Over 1,800 Android phishing forms for sale on cybercrime market
A threat actor named InTheBox is promoting an inventory of 1,894 web injects on Russian cybercrime forums. The injects are built for stealing credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps.
Typically, mobile banking trojans check what apps are present on an infected device and pull from the command and control server the web injects corresponding to the apps of interest.
InTheBox provides up-to-date injects for hundreds of apps, researchers at threat intelligence company Cyble discovered.
InTheBox's web inject packages include app icon PNGs and an HTML file with JavaScript code that collects the victim's credentials and other sensitive data.
InTheBox has been selling web injects for Android malware since February 2020, constantly adding new pages that target more banks and financial apps.
Cyble was able to confirm that InTheBox's web injects have been used by the 'Coper' and the 'Alien' Android trojans in 2021 and September 2022, respectively, while the most recent campaign occurred in January 2023 and targeted Spanish banks.