PETALING JAYA: Maybank has released an alert urging customers to refer to an advisory by the Malaysia Computer Emergency Response Team (MyCert) about the latest fraud campaign, known as SMSSpy, which is targeting Internet users in the country.

According to MyCert, cybercriminals are using the Android malware to steal victims’ online banking credentials.

“Once installed, this malicious app is able to view any SMS sent to the mobile phone, which includes obtaining TAC numbers to perform Internet banking transactions,” Maybank said in the post on Facebook.

ALSO READ: Bank scams increasingly targeting mobile users, says cybersecurity firm

A report by cybersecurity research firm WeLiveSecurity claimed that SMSSpy targeted Malaysian users exclusively when it was first identified in late 2021. It added that a campaign was launched to target customers of popular banks in Malaysia by exploiting the trend of online shopping via smartphones.

“Instead of phishing for banking credentials on websites, the threat actors have introduced Android applications into the chain of compromise, thus making sure they have access to 2FA (two-factor authentication) SMS messages the victim is likely to receive,” WeLiveSecurity said in its report.

To convince users to download the malicious app, MyCert said cybercriminals will typically pose as a person from a law enforcement agency and call victims to inform them that they have been involved in a criminal activity and that their accounts will be frozen.

ALSO READ: 75-year-old in SG lost S$1mil in China officials impersonation scam

The victim will then be told to pay a sum of money to unfreeze their accounts, and thus instructed to download the malicious app to complete the payment process.

MyCert added that cybercriminals are also deploying fake websites impersonating legitimate companies and placing ads on Facebook to persuade potential victims to visit these malicious websites, which aim to trick potential victims into both downloading the malicious Android malware and divulging their personal banking information.

According to MyCert, all eight fake websites impersonated services only available in Malaysia to target victims, namely Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy, MaidACall, MyMaidKL and Petsmore.

To avoid financial losses and disclosure of personal data, MyCert urged smartphone users to always verify an application’s permissions and the app’s author or publisher before installing it, and to never click on suspicious links sent via SMS or messaging services.

Users should also only download apps from a trusted app marketplace and ensure their device’s operating system and apps are updated regularly. They are also urged to contact Cyber999 for any enquiries or assistance related to this threat.