The internet is a dark and dangerous place, and it just got a little bit darker. InTheBox, a notorious threat actor, is making waves in the Russian cybercrime world. Android phishing is on boom. They are offering a massive inventory of web injects to steal credentials and sensitive data from unsuspecting victims. This latest threat is no joke. It’s imperative that everyone take a closer look at what this notorious hacker is offering.

According to researchers at threat intelligence company, Cyble, InTheBox is offering a staggering 1,894 web injects (overlays of phishing windows). These are compatible with various Android banking malware. These overlays mimic popular banking, cryptocurrency exchange, and e-commerce apps. It is in use by dozens of countries on almost all continents. This type of attack is becoming increasingly common. It’s important to be aware of the tactics that these cybercriminals use.

Mobile banking trojans have been on the rise, and InTheBox is making it easier for cybercriminals to steal your information. When the malware infects a device, it checks what apps are present and pulls the web injects corresponding to the apps of interest. When the victim launches the target app, the malware automatically loads the overlay. It tmimics the interface of the legitimate product. InTheBox provides up-to-date injects for hundreds of apps, making it easier for cybercriminals to focus on other parts of their campaigns, such as the development of the malware and expanding their attack to other regions.

Android phishing: Types of web inject packages

InTheBox is offering three different web inject packages, each targeting different malware for android phising. The packages include 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for $6,512. 495 web injects compatible with Cerberus for $3,960, and 585 web injects compatible with Hydra for $4,680. If you don’t want to buy an entire package, InTheBox also sells web injects individually for $30 each. The shop even allows users to order custom injects for any malware. This means that no matter what Android banking trojan you’re using, InTheBox has got you covered.

The web injects by InTheBox include app icon PNGs and an HTML file with JavaScript code. It collects the victim’s credentials and other sensitive data. In most cases, the injects feature a second overlay that requests the user to enter credit card numbers, expiration dates, and CVV numbers. This information is then sent to a server controlled by the operator of the Android banking trojan. To make matters worse, InTheBox’s injects can check the validity of the credit card numbers entered by victims using the Luhn algorithm, which helps Android malware operators filter out invalid data.

InTheBox has been selling web injects for Android malware since February 2020 and has been constantly adding new pages that target more banks and financial apps. In fact, Cyble was able to confirm that InTheBox’s web injects have been used by the ‘Coper’ and the ‘Alien’ Android trojans in 2021 and September 2022, respectively. The most recent campaign occurred in January 2023 and targeted Spanish banks. This shows that InTheBox’s web injects are not only effective but also in high demand.