community.

In 2024, annual remittances sent to Bangladesh reached nearly $26.6 billion, ranking sixth globally and third in South Asia. This massive flow of cross-border funds highlights the economic significance and digital engagement of the Bangladeshi diaspora.

Figure 1. Top Recipients of Remittances in 2024 (Source: World Bank)

As more people use mobile financial apps, cybercriminals are finding new ways to trick them using fake apps and phishing websites. Many users trust apps shared by friends or family, and some may not know how to spot scams. This makes them easy targets for attackers.

In May 2025, McAfee’s Mobile Research Team identified a malware campaign designed to exploit these conditions. The fake Android app impersonates well-known money transfer services and steals personal information such as the user’s name, email address, phone number, and photo ID (such as a passport or national ID card). It also attempts to collect financial data like card numbers through fake in-app pages. Moreover, the C2 server’s storage is publicly exposed, meaning the stolen data can be accessed by anyone, which significantly increases the risk of abuse.

Technical Findings

Distribution Methods

Over the past few weeks, these fake apps have continued to appear, suggesting an active and sustained campaign targeting Bengali-speaking users. These apps are primarily distributed through phishing websites that mimic trusted remittance services, often shared via fake Facebook pages.

Figure 2. Screenshot of a phishing website

The page is written entirely in Bengali, mimicking a legitimate remittance service commonly used by Bangladeshi expatriates. Below is a translated excerpt of the main message shown on the landing page:

Bengali (original):

আসসালামু আলাইকুম।

প্রবাসী ভাইদের জন্য সুখবর। যারা কাজের পাশাপাশি বাড়তি আয় করতে চান, তারা বিকাশ, ফ্ল্যাশলোড ব্যবসা করতে পারেন। সম্পূর্ণ বৈধ উপায়ে। আপনার হাতের মধ্যে রয়েছে মোবাইলের মাধ্যমে। মোবাইল ব্যাংকিং করুন খুব সহজেই।

English (translation):

Peace be upon you.

Good news for our brothers living abroad. If you’re looking to earn extra income alongside your job, you can do business with bKash or FlashLoad in a completely legal way. Everything is within your reach through mobile. Mobile banking is very easy.

In addition to phishing websites, the attackers also created fake Facebook pages that closely resemble legitimate remittance services. These pages often reuse official logos, promotional images, and even videos taken from real financial platforms to appear trustworthy. However, the site links on these pages point to phishing websites hosting the malicious app.

Figure 3. Fake Facebook page mimicking a legitimate remittance service

Fake App Analysis

Once installed, the fake app immediately presents an interface that closely resembles a legitimate remittance application. It supports both Bengali and English language options and shows realistic-looking exchange rates.

Figure 4. Initial UI of the fake TapTap Send app

Users can select from a list of countries with large Bangladeshi expatriate populations, such as Maldives, Dubai, Oman, Saudi Arabia, Malaysia, Canada, and India, to simulate money transfers to Bangladeshi Taka (BDT). These details are likely included to establish trust and make the app appear functional. However, these screens serve as bait to encourage users to proceed with account creation and enter personal information. As users proceed through the registration flow, the app requests increasingly sensitive data in several stages. First, it requests the user’s email address and full name. Then, it prompts them to select their country of residence and provide a valid mobile number. Next, users are asked to choose an account type, either “Personal” or “Agent”, a distinction commonly seen in real remittance platforms.

Figure 5. Multi-step registration flow (1)

Following this, the app reaches its most sensitive stage: it asks the user to take and upload a photo of an official ID, such as a passport, national ID (NID), or an e-commerce verification photo. This request is made in the native language and framed as a requirement to complete account setup. After uploading the ID, users are then asked to create a login password and a 5-digit PIN, just like real financial apps. This step makes the app feel more trustworthy and secure, but the collected credentials could later be used in credential stuffing attacks. All of this information is sent to the C2 server and stored, making it available for future fraud or identity theft.

Figure 6. Multi-step registration flow (2)

After completing the registration process, users are taken to a fully designed dashboard. The interface mimics a real financial or remittance app, complete with icons for money transfer, bill payment, mobile banking, and even customer support features.

Figure 7. The fake TapTap Send app’s main dashboard

The malware includes several fake transaction interfaces. These screens simulate mobile money transfers, bill payments, and bank transfers using logos from real services. Although no actual transaction is performed, the app collects all entered information such as phone numbers, account details, PINs, and payment amounts. This data is then transmitted to the C2 server.

Figure 8. Fake transaction screens that imitate real financial services

C2 Server and Data Exfiltration

All the information collected by the fake app, including credentials, contact details, and photo IDs, is stored on the C2 server. However, the server lacks basic security settings. Directory listing is enabled, which means anyone can access the uploaded files without authentication. During our investigation, we found that one of the C2 domains contained 297 image files. These files appear to be photo IDs uploaded by users during the registration process.

Figure 9. Publicly accessible directory listing on the C2 server
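The same misconfiguration, directory listing left on for a directory that receives uploads, is worth auditing on one's own servers. The following is an added example and not code from McAfee's write-up: it parses the HTML an Apache-style autoindex page returns and reports how many files, and how many image files, are reachable without authentication. The listing HTML is constructed for the example; nothing from the campaign's C2 server is reproduced.

```python
import os
from html.parser import HTMLParser
from urllib.parse import unquote

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

# Constructed sample: imitates the Apache-style autoindex page a server
# returns when directory listing is enabled on an upload store. Not captured
# from the campaign's C2 server.
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="nid_1001.jpg">nid_1001.jpg</a>
<a href="passport%201002.png">passport 1002.png</a>
<a href="notes.txt">notes.txt</a>
<a href="thumbs/">thumbs/</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect href values; autoindex pages list every entry as an <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def listing_enabled(html):
    """Heuristic: autoindex pages carry an 'Index of /...' title or heading."""
    return "index of /" in html.lower()


def exposed_files(html):
    """Return file entries, skipping sort links, parent links and subdirectories."""
    collector = _LinkCollector()
    collector.feed(html)
    names = (unquote(h) for h in collector.hrefs)
    return [n for n in names if not n.startswith(("?", "/", "../"))
            and not n.endswith("/") and "://" not in n]


def audit_listing(html):
    """Summarise exposure: whether listing is on, total files, image files."""
    files = exposed_files(html) if listing_enabled(html) else []
    images = [f for f in files if os.path.splitext(f)[1].lower() in IMAGE_EXTENSIONS]
    return {"listing_enabled": listing_enabled(html), "file_count": len(files),
            "image_count": len(images), "images": images}
```

A non-zero image count on a directory that stores identity documents is the finding described above; the fix on the server side is to disable autoindex for that path and require authentication for every read.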

These ID images contain highly sensitive personal information and are publicly accessible. If downloaded or misused, they could pose a serious privacy and identity theft risk.

Figure 10. Example of a sensitive photo ID image uploaded during app registration

Figure 11. Geographic distribution of infected devices

As expected, telemetry shows activity in countries with large Bangladeshi populations abroad, such as Saudi Arabia, Malaysia, Bangladesh, and the United Arab Emirates. This aligns with the app’s targeting of Bengali-speaking users through culturally familiar language and visuals. The campaign remains active, with new phishing domains and variants continuing to appear. Given the evolving nature of this threat and its use of trusted platforms like Facebook to distribute malicious content, users should stay cautious when encountering financial service promotions through social media or unknown websites. We recommend downloading apps only from trusted sources such as Google Play, avoiding links shared via social media, and being extra cautious when asked to provide personal or banking information. Using mobile security software that can detect and block these threats is also strongly advised.

Indicators of Compromise (IOCs)