Researchers at security company ESET have uncovered a new strain of Android malware that can steal the login credentials of mobile banking users.
Active users of mobile banking apps should be aware of a new Android banking trojan campaign targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, detected by ESET security products as Android/Spy.Agent.SI, can steal login credentials from 20 mobile banking apps. The list of target banks includes the largest banks in each of the three target countries.
Using the stolen credentials, thieves can then log in to the victim’s account remotely and transfer money out. They can also instruct the malware to forward every SMS text message received by the infected device to them and then delete those messages from the device.
“This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device’s owner,” says Lukáš Štefanko, ESET Malware Researcher specializing in Android malware.
The Trojan spreads by imitating a Flash Player application, with a legitimate-looking icon. After being downloaded and installed, the app requests device administrator rights to protect itself from being easily uninstalled. After that, the malware checks whether any target banking applications are installed on the device. If it finds any, it loads fake login screens for each banking app from its command and control server. When the victim launches a banking app, a fake login screen appears over the top of the legitimate app, leaving the screen locked until the victim submits their banking credentials.
The malicious APK was available on several servers, which were registered in late January and February 2016. Interestingly, the URL paths to the malicious APK files are regenerated each hour, presumably to avoid URL-based detection by antivirus software.
Malicious sites hosting Android/Spy.Agent.SI
Named Android/Spy.Agent.SI, the malware presents victims with a fake version of the login screen of their banking application and locks the screen until they enter their username and password.
After downloading and installing the app, the user is requested to grant the application device administrator rights. This self-defense mechanism prevents the malware from being uninstalled from the device. The Flash Player icon is then hidden from the user’s view, but the malware remains active in the background.
After that, the malware communicates with a remote server. Communication between the client and the server is base64-encoded. First, the malware sends device information such as model type, IMEI number, language, SDK version and whether device administrator rights have been activated. This information is sent to the server every 25 seconds. The malware then gathers the package names of installed applications (including mobile banking apps) and sends them to the remote server. If any of the installed apps are targets of the malware, the server sends a full list of 49 target apps, although not all of these are directly attacked.
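The beacon behaviour described above (base64-encoded device information posted every 25 seconds) lends itself to a network-side detection heuristic. The following is an added Python example, not code from ESET or from the article; the JSON layout of the beacon body, the proxy log format, the hosts and client addresses, and the jitter tolerance are constructed assumptions.

```python
import base64
import binascii
import json
import statistics
from datetime import datetime, timedelta

# Field names the article says the beacon carries; the JSON layout is an assumption.
BEACON_FIELDS = {"model", "imei", "lang", "sdk", "admin"}
BEACON_PERIOD_S = 25          # interval reported in the article
PERIOD_TOLERANCE_S = 3        # hypothetical slack for network jitter

def _constructed_log():
    """Build constructed proxy log tuples (timestamp, client_ip, host, body) offline."""
    t0 = datetime(2016, 2, 10, 9, 0, 0)
    beacon = {"model": "Nexus 5", "imei": "000000000000000", "lang": "en", "sdk": 22, "admin": True}
    body = base64.b64encode(json.dumps(beacon).encode()).decode()
    rows = [(t0 + timedelta(seconds=25 * i), "10.0.0.7", "example-c2.invalid", body) for i in range(6)]
    # Unrelated traffic from another client: base64 too, but no device-info keys and no rhythm.
    rows.append((t0 + timedelta(seconds=4), "10.0.0.9", "cdn.example.net", base64.b64encode(b'{"page":1}').decode()))
    rows.append((t0 + timedelta(seconds=61), "10.0.0.9", "cdn.example.net", "not-base64!!"))
    return sorted(rows)

def decode_beacon(body):
    """Return the decoded dict if body is base64-encoded JSON carrying the beacon fields, else None."""
    try:
        data = json.loads(base64.b64decode(body, validate=True))
    except (binascii.Error, ValueError):
        return None
    if isinstance(data, dict) and BEACON_FIELDS <= set(data):
        return data
    return None

def find_beaconing(rows):
    """Group beacon-shaped posts per (client, host) and flag pairs with a ~25 s cadence."""
    times = {}
    for ts, client, host, body in rows:
        if decode_beacon(body) is not None:
            times.setdefault((client, host), []).append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < 4:          # too few samples to call it periodic
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if abs(statistics.median(gaps) - BEACON_PERIOD_S) <= PERIOD_TOLERANCE_S:
            hits[key] = {"count": len(ts_list), "median_gap_s": statistics.median(gaps)}
    return hits
```

Calling `find_beaconing(_constructed_log())` flags only the 10.0.0.7 client, with six beacons at a median gap of 25 seconds; the decoy traffic is ignored because its bodies carry none of the device-info keys.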
The malware manifests itself as an overlay, appearing over the launched banking application: this phishing activity behaves like a lock screen, which can’t be dismissed until the user enters their login credentials. The malware does not validate the credentials entered; it simply sends them to a remote server, at which point the malicious overlay closes. The malware does not focus only on mobile banking apps: it also tries to obtain Google account credentials.
The malware is also said to be subject to ongoing development. While its first versions were simple, and their malicious purpose easily identifiable, the most up-to-date versions feature better obfuscation and encryption.
If a target application is launched, the malware is triggered and a fake login screen overlays the original mobile banking one, with no option to close it.
After the user fills in their personal data, the fake screen closes and the legitimate mobile banking is shown.
As mentioned earlier, all the information exchanged between the device and server is encoded, except for the stolen credentials, which are sent in plain text.
The malware can even bypass 2FA (two-factor authentication) by sending all received text messages to the server, if requested. This allows the attacker to intercept all SMS text messages from the bank and immediately remove them from the client device, so as not to attract any suspicion.
Additional details about the campaign, the malware used and – most importantly – how to remove this malicious application from devices can be found in Lukáš Štefanko’s analysis on ESET’s official IT security blog, WeLiveSecurity.com.