
Mobile bankers were distributed on Google Play under the guise of weather applications

Analysts in our virus lab found two variants of the Android/Spy.Banker banking trojan on Google Play. The trojan was distributed under the guise of legitimate weather-forecast applications.


The first version, a trojan imitating the Good Weather app, appeared in the store on February 4 and was removed two days later, after a request from ESET. It targeted 22 banking applications used in Turkey. In those two days the fake app was downloaded by up to 5,000 users.

The second version, masquerading as World Weather, appeared on February 14 and was distributed until February 20 inclusive. Its functionality was unchanged from the first variant, but the target list grew to 69 applications of British, Austrian, German and Turkish banks. Following ESET's request the malicious apps were removed, and on February 23 the hosting provider took the C&C server offline.

Functionality

At installation the trojan requests permission to intercept text messages. It then asks for device administrator rights, which give it the ability to change the screen-lock password and to lock the screen. With these capabilities in hand, the trojan is ready for malicious activity.

The trojan replicates the main function of the legitimate app: it adds a weather widget to the home screen. In the background, meanwhile, it sends device information to the C&C server.

The trojan also has a notification feature, used once it has established contact with the C&C server. It can push fake notifications to the infected device, styled as "important messages" from the relevant bank, prompting the user to open one of the targeted banking apps.

When the user launches a targeted app, the trojan overlays a fake login and password form on top of it and sends the entered credentials to the C&C server. The SMS interception capability lets the attackers bypass SMS-based two-factor authentication.

We assume the screen-lock capability is used in the next stage, when the attackers cash out the compromised account, to keep the victim from noticing the theft while it happens.

Open source

Further analysis of the trojan led to an interesting discovery: both versions are built on open source code that had been published on the web. A template for an Android bot, described by its authors as "written from scratch", has been available on a Russian-language forum since December 19, 2016.

We found that Doctor Web had analysed an earlier version of this trojan; our products have detected it as Android/Spy.Banker.HH since December 26, 2016. That early variant is not directly related to the versions we found on Google Play, despite sharing a detection name. We confirmed this by accessing the C&C server's control panel (see below) and collecting data on the trojan versions in use, which had infected more than 2,800 devices.

Notably, the C&C server, in operation since February 2, 2017, was accessible without any authentication to anyone who knew its URL.

Prevention

For completeness, here are the basic precautions against infection with a mobile banker.

Google Play has security mechanisms intended to keep malware out of the store. They are not always successful, as this case shows, but third-party download sites offer no such vetting at all. Download apps from the official store whenever possible.

When installing an app, and again when first running it, pay attention to the permissions it requests. If a request is not directly related to the app's stated function (a weather app has no reason to receive SMS messages or to administer the device), refuse to install it or, at the very least, read the user reviews first.

Use a reliable antivirus product for Android.

If the malicious app is already installed, you can remove it with a mobile antivirus or uninstall it manually, after first revoking its device administrator rights: Android will not let you uninstall an app while it is still an active device administrator.
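The permission check above can be automated for triage. The following script is an added example, not code from the original article or from ESET: it parses a decoded AndroidManifest.xml (the plain-XML form produced by `apktool d`) and flags the capability combination described in the Functionality section, an SMS-receiving permission and receiver plus a device-administrator receiver in an app whose stated purpose is a weather widget. The SMS and device-admin indicators follow the article; the overlay and foreground-watching permissions are my assumption about how a fake login screen is usually drawn over the real banking app, since the article does not name the permissions used for that. Both manifests are constructed samples with hypothetical package names.

```python
# Added example: triage a decoded AndroidManifest.xml for mobile-banker
# indicators. Not code from the article or from ESET.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# SMS and device-admin indicators follow the behaviour the article describes.
# Overlay / foreground-watch permissions are an assumption about how a fake
# login screen is drawn over the real app; the article does not name them.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND_WATCH_PERMS = {"android.permission.GET_TASKS",
                          "android.permission.PACKAGE_USAGE_STATS"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def _a(elem, name):
    """Read an attribute from the android: XML namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return package name, sorted indicator list and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    findings = set()

    if perms & SMS_PERMS:
        findings.add("sms-permission")
    if perms & OVERLAY_PERMS:
        findings.add("overlay-permission")
    if perms & FOREGROUND_WATCH_PERMS:
        findings.add("foreground-app-watch")

    for rcv in root.iter("receiver"):
        actions = {_a(act, "name") for act in rcv.iter("action")}
        # Device-admin receiver: the hook behind "asks for administrator rights"
        # and the screen-lock control described in the article.
        if _a(rcv, "permission") == DEVICE_ADMIN_PERM or DEVICE_ADMIN_ACTION in actions:
            findings.add("device-admin-receiver")
        # SMS receiver; a maximal filter priority is the classic interception setup.
        if SMS_RECEIVED_ACTION in actions:
            findings.add("sms-receiver")
            for flt in rcv.iter("intent-filter"):
                prio = _a(flt, "priority")
                if prio is not None and int(prio, 0) >= 999:
                    findings.add("high-priority-sms-receiver")

    # SMS access + device admin + a way to draw over other apps is the full
    # credential-theft toolkit; that combination drives the verdict.
    if {"sms-permission", "device-admin-receiver"} <= findings and (
            findings & {"overlay-permission", "foreground-app-watch"}):
        verdict = "banker-like"
    elif findings:
        verdict = "review"
    else:
        verdict = "no banker indicators"
    return {"package": root.get("package"),
            "findings": sorted(findings), "verdict": verdict}


# Constructed sample manifests (hypothetical package names), trimmed to the
# elements the triage inspects.
BENIGN_WEATHER_MANIFEST = """<manifest xmlns:android="%s" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application>
    <receiver android:name=".WidgetProvider">
      <intent-filter><action android:name="android.appwidget.action.APPWIDGET_UPDATE"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

FAKE_WEATHER_MANIFEST = """<manifest xmlns:android="%s" package="com.example.fakeweather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".WidgetProvider">
      <intent-filter><action android:name="android.appwidget.action.APPWIDGET_UPDATE"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for manifest in (BENIGN_WEATHER_MANIFEST, FAKE_WEATHER_MANIFEST):
        print(triage_manifest(manifest))
```

The benign manifest produces no indicators; the fake one is reported as banker-like, with the high-priority SMS receiver and the device-admin receiver both listed. The heuristic is deliberately strict on the combination rather than on any single permission, since legitimate SMS or device-management apps will trip individual checks; those land in the "review" bucket rather than being flagged outright.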

Detection by ESET products:

Source: https://habr.com/ru/post/323068/
