It is 2022 and global society is more digital than ever before. Arguably spurred on by the recent global pandemic, more and more people are shopping online, using online applications and keeping their money in bank accounts rather than in cash. Malaysian society is no exception!

A recent Hacker News article dated April 6, 2022 reported that hackers have been distributing fake shopping apps aimed at exploiting customers of eight Malaysian banks since November 2021. Given the growing number of Malaysians hopping onto the online shopping bandwagon, it's no surprise hackers have found this guise quite effective.

Essentially, these hackers are using fraudulent but legitimate-looking websites to trick users into downloading fake shopping applications. To appear credible, they build sites impersonating well-established and trusted Malaysian companies such as Maid4u, GrabMaid and many more.

According to Slovak cybersecurity firm ESET, “The threat actors use these fake e-shop applications to phish for banking credentials.” They go on to add that “the apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank.” The targeted banks include major Malaysian banks such as Maybank, Affin Bank, Public Bank Berhad and CIMB Bank.

In a nutshell, this is how the scheme works: the websites are marketed through Facebook ads and push visitors to download the fake e-shopping applications, supposedly through Google Play, but instead redirect them to servers under the hackers' control. Once launched, the fake apps let users sign in and place fake orders. Following this, users are faced with a full checkout process and a direct transfer option.

The apps are also designed to be able to access and transmit all SMS messages in case bank accounts are secured by two-factor authentication. ESET malware researcher Lukas Stefanko found that “users are presented with a fake FPX payment page and asked to choose their bank out of the eight Malaysian banks provided”. 

As soon as they enter their credentials, the entire purpose of the campaign is fulfilled and the hackers have access to the users’ bank credentials.
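The SMS forwarding described above leaves a visible trace: an Android app cannot read incoming text messages without declaring the SMS permissions in its manifest, which a shopping app has little reason to request. The following is an added example, not code from ESET or the original article, that flags that combination. It assumes the manifest has already been decoded to plain XML, and the package name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app receive or read the user's text messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample: decoded manifest of a hypothetical "shopping" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Example Shop"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def triage(manifest_xml):
    """Flag apps that can read SMS and also reach the network."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "sms_permissions": sms,
        # Reading SMS plus network access is what forwarding 2FA codes needs.
        "can_forward_sms": bool(sms) and NETWORK_PERMISSION in perms,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A positive result is a reason to look closer, not proof of malice, since some legitimate apps request SMS access for their own features.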

Given the scale this scheme has reached, impersonating trusted companies and defrauding customers of some of the most trusted banks in Malaysia, anyone can fall victim to one of these scams without realising it. This is why it is imperative that Malaysians seek the assistance of professionals equipped with the knowledge and expertise to detect such scams and prevent users from falling victim.

Our advice for the general public is to stay cautious when using the Internet for shopping and online banking. Verify that applications and websites are legitimate by checking them thoroughly against the original websites and applications before making any online transactions.


Condition Zebra is a leading B2B cyber security company. Our cybersecurity team is equipped with the relevant knowledge and expertise to not only resolve hacking incidents but also prevent them from turning into a great loss. Do not hesitate to reach out to us to protect and secure your company's IT infrastructure, such as networks, servers, web and mobile apps and others.

Learn about our online distance training:

Network Penetration Testing is suitable for participants that have prior experience in setting up, managing or securing an organization network.

Web Penetration Testing is suitable for participants who have basic programming language knowledge and prior experience in managing, developing or testing web applications.


1). Hackers distributing fake shopping apps to steal banking data of Malaysian Users, Ravie Lakshmanan (April 6, 2022)
