{"id":76941,"date":"2017-08-28T01:10:26","date_gmt":"2017-08-28T08:10:26","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=76941"},"modified":"2025-05-27T20:42:02","modified_gmt":"2025-05-28T03:42:02","slug":"android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/","title":{"rendered":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea"},"content":{"rendered":"<p>Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS phishing messages (also known as smishing) that try to lure them into clicking on shortened URLs. For example, the following message asks the user to click on the link to check if a private picture has been leaked:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77029\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png\" alt=\"\" width=\"480\" height=\"328\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png 480w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1-300x205.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/p>\n<p><em>Figure <\/em><em>1<\/em><em>: <\/em><em>Text in Korean: &#8220;Why is your picture here? 
Click to find out.&#8221; Source: <\/em><a href=\"http:\/\/kin.naver.com\/qna\/detail.nhn?d1id=1&amp;dirId=1070402&amp;docId=280303005&amp;qb=7Iqk66+47IuxIOusuOyekA==&amp;enc=utf8&amp;section=kin&amp;rank=19&amp;search_sort=0&amp;spq=1\"><em>Naver<\/em><\/a><em>.<\/em><\/p>\n<p>Another example of this ongoing phishing campaign is the following text message:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77030\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-2.png\" alt=\"\" width=\"500\" height=\"196\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-2.png 500w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-2-300x118.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p><em>Figure <\/em><em>2<\/em><em>: <\/em><em>&#8220;You are in the news! Please check.&#8221; Source: <\/em><a href=\"http:\/\/kin.naver.com\/qna\/detail.nhn?d1id=1&amp;dirId=106&amp;docId=280447384&amp;qb=7Iqk66+47IuxIOusuOyekA==&amp;enc=utf8&amp;section=kin&amp;rank=13&amp;search_sort=0&amp;spq=1\"><em>Naver<\/em><\/a><em>.<\/em><\/p>\n<p>When the victim clicks on the shortened URL using an Android device, a JavaScript script on the web server checks the user agent of the browser and shows an alert message asking to update Chrome to a new version, which is in fact a malicious fake Chrome Android app:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77031 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-3-300x148.png\" alt=\"\" width=\"300\" height=\"148\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-3-300x148.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-3.png 665w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><em>Figure 3: <\/em><em>Fake 
alert message: \u201cA new version of Chrome has been released with enhanced features. Please use it after updating.\u201d<\/em><\/p>\n<p>If the URL is accessed by any other device (such as an iPad), the web server redirects the user to a security page of Naver, a popular search engine and portal site in South Korea.<\/p>\n<p>This malware, which McAfee Labs has named Android\/MoqHao, has many capabilities:<\/p>\n<ul>\n<li>Sends phishing SMS messages to contacts listed in the infected device.<\/li>\n<li>Leaks sensitive information, such as received SMS messages, to a remote server.<\/li>\n<li>Installs Android apps provided by the control server.<\/li>\n<li>Executes remote commands from the control server and returns results.<\/li>\n<li>Attempts to gather sensitive information via a local Google phishing website.<\/li>\n<\/ul>\n<h2><strong>Technical analysis<\/strong><\/h2>\n<p>When the downloaded APK is installed by the victim\u2014who must ignore suspicious permissions requested by the app such as \u201cdirectly call phone numbers,\u201d \u201cread your contacts,\u201d or \u201cread your text messages\u201d\u2014Android\/MoqHao attempts to achieve persistence by asking every second for device administrator privileges. 
Once on board, a fake icon briefly appears on the home screen before it is hidden by the malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77032\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-4.png\" alt=\"\" width=\"307\" height=\"189\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-4.png 307w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-4-300x185.png 300w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/p>\n<p><em>Figure 4: <\/em><em>Legitimate and fake (a little bigger) Chrome icons on the home screen.<\/em><\/p>\n<p>After hiding the malicious app, Android\/MoqHao Base64-decodes a bin file in the assets folder of the APK and dynamically loads the decoded DEX. Inside the loaded classes are malicious behaviors that compromise the victim\u2019s device.<\/p>\n<p>First, Android\/MoqHao dynamically registers a broadcast receiver for various system events such as new package install, screen state, SMS messages, and so on. This broadcast receiver spies on the device and sends device status information to the control server.<\/p>\n<p>Next, Android\/MoqHao connects to the first-stage remote server. 
