A threat actor named InTheBox is promoting on Russian cybercrime forums an inventory of 1,894 web injects (overlays of phishing windows) for stealing credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps.
The overlays are compatible with various Android banking malware and mimic apps operated by major organizations used in dozens of countries on almost all continents.
The availability of these overlays in such numbers and at low prices allows cybercriminals to focus on other parts of their campaigns and on development of the malware, and to widen their attacks to other regions.
Typically, mobile banking trojans check what apps are present on an infected device and pull from the command and control server the web injects corresponding to the apps of interest.
When the victim launches a target app, the malware automatically loads the overlay that mimics the interface of the legitimate product.
InTheBox provides up-to-date injects for hundreds of apps, researchers at threat intelligence company Cyble discovered.