Malaysia's national CERT has flagged an active Android banking-trojan campaign that goes after online banking users with three different disguises but the same account-takeover objective: stealing banking credentials, intercepting OTP/TAC codes and enabling unauthorised transactions. In an advisory published on 6 June 2026 (MA-1451.062026), MyCERT says the operation runs under three social-engineering brands — Delivery4U, KerjaExpress and MaxTag — that all deliver the same trojan, which it attributes to the RizalProtect / RizalVA malware family. Per the advisory, Maybank (MAE) and CIMB (Octo) users are the most consistently targeted, with several other banks and the Touch 'n Go eWallet assessed as targets.

The structure is the part worth understanding. According to MyCERT, the brand name is only the wrapper: Delivery4U leans on parcel and courier lures, KerjaExpress on job-seeker scams, and MaxTag on fake app-store or app-update prompts — three ways to reach three different victim groups, all funnelling into one banking trojan. Treating these as three separate threats is the mistake the campaign is built to encourage.

How the attack actually works

MyCERT describes a four-stage infection chain that starts with the oldest trick on mobile: a sideloaded app and a permission grant. A victim is persuaded to install a brand-lure APK from a link — not from an official store — and is then induced to grant the Android Accessibility Service. That single grant is the hinge of the whole attack; Accessibility access is what lets the malware read the screen, automate taps, and drive overlays.

From there, the advisory says the malware pulls down further stages (one disguised as a PNG image) until the full banking remote-access trojan is running. Its capabilities, as described by MyCERT, are a catalogue of account-takeover tooling: fake login overlays that harvest banking credentials, device locking via a PIN or pattern overlay, on-device cryptocurrency mining, and exfiltration of SMS, contacts, screen recordings and audio. Critically for anyone relying on SMS one-time passwords, the apps can "bypass two-factor authentication by intercepting OTP or TAC SMS messages" — meaning the second factor most Malaysian banks still lean on is in scope. The malware also suppresses caller-ID apps such as Truecaller and Whoscall, which MyCERT assesses is intended to support follow-on voice-phishing calls.

MyCERT distributes the family across variants tagged COD, New, DIS, PROMO and UP, each with a different packer and capability set — useful detail for analysts, because the packer effectively fingerprints the variant before you ever decrypt the payload. The affected platform is Android 8.0 (API 26) and above, and exposure depends on installing the APK from outside official app stores.

Not a one-off — the latest in a sustained run

The specific campaign appears freshly disclosed by MyCERT and, as of writing, has not been independently reported elsewhere, so the technical specifics rest on MyCERT's analysis. But it lands in a well-documented pattern. Independent vendor Group-IB, reporting on CraxsRAT in July 2024, described a separate Android malware campaign that primarily targeted banking organisations in Malaysia and impersonated local delivery, logistics, retail and consumer brands — the same brand-impersonation-plus-Accessibility playbook MyCERT now describes under different branding. Malaysian banks have also been responding at the platform level. The Association of Banks in Malaysia said in August 2024 that member banks, including Maybank and CIMB, had enabled malware-shielding capabilities that can detect high-risk malware scenarios such as malicious APK files and suspicious remote-monitoring access, and may warn or stop customers from banking on compromised devices.

The takeaway is that this is not an exotic new threat so much as a more modular, multi-brand iteration of one Malaysia has been fighting for years — which is precisely why the defensive advice is behavioural rather than brand-specific.

What to do now

Banking customers

  • Install Android apps only from official stores. Treat any parcel-tracking, job-offer, discount or "update your app" message that asks you to download an APK as hostile.

  • Never grant Accessibility permission to an app claiming to be a bank, courier, job platform or app-update service. That prompt is the attack.

  • If a device starts showing unexpected lock screens, overheating or rapid battery drain after an install, disconnect it from the network, stop all banking, and contact your bank and Cyber999.

Financial institutions

  • Block the C2 indicators MyCERT lists — including hosts 209.92.170.40, 142.91.101.182 and 195.160.221.203:8080 — at egress, and load the advisory's APK hashes into mobile threat-defence blocklists.

  • Prioritise detection for overlay attacks and OTP/TAC interception against Maybank MAE and CIMB Octo users, and brief fraud and contact-centre teams on vishing that may exploit caller-ID suppression.

Security operations

  • Hunt for the campaign's shared fingerprints: MyCERT cites a single operator DeviceID (22356) and a shared payload-ZIP password across variants, plus the four-stage chain that drops a stage disguised as a PNG.

  • Flag any APK that combines Accessibility, package-install, SMS-read and overlay permissions, and watch for on-device writes to the app_mph_dex/classes.dex artefact path MyCERT documents. Use the full IOC and packer tables in the advisory for the complete set.
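One way to apply the permission-combination rule above, as an added example that is not code from MyCERT or the advisory: it assumes the AndroidManifest.xml has already been decoded out of the APK (for instance with apktool), and the sample manifest it checks is constructed for illustration.

```python
# Added example (not MyCERT's code): flag a decoded AndroidManifest.xml
# that combines the four capabilities the advisory singles out.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime permissions for the install, SMS-read and overlay capabilities.
BUCKETS = {
    "install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_capabilities(manifest_xml: str) -> set[str]:
    """Return which of the four risky capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {bucket for bucket, perms in BUCKETS.items() if requested & perms}
    # Accessibility is not a <uses-permission>: it is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE whose intent filter names the a11y action.
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == BIND_A11Y and ACCESSIBILITY_ACTION in actions:
            found.add("accessibility")
    return found


def is_suspicious(manifest_xml: str) -> bool:
    """True only when accessibility, install, SMS and overlay all co-occur."""
    return manifest_capabilities(manifest_xml) >= {"accessibility", "install", "sms", "overlay"}


# Constructed sample manifest in the shape of a lure app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

A legitimate banking or courier app will rarely declare all four together, so the co-occurrence rule is a useful triage signal; treat a hit as a reason to inspect the APK, not as proof on its own.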

Key Takeaways

  • MyCERT's 6 June advisory (MA-1451.062026) describes an active Android banking-trojan campaign using three lures — Delivery4U, KerjaExpress, MaxTag — delivering one family (RizalProtect / RizalVA).

  • It steals banking credentials via overlays, intercepts OTP/TAC SMS to defeat 2FA, can lock the device and mine cryptocurrency, and targets Maybank MAE and CIMB Octo users most consistently.

  • The attack hinges on sideloading an APK and granting Accessibility on Android 8.0+; the brand is just the wrapper.

  • Defend behaviourally: block MyCERT's C2 and hash IOCs, hunt the shared DeviceID 22356, and flag apps combining Accessibility, SMS-read, install and overlay permissions. The specifics are MyCERT's analysis and were not independently corroborated at publication.