The IP for second-stage control server communication is dynamically retrieved from the user profile page of Chinese search engine Baidu:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77033\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-5.png\" alt=\"\" width=\"1028\" height=\"399\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-5.png 1028w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-5-300x116.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-5-768x298.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-5-1024x397.png 1024w\" sizes=\"auto, (max-width: 1028px) 100vw, 1028px\" \/><\/p>\n<p><em>Figure 5:<\/em><em> Control (C&amp;C) server IP address and port retrieval process.<\/em><\/p>\n<p>The following Baidu user profiles are known to have control server IP and port numbers hidden in the profile description:<\/p>\n<ul>\n<li>haoxingfu88: Haoxingfu (\u201cso happy\u201d in Chinese, \u597d\u5e78\u798f)<\/li>\n<li>ceshi9875: Ceshi (\u201ctest,\u201d \u6d4b\u8bd5)<\/li>\n<li>womenhao183527: Hao (\u201cgood,\u201d \u597d)<\/li>\n<li>dajiahao188384: Dajiahao (\u201chello everyone,\u201d \u5927\u5bb6\u597d)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77034 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-6.png\" alt=\"\" width=\"603\" height=\"245\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-6.png 603w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-6-300x122.png 300w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/a><\/p>\n<p><em>Figure 6: 
<\/em><em>Baidu profile pages known to store control server IP and port information.<\/em><\/p>\n<p>When connected to the second-stage server, Android\/MoqHao sends a \u201chello\u201d message containing the following device information:<\/p>\n<ul>\n<li>UUID<\/li>\n<li>Device ID (IMEI)<\/li>\n<li>Android version<\/li>\n<li>Device product name, build ID string<\/li>\n<li>Whether the device is rooted<\/li>\n<li>SIM status<\/li>\n<li>Phone number<\/li>\n<li>Registered accounts<\/li>\n<\/ul>\n<p>The following information is periodically sent to the server with message type \u201cstate\u201d after phone state changes and related events:<\/p>\n<ul>\n<li>Network operator name<\/li>\n<li>Network type (LTE, GPRS)<\/li>\n<li>MAC address<\/li>\n<li>Current battery level<\/li>\n<li>Wi-Fi signal level<\/li>\n<li>Is device admin?<\/li>\n<li>Is current package ignoring battery optimization?<\/li>\n<li>Is screen off?<\/li>\n<li>Ringer mode<\/li>\n<\/ul>\n<p>When the device receives a new SMS message, the contents and sender address are sent to the control server. If a specially formatted SMS message is received, Android\/MoqHao parses it and uses the contents for special purposes such as setting the SMS forwarding address \u201cfs\u201d field or the \u201caccount\u201d field, which are used to access the Baidu profile page and dynamically extract the control server IP address and port number.<\/p>\n<p>After Android\/MoqHao is successfully installed and has connected to the control server, the malware waits for additional commands.<\/p>\n<h2><strong>Fake updates to Korean banking apps<\/strong><\/h2>\n<p>Android\/MoqHao checks whether major Korean bank apps are installed and downloads relevant fake or Trojanized versions from the control server. 
We saw similar functionality in an Android banking Trojan distributed via smishing that targeted customers of Korean banks in <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/phishing-attack-replaces-android-banking-apps-with-malware\/\">June 2013<\/a> but, unlike Android\/MoqHao, the malware from 2013 carried the phishing apps inside the APK file instead of downloading them.<\/p>\n<p>After the fake or Trojanized banking apps are downloaded, an alert dialog tells the victim that the new version is available and that the app needs to be updated:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77035\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7.png\" alt=\"\" width=\"1464\" height=\"632\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7.png 1464w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7-300x130.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7-768x332.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7-1024x442.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-7-1158x500.png 1158w\" sizes=\"auto, (max-width: 1464px) 100vw, 1464px\" \/><\/p>\n<p><em>Figure 7: <\/em><em>Alert dialog: \u201cA new version has been released. Please use after reinstallation.\u201d<\/em><\/p>\n<p>Once the malicious app is installed, it deletes the legitimate app. 
