A sophisticated mobile phishing campaign that targets job seekers and aims to install malware on their phones was revealed Tuesday by security researchers.
The campaign discovered by Zimperium zLabs targets Android mobile phones and aims to distribute a variant of the Antidot banking trojan that the researchers have dubbed AppLite Banker.
“The AppLite banking trojan’s ability to steal credentials from critical applications like banking and cryptocurrency makes this scam highly dangerous,” said Jason Soroko, a senior fellow at Sectigo, a certificate lifecycle management provider in Scottsdale, Ariz.
“As mobile phishing continues to rise, it’s crucial for individuals to remain vigilant about unsolicited job offers and always verify the legitimacy of links before clicking,” he told TechNewsWorld.
“The AppLite banking trojan requires permissions through the phone’s accessibility features,” added James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“If the user is unaware,” he told TechNewsWorld, “they can allow full control over their device, making personal data, GPS location, and other information available for the cybercriminals.”
‘Pig Butchering’ Tactic
In a blog on Zimperium’s website, researcher Vishnu Pratapagiri explained that attackers present themselves as recruiters, luring unsuspecting victims with job offers. As part of their fraudulent hiring process, he continued, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing AppLite.
“The attackers behind this phishing campaign demonstrated a remarkable level of adaptability, leveraging diverse and sophisticated social engineering strategies to target their victims,” Pratapagiri wrote.
A key tactic employed by the attackers involves masquerading as a job recruiter or HR representative from a well-known organization, he continued. Victims are enticed to respond to fraudulent emails carefully crafted to resemble authentic job offers or requests for additional information.
“People are desperate to get a job, so when they see remote work, good pay, good benefits, they text back,” noted Steve Levy, principal talent advisor with DHI Group, a career marketplace for candidates seeking technology-focused roles and employers looking to hire tech talent globally, in Centennial, Colo.
“That starts the snowball rolling,” he told TechNewsWorld. “It’s called pig butchering. Farmers will fatten a pig little by little, so when it’s time to cook it, they’re really big and juicy.”
After the initial communication, Pratapagiri explained, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device.
[Figure: diagram of the AppLite malware attack sequence] Illustration of one of the methods employed to distribute and execute the AppLite malware on the victim’s mobile device. (Credit: Zimperium)
Dramatic Shift to Mobile Attacks
Stephen Kowski, field CTO at SlashNext, a computer and network security company in Pleasanton, Calif., noted that the AppLite campaign represents a sophisticated evolution of techniques first seen in Operation Dream Job, a global campaign run in 2023 by the infamous North Korean Lazarus group.
While the original Operation Dream Job used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploit mobile vulnerabilities through fraudulent job application pages and banking trojans, he explained.
“The dramatic shift to mobile-first attacks is evidenced by the fact that 82% of phishing sites now specifically target mobile devices, with 76% using HTTPS to appear legitimate,” he told TechNewsWorld.
“The threat actors have refined their social engineering tactics, moving beyond simple document-based malware to deploy sophisticated mobile banking trojans that can steal credentials and compromise personal data, demonstrating how these campaigns continue to evolve and adapt to exploit new attack surfaces,” Kowski explained.
“Our internal data shows that users are four times more likely to click on malicious emails when using mobile devices compared to desktops,” added Mika Aalto, co-founder and CEO of Hoxhunt, a provider of enterprise security awareness solutions in Helsinki.
“What’s even more concerning is that mobile users tend to click on these malicious emails at an even larger rate during the late night hours or very early in the morning, which suggests that people are more vulnerable to attacks on mobile when their defenses are down,” he told TechNewsWorld. “Attackers are clearly aware of this and are continually evolving their tactics to exploit these vulnerabilities.”
This new wave of cyber scams underscores the evolving tactics used by cybercriminals to exploit job seekers who are motivated to make a prospective employer happy, observed Soroko.
“By capitalizing on individuals’ trust in legitimate-looking job offers, attackers can infect mobile devices with sophisticated malware that targets financial data,” he said. “The use of Android devices, in particular, highlights the growing trend of mobile-specific phishing campaigns.”
“Be careful what you sideload on an Android device,” he cautioned.
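The two warning signs raised above, an app that has been granted accessibility-service access and an app that was sideloaded rather than installed from a store, can be checked together from a device connected over adb. The triage script below is an added example written for this page, not code from Zimperium or from the reporting; it assumes the output formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/class` entries) and `adb shell pm list packages -i` (`package:<name>  installer=<pkg or null>`), and it uses constructed sample output, a hypothetical package name `com.example.crm.app`, and an assumed allowlist of expected accessibility services so that it runs offline.

```python
import re
from typing import Dict, List

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# A legitimate screen reader plus a hypothetical sideloaded "CRM" app
# (com.example.crm.app is an invented name, not a real package).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.crm.app/.SupportService"
)

# Constructed sample output of:
#   adb shell pm list packages -i
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.crm.app  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Assumed allowlist: accessibility services the organisation expects to see enabled.
KNOWN_SERVICE_PACKAGES = {"com.google.android.marvin.talkback"}
# Assumed set of installer packages treated as "from a store"; installer=null means sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> List[str]:
    """Return the package names in an enabled_accessibility_services value.

    Entries are colon-separated `package/class`; the class may be abbreviated
    as `/.Class`. An empty value or the literal 'null' means nothing is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for entry in raw.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg:
            packages.append(pkg)
    return packages


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    pattern = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
    installers = {}
    for line in raw.splitlines():
        match = pattern.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def triage(enabled_raw: str, pm_raw: str,
           known=KNOWN_SERVICE_PACKAGES, trusted=TRUSTED_INSTALLERS) -> List[dict]:
    """Flag enabled accessibility services that are not on the allowlist.

    Severity is 'high' when the package was also sideloaded (installer not in
    the trusted set, or unknown) and 'medium' when it came from a trusted store.
    """
    installers = parse_installers(pm_raw)
    findings = []
    for pkg in parse_enabled_services(enabled_raw):
        if pkg in known:
            continue
        installer = installers.get(pkg, "unknown")
        sideloaded = installer not in trusted
        findings.append({
            "package": pkg,
            "installer": installer,
            "severity": "high" if sideloaded else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST):
        print(f"[{finding['severity']}] {finding['package']} "
              f"(installer={finding['installer']}) has accessibility access")
```

On a real device, feed the two adb commands' output into `triage()`; a non-allowlisted service whose installer is `null` is the combination the article describes, a sideloaded app that has been granted accessibility control, and is worth inspecting before the user does anything else with the phone.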
Enterprises Need Protection, Too
DHI’s Levy noted that attacks on job seekers aren’t limited to mobile phones. “I don’t think this is simply relegated to mobile phones,” he said. “We’re seeing this on all the social platforms. We’re seeing this on LinkedIn, Facebook, TikTok, and Instagram.”
“Not only are these scams common, they’re very insidious,” he declared. “They prey on the emotional situation of job seekers.”
“I probably get three to four of these text inquiries a week,” he continued. “They all go into my junk folder automatically. These are the new versions of the Nigerian prince emails that ask you to send them $1,000, and they’ll give you $10 million back.”
Beyond mimicking enterprise companies, AppLite can also masquerade as Chrome and TikTok apps, and its capabilities range from access to individual applications to full device takeover.
“The level of access provided [to] the attackers could also include corporate credentials, application, and data if the device was used by the user for remote work or access for their existing employer,” Pratapagiri wrote.
“As mobile devices have become essential to business operations, securing them is crucial, especially to protect against the large variety of different types of phishing attacks, including these sophisticated mobile-targeted phishing attempts,” said Patrick Tiquet, vice president for security and architecture of Keeper Security, a password management and online storage company, in Chicago.
“Organizations should implement robust mobile device management policies, ensuring that both corporate-issued and BYOD devices comply with security standards,” he told TechNewsWorld. “Regular updates to both devices and security software will ensure that vulnerabilities are promptly patched, safeguarding against known threats that target mobile users.”
Aalto also recommended the adoption of human risk management (HRM) platforms to tackle the growing sophistication of mobile phishing attacks.
“When a new attack is reported by an employee, the HRM platform learns to automatically find future similar attacks,” he said. “By integrating HRM, organizations can create a more resilient security culture where users become active defenders against mobile phishing and smishing attacks.”