Weekly Executive Summary Week Ending April 21, 2017
By Joseph Lorenz on April 24, 2017
What is it? Android Banking Trojan
What has it been dubbed? BankBot
What does it do?
The source code of an Android banking trojan was leaked on an underground hacking forum, together with detailed instructions for using it. The trojan is used to siphon money from its victims' bank accounts. It attempts to obtain device administrator privileges so that it can control the device, and it has been distributed disguised as various programs on the Google Play Store (e.g., fake Google apps carrying the Play Store icon).
Once the malware obtains these privileges it can hide its presence by removing the application's icon from the home screen while it keeps running in the background. BankBot then stays out of sight until the victim opens a mobile banking or social media app; at that moment a phishing overlay is drawn on top of the legitimate app to trick the victim into re-entering login credentials or payment card details.
The malware can also intercept text messages and delete them from the victim's device, which defeats the SMS-based two-factor authentication used by banks. The trojan has evaded Google's security scans and has reached the Google Play Store: the droppers were disguised well enough to slip past the Google Bouncer scanner.
BankBot has been used in the wild against customers of Russian banks, and by February 2017 it had been extended to target customers in other countries, including the UK, Austria, Germany and Turkey.
BankBot steals login credentials from more than just banking applications (e.g., Facebook, Uber, YouTube, WhatsApp, Snapchat, Google Play Store). It can also lock the user's device in ransomware-like fashion. Many versions of BankBot have been released over the years, but the latest two seen in the wild are Android.BankBot.149.origin and Android.BankBot.136.origin.
How does it do it?
Android.BankBot.149.origin, when first launched, prompts the user to grant it administrator privileges and then deletes its icon from the home screen, making users believe it is no longer running on their device.
Source: https://vms.drweb.com/virus/?_is=2&i=14895561(Dr.Web)
There is a list of commands that the Trojan can receive from the C&C server:
- Send SMS – to send SMS;
- Go_P00t_request – to request administrator privileges;
- |UssDg0= – to send a USSD request;
- nymBePsG0 – to request the list of phone numbers from the contact list;
- |telbookgotext= – to send SMS messages with the text from its command to the entire contact list;
- Go_startPermis_request – to request additional permissions SEND_SMS, CALL_PHONE, READ_CONTACTS, ACCESS_FINE_LOCATION on devices with Android 6.0 and higher;
- Go_GPSlocat_request – to get GPS coordinates;
- state1letsgotxt – to receive an executable file containing a list of attacked banking applications;
- |startinj= – to display phishing window WebView with content downloaded from the link specified in a command.
This version of the malware, Android.BankBot.149.origin, checks the infected device for the presence of a list of banking applications (e.g., PayPal, YandexMoney, Wells Fargo Mobile, etc.).
Information about the matches found is sent to the C&C server, and the trojan then receives a list of applications to monitor for launch. Once one of these applications is started, the malware displays a WebView on top of it with a fraudulent authentication form, later used to gain unauthorized access to the user's accounts. The harvested information is finally sent back to the C2 (Command & Control) server.
Source: https://vms.drweb.com/virus/?_is=2&i=14895561 (Dr.Web)
The Trojan also attempts to steal bank card information through apps like WhatsApp, Play Store, Messenger, Facebook, Uber, and many more.
After the launch of one of these applications the Trojan will display a fraudulent form that looks like one from a legitimate application.
When an SMS arrives, the malware mutes all sounds and vibration, forwards the message to the cyber criminals, and attempts to delete the original from the list of incoming SMS messages to hide it from the user.
Android.BankBot.136.origin steals login credentials for online banking accounts and money from victims' bank accounts. This trojan can also lock the home screen of an infected device, delete all user data and restore the default (factory) settings.
Source: https://vms.drweb.com/virus/?_is=2&i=8939439 (Dr.Web)
The malicious application is distributed disguised as legitimate software such as Adobe Flash Player or Google Play. Once launched, Android.BankBot.136.origin prompts the user to grant it administrator privileges, both to stay on the device as long as possible and to execute admin-level commands. The trojan then sends a POST request to the command and control server and waits for a reply. The POST request contains:
- A unique ID generated by the Trojan;
- IMEI identifier;
- Current system language;
- Mobile network operator;
- OS version;
- Mobile device model;
- Cell phone number.
The malware can then receive the following commands:
- intercept_down – start intercepting SMS messages (for devices running Android version older than 4.4);
- intercept_down_off – stop intercepting SMS messages;
- send_sms – send an SMS to a specified number;
- delivery_send – send SMS messages to all contact list numbers;
- apiserver – change the address of the command and control server;
- appmass – send an MMS message (not implemented in the latest versions of the Trojan);
- UpdateInfo – send information about the applications installed on the device to the C&C server;
- adminPhone – change the phone number used to send SMS messages that repeat commands;
- kill_on – set a password on ScreenLock, turn sound off, and lock the home screen;
- kill_off – clear the password from ScreenLock, turn sound on, and unlock the home screen;
- upload_sms – upload incoming messages to the C&C server;
- notification – display a notification whose content is specified in the command;
- intercept_up – start intercepting SMS messages (for devices running Android 4.4 and higher);
- intercept_up_off – stop intercepting messages;
- Wipe – restore default settings (factory reset);
- callredirect_on – enable forwarding of all incoming calls;
- callredirect_off – disable forwarding of all incoming calls;
- cleanON – assign the Trojan as the default SMS manager (from Android 4.4 onwards only the default SMS app can delete or suppress incoming messages, which is why this command exists alongside intercept_up);
- cleanOFF – assign a standard application as a default SMS manager;
- check_manager_status – check what application is a default SMS manager;
- domenlist – add an address of an additional C&C server;
- browserrestart, browserappsupdate – purpose not yet determined.
Very similarly to 149, this version of the banking Trojan monitors for the launch of a list of banking applications. When a launched app matches the list received from the C&C server, a fraudulent input form is displayed on top of the running application. The full list of targeted banks is given in the Dr.Web description linked below.
Source: https://vms.drweb.com/virus/?_is=2&i=8939439 (Dr.Web)
Once the user enters their login credentials, the data is sent back to the cyber criminals. This version also attempts to steal bank card information by monitoring the launch of certain applications: once an application from the list is started, a phishing form is displayed prompting the user to enter their card details, and the collected data is eventually sent to the C&C server. What sets this version apart from 149 is its ability to lock the device and to block several anti-virus programs and service utilities; the Trojan works through a list of anti-virus software and tries to block each one so that it cannot be removed.
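The capabilities described in the two variant write-ups above (device administrator abuse, the pre-4.4 and 4.4+ SMS interception paths, the cleanON default-SMS takeover, overlay phishing, and the contact/location/call permissions requested via Go_startPermis_request) all leave traces in an app's manifest. The following triage script is an added example, not code from Dr.Web or from the BankBot authors: it scores a decoded AndroidManifest.xml (as produced by apktool) for those traces. The weights, the priority and score thresholds, the brand-impersonation word list and both sample manifests are constructed assumptions for illustration, not a published detection rule.

```python
"""Static triage of a decoded AndroidManifest.xml for the BankBot-style capabilities
described above: device-admin abuse, SMS interception on the pre-4.4 and 4.4+ paths,
default-SMS-app takeover (cleanON), overlay phishing and contact/location/call access.
Added example, not Dr.Web's or the malware's code; weights, thresholds and both
manifests are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Attribute key as ElementTree stores android:attr."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions behind the behaviour above (SMS theft, overlays, the
# Go_startPermis_request set, IMEI collection for the C&C POST).
PERMISSION_TAGS = {
    "android.permission.RECEIVE_SMS": "sms_intercept", "android.permission.READ_SMS": "sms_intercept",
    "android.permission.SEND_SMS": "sms_send", "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.READ_CONTACTS": "contacts", "android.permission.CALL_PHONE": "call",
    "android.permission.ACCESS_FINE_LOCATION": "gps", "android.permission.READ_PHONE_STATE": "device_id",
}
# Actions an app must handle to be the default SMS app on Android 4.4+ (cleanON);
# a high-priority SMS_RECEIVED receiver is the pre-4.4 path (intercept_down).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
    "android.intent.action.SENDTO",
}
LEGACY_SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
LEGACY_PRIORITY_MIN = 100  # assumed threshold, not a published rule
WEIGHTS = {                # assumed weights, not a published rule
    "device_admin": 3, "default_sms_app": 3, "sms_intercept_legacy": 2,
    "overlay": 2, "brand_impersonation": 2, "sms_intercept": 1, "sms_send": 1,
    "contacts": 1, "call": 1, "gps": 1, "device_id": 1,
}
SUSPECT_SCORE = 6          # assumed threshold for the 'suspect' verdict
BRAND_WORDS = ("google", "adobe", "flash")
BRAND_PACKAGES = ("com.google.", "com.android.", "com.adobe.")


def triage_manifest(manifest_xml):
    """Return {'findings': [...], 'score': int, 'suspect': bool} for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for perm in root.iter("uses-permission"):
        tag = PERMISSION_TAGS.get(perm.get(android("name")))
        if tag:
            findings.add(tag)
    actions_seen = set()
    for comp in root.iter():
        if comp.tag not in ("receiver", "service", "activity"):
            continue
        if comp.get(android("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.add("device_admin")  # what Go_P00t_request asks the user for
        for filt in comp.findall("intent-filter"):
            actions = {a.get(android("name")) for a in filt.findall("action")}
            actions_seen |= actions
            priority = int(filt.get(android("priority"), "0"), 0)  # decimal or hex
            if LEGACY_SMS_ACTION in actions and priority >= LEGACY_PRIORITY_MIN:
                findings.add("sms_intercept_legacy")
    if DEFAULT_SMS_ACTIONS <= actions_seen:
        findings.add("default_sms_app")
    app = root.find("application")
    label = (app.get(android("label"), "") if app is not None else "").lower()
    if any(w in label for w in BRAND_WORDS) and not root.get("package", "").startswith(BRAND_PACKAGES):
        findings.add("brand_impersonation")  # "Adobe Flash Player"/"Google Play" disguise
    score = sum(WEIGHTS[f] for f in findings)
    return {"findings": sorted(findings), "score": score, "suspect": score >= SUSPECT_SCORE}


# Constructed manifest of a fake "Adobe Flash Player" dropper with the full
# capability set described above (not a real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.fl4sh.update">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/><uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/><uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/><uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Adobe Flash Player">
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter></receiver>
    <receiver android:name=".Sms">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".Mms"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <service android:name=".Respond"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
  </application></manifest>"""

# Constructed manifest of an ordinary app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main">
    <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity></application></manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

Run against the constructed dropper manifest the script reports all nine indicators and a score of 16; the benign manifest scores 0. The two SMS checks are deliberately separate because they correspond to the two interception commands: the high-priority SMS_RECEIVED receiver only works before Android 4.4, while the full SMS_DELIVER/WAP_PUSH_DELIVER/RESPOND_VIA_MESSAGE/SENDTO set is exactly what an app needs to be offered as the default SMS app, which is the cleanON takeover. A real pipeline would feed it the output of apktool rather than inline strings.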
Conclusion:
Similar banking Trojans, such as Marcher, have been observed in the wild recently. Leaked source code from such malware puts a working banker in the hands of many cyber criminals, regardless of their technical level. This incident is an example of how malicious actors build on top of existing malware to avoid detection and extend its capabilities.
With Android still the most widely used mobile platform, these attacks can affect a large number of end users. Users should only download applications from trusted sources like the Google Play Store, and should read the reviews on each application to see what other users have reported. Since BankBot itself reached the Play Store, users should also be wary of any app that asks for device administrator rights or to become the default SMS app without an obvious reason.
Sources:
https://www.bleepingcomputer.com/news/security/malware-reaches-play-store-as-google-wages-war-against-bankbot-trojan/ (BleepingComputer)
https://vms.drweb.com/search/?q=Android.BankBot (Dr.Web)
http://www.securityweek.com/source-code-bankbot-android-trojan-leaks-online (SecurityWeek)