Job seekers are targeted in mobile phishing campaigns

Security researchers on Tuesday revealed a sophisticated mobile phishing campaign targeting job seekers to install dangerous malicious software on their phones.

expedition discovered by Zimperium zLabs targets Android mobile phones and aims to distribute a variant of the Antidote banking trojan that researchers have dubbed Applite Banker.

“The Applight Banking Trojan’s ability to steal credentials from critical applications like banking and cryptocurrencies makes this scam extremely dangerous,” said Jason Soroko, a senior fellow. SectigoA certification lifecycle management provider in Scottsdale, Ariz.

He told TechNewsWorld, “As mobile phishing continues to increase, it is crucial for individuals to be wary of unsolicited job offers and always verify the validity of links before clicking.

“Applite Banking Trojans require permissions through the phone’s accessibility features,” added James McQuigan, security awareness advocate. KnowBe4Security Awareness Training Provider in Clearwater, Fla.

“If users are not aware, they can allow cybercriminals complete control over their devices by making personal data, GPS location and other information available,” he told TechNewsWorld.

The ‘pig butcher’ strategy

In a blog on Zimperium’s website, researcher Vishnu Pratapgiri explains that attackers pose as recruiters, luring unsuspecting victims with job offers. As part of their fraudulent recruitment process, he continued, phishing campaigns trick victims into downloading a malicious application that acts as a dropper, eventually installing AppLite.

“The attackers behind these phishing campaigns have demonstrated a remarkable level of adaptability, using diverse and sophisticated social engineering techniques to target their victims,” ​​Pratapgiri wrote.

A key tactic employed by attackers is masquerading as a job recruiter or HR representative of a well-known organization, he continued. Victims are lured into responding to fraudulent emails, carefully crafted to resemble genuine job offers or requests for additional information.

“People are desperate to get a job, so when they see remote work, good pay, good benefits, they text again,” notes Steve Levy, chief talent advisor. DHI GroupTechnology-focused roles and employers in Centennial, Colo., are a career marketplace for candidates seeking to hire global technology talent.

“It started the snowball rolling,” he told TechNewsWorld. “It’s called pig butchering. Farmers will fatten up a pig little by little, so when it’s time to cook it, they’re really big and juicy.”

After initial contact, Pratapgiri explained that threat actors directed victims to download a purported CRM Android application. While appearing legitimate, this application acts as a malicious dropper, facilitating the placement of the initial payload on the victim’s device.

An example of one of the methods employed to distribute and execute AppLite malware on a victim’s mobile device. (Credit: Zimperium)

Dramatic shift in mobile attacks

Stephen Kowsky, Field CTO Slash NextA computer and network security firm in Pleasanton, Calif., noted that the AppLite campaign represents a sophisticated evolution of tactics first seen in Operation Dream Job, a global campaign conducted in 2023 by the notorious North Korean Lazarus group.

While the original Operation Dream Job used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploiting mobile vulnerabilities through fraudulent job application pages and banking trojans, he explained.

“The dramatic shift in mobile-first attacks is evidenced by the fact that 82% of phishing sites now specifically target mobile devices, of which 76% appear to be legitimate using HTTPS,” he told TechNewsWorld.

“Threat actors have refined their social engineering techniques, moving beyond simple document-based malware to deploy sophisticated mobile banking trojans that can steal credentials and compromise personal data, demonstrating how these campaigns continue to evolve and exploit new attack areas. can adapt,” Kowsky explained

“Our internal data shows that users are four times more likely to click on malicious emails when using a mobile device compared to a desktop,” added Mika Aalto, co-founder and CEO. HawkhuntEnterprise security awareness solutions provider in Helsinki.

“Even more concerning is that mobile users tend to click on these malicious emails at a greater rate late at night or early in the morning, suggesting that people are more vulnerable to mobile attacks when their defenses are weak,” he told TechNewsWorld. “Attackers are clearly aware of this and are constantly developing their tactics to exploit these vulnerabilities.”

This new wave of cyber scams underscores the growing number of techniques used by cybercriminals to exploit job seekers who are motivated to please a potential employer, observed Soroko.

“By capitalizing on individuals’ trust in legitimate happiness job offers, attackers can infect mobile devices with sophisticated malware that targets financial data,” he said. “The use of Android devices, in particular, highlights the growing trend of mobile-specific phishing campaigns.”

“Be careful what you sideload on an Android device,” he warns.

Enterprises need protection, too

DHI’s Levy noted that attacks on job seekers are not limited to mobile phones. “I don’t think it’s just assigned to mobile phones,” he said. “We are seeing this across all social platforms. We’re seeing it on LinkedIn, Facebook, TikTok and Instagram.”

“These scams are not only common, they are very insidious,” he declared. “They prey on the mental state of job seekers.”

“I probably get three to four of these text searches a week,” he continued. “They all automatically go to my junk folder. These are the new versions of emails from Nigerian princes asking you to send them $1,000 and they’ll give you back $10 million.”

Beyond its ability to impersonate enterprise companies, AppLite can also masquerade as Chrome and TikTok apps, displaying a wide range of target vectors, including full device takeover and application access.

“The level of access granted to attackers may include corporate credentials, applications and data if the device is used by the user for remote work or access to their existing employer,” Pratapgiri wrote.

“As mobile devices become essential to business operations, securing them is critical, especially to protect against a variety of phishing attacks, including these sophisticated mobile-targeted phishing efforts,” said Patrick Ticket, vice president of security and architecture at keeper securityA password management and online storage company in Chicago.

“Organizations should implement robust mobile device management policies, ensuring that both corporate-issued and BYOD devices adhere to security standards,” he told TechNewsWorld. “Regular updates to both devices and security software will ensure that vulnerabilities are patched promptly, protecting against known threats that target mobile users.”

Aalto recommends adopting human risk management (HRM) platforms to combat the increasing sophistication of mobile phishing attacks.

“When a new attack is reported by an employee, the HRM platform learns to automatically detect future similar attacks,” he said. “By integrating HRM, organizations can create a more resilient security culture where users become active defenders against mobile phishing and smishing attacks.”