Attackers posing as job recruiters have launched a mobile-targeted phishing (mishing) campaign that tricks victims into downloading a malicious dropper, which installs an updated variant of the Antidot banking trojan on their Android mobile devices.
Researchers at Zimperium Labs said in a Dec. 10 post that the banking trojan variant, dubbed "AppLite Banker," gives the attackers access to corporate credentials, applications, and data when an employee uses the device for remote access to their employer's systems.
The researchers said that, along with its ability to mimic enterprise companies, AppLite Banker also masquerades as the Chrome and TikTok apps, demonstrating its wide-ranging target vectors, including full device takeover and application access.
Here’s how it works: Android users are lured into clicking on a link that takes them to a seemingly legitimate job application page. However, instead of landing their dream job, they unknowingly download the malicious dropper application. AppLite Banker then infiltrates their mobile devices, stealing sensitive financial information and compromising personal data.
This latest mobile-targeted phishing campaign represents a sophisticated evolution of techniques first seen in the Iranian Dream Job Campaign, now adapted for the mobile era, explained Stephen Kowski, Field CTO at SlashNext Email Security.
Kowski said while the original "Dream Job" campaign used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploit mobile vulnerabilities through fraudulent job application pages and banking trojans.
“The threat actors have refined their social-engineering tactics, moving beyond simple document-based malware to deploy sophisticated mobile banking trojans that can steal credentials and compromise personal data, demonstrating how these campaigns continue to evolve and adapt to exploit new attack surfaces,” said Kowski.
Jason Soroko, senior fellow at Sectigo, added that this new wave of cyber scams underscores the evolving tactics used by cybercriminals to exploit job seekers who are motivated to make a prospective employer happy. By capitalizing on an individual’s trust in legitimate-looking job offers, attackers can infect mobile devices with sophisticated malware that targets financial data.
“The use of Android devices highlights the growing trend of mobile-specific phishing campaigns,” said Soroko. “The AppLite banking trojan’s ability to steal credentials from critical applications like banking and cryptocurrency makes this scam highly dangerous. As mobile phishing continues to rise, it’s crucial for individuals to remain vigilant about unsolicited job offers and always verify the legitimacy of links before clicking.”