The malware checks for the following apps:<\/p>\n<ul>\n<li>wooribank.pib.smart<\/li>\n<li>kbstar.kbbank<\/li>\n<li>ibk.neobanking<\/li>\n<li>sc.danb.scbankapp<\/li>\n<li>shinhan.sbanking<\/li>\n<li>hanabank.ebk.channel.android.hananbank<\/li>\n<li>smart<\/li>\n<li>epost.psf.sdsi<\/li>\n<li>kftc.kjbsmb<\/li>\n<li>smg.spbs<\/li>\n<\/ul>\n<p>During our analysis of this threat, when Android\/MoqHao requests the download of a specific fake or Trojanized banking app, the control server responds with an error. Affected users in South Korea have not reported downloads or attempted installation of additional APK files. This suggests that the fake update functionality is probably not implemented or is at least not currently used by the malware authors.<\/p>\n<h2><strong>Local HTTP server serving phishing website<\/strong><\/h2>\n<p>Unlike Android banking Trojans that use WebViews to load phishing URLs or display overlay screens to obtain banking credentials, Android\/MoqHao includes <a href=\"https:\/\/github.com\/storytellersoftware\/java-httpserver\">java-httpserver<\/a> to host a phishing page that opens in the default browser once the user clicks on the fake alert message:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77036 size-medium\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-8-300x268.png\" alt=\"\" width=\"300\" height=\"268\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-8-300x268.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-8-768x686.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-8-560x500.png 560w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-8.png 861w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><em>Figure 8: <\/em><em>Alert message: \u201cYour Google identity is at risk. 
Please use it after you certify yourself.\u201d<\/em><\/p>\n<p>The phishing page asks the victim to submit the name and birthday of the Google account. This is sent to the local HTTP server by POST. The local server then sends the stolen information to the control server.<\/p>\n<h2><strong>Control server communication<\/strong><\/h2>\n<p>Android\/MoqHao communicates with the control server by opening a WebSocket and sending JSON-RPC calls back and forth. Both the malware and control server implement RPC functions of their own. Commands implemented in Android\/MoqHao:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77037\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9.png\" alt=\"\" width=\"1025\" height=\"507\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9.png 1025w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9-300x148.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9-768x380.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9-1024x507.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-9-1011x500.png 1011w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><em>Figure 9: <\/em><em>Client commands.<\/em><\/p>\n<p>The control server appears to implement the following RPC functions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77038\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-10.png\" alt=\"\" width=\"1025\" height=\"234\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-10.png 1025w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-10-300x68.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-10-768x175.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-10-1024x234.png 1024w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><em>Figure 10: <\/em><em>Server commands.<\/em><\/p>\n<h2><strong>Evolution<\/strong><\/h2>\n<p>The first version of Android\/MoqHao that we have seen appeared in January. It seems to be a test version of the payload (encoded DEX in assets folder) because:<\/p>\n<ul>\n<li>The APK file has no resources (such as the Chrome icon or specific strings).<\/li>\n<li>The package name is v3.example.com.loader.<\/li>\n<li>The label of the app is \u201cTest.\u201d<\/li>\n<\/ul>\n<p>In February an updated version included the dropper and persistence functionality. However, this also seems to be a test version of the dropper component of the malware because:<\/p>\n<ul>\n<li>The main package of the app is com.example.<\/li>\n<li>The file activity_main.xml inside the APK is the default with the string \u201cHello World!\u201d<\/li>\n<\/ul>\n<p>In March another test version used the app name \ubc14\uc774\ub7ec\uc2a4 \ud14c\uc2a4\ud2b8 (Virus Test) and some functionality (for example, startService) was implemented in a native library. 
