The threat actors are targeting Australian banks and digital currency wallets. This new version of the malware also seems to target hiring sites’ mobile apps, and it adds dynamic loading of webviews: it can receive a command to create a webview targeting specific domains, while fetching the necessary injections from a remote server. It also appears to be targeting credentials used on the Australian government’s official web portal.
During the activation cycle, the malware now asks the user to update their credit card information without immediately showing a panel for the user to provide the information. Instead, it waits for the user to do so and, leveraging the Android Accessibility API, harvests the information.