The first variant of the current version, described in our analysis, appeared in May and was actively distributed during the past two months.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77039\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-11.png\" alt=\"\" width=\"897\" height=\"353\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-11.png 897w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-11-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-11-768x302.png 768w\" sizes=\"auto, (max-width: 897px) 100vw, 897px\" \/><\/p>\n<p><em>Figure 11: <\/em><em>Android\/MoqHao evolution.<\/em><\/p>\n<h2><strong>Connection with DNS tampering campaign in May 2015<\/strong><\/h2>\n<p>In May 2015 users in South Korea <a href=\"https:\/\/productforums.google.com\/forum\/#!topic\/chrome-ko\/eFE9QRLvBdM;context-place=forum\/chrome-ko\">reported<\/a> a phishing message appearing in the default web browser when they attempted to access the Internet. Blogger nopsled <a href=\"http:\/\/nopsled.tistory.com\/128\">confirmed<\/a> that users saw the notification because the routers of the victims were hacked (via DNS redirection) due to poor configuration (such as a default user ID and password). 
The phishing message is very similar to those used to spread Android\/MoqHao, pretending to be a new Chrome version and asking the user to update it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77040\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-12.png\" alt=\"\" width=\"383\" height=\"228\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-12.png 383w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-12-300x179.png 300w\" sizes=\"auto, (max-width: 383px) 100vw, 383px\" \/><\/p>\n<p><em>Figure 12: Phishing message from 2015: \u201cThe latest version of chrome has been released. Please use it after update.\u201d Source: <a href=\"http:\/\/nopsled.tistory.com\/128\">nopsled<\/a>.<\/em><\/p>\n<p>The Android malware from May 2015 and Android\/MoqHao have completely different code bases but they share some similar behaviors and functionality:<\/p>\n<ul>\n<li>Extracting the control server\u2019s IP from Chinese websites (qzone and Baidu) by parsing a specific field in the HTML code.<\/li>\n<li>Using the same phishing message to trick users into installing a fake banking app.<\/li>\n<li>Using similar hidden folders in the SD card to store the downloaded fake banking apps.<\/li>\n<li>The same log messages.<\/li>\n<\/ul>\n<p>The similarities between the 2015 and 2017 phishing campaigns suggest the same cybercriminals are responsible, and that they have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component as well as the dynamically loaded payload.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>The smishing campaign currently targeting South Korean users shows that phishing SMS messages are still a popular vector for Android malware. 
This fake Chrome APK distributed via SMS messages shows that Android\/MoqHao is a threat that has been in development since early this year. Similar campaigns from 2015 suggest that they are the work of an organized cybercriminal group.<\/p>\n<p>To protect yourselves from this threat, employ security software on your mobile device and do not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android\/MoqHao and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit <a href=\"http:\/\/www.mcafeemobilesecurity.com\">http:\/\/www.mcafeemobilesecurity.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,214,4185],"coauthors":[3973],"class_list":["post-76941","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-mobile-security1","tag-phishing"],"acf":[],"yoast_head_json":{"title":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea | McAfee Blog","description":"Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also known as smishing) to lure","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea | McAfee Blog","og_description":"Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also known as smishing) to lure","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-08-28T08:10:26+00:00","article_modified_time":"2025-05-28T03:42:02+00:00","og_image":[{"width":480,"height":328,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png","type":"image\/png"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written 
by":"McAfee","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea","datePublished":"2017-08-28T08:10:26+00:00","dateModified":"2025-05-28T03:42:02+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/"},"wordCount":1582,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png","keywords":["android","mobile security","Phishing"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/","name":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png","datePublished":"2017-08-28T08:10:26+00:00","dateModified":"2025-05-28T03:42:02+00:00","description":"Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also known as smishing) to lure","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/08\/20170823-MoqHao-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-moqhao-spreading-via-sms-phishing-south-korea\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee 
Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for 
everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/76941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=76941"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/76941\/revisions"}],"predecessor-version":[{"id":214516,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/76941\/revisions\/214516"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=76941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=76941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=76941"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=76941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}