{"id":85390,"date":"2018-01-03T12:57:59","date_gmt":"2018-01-03T07:27:59","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85390"},"modified":"2018-01-04T17:41:19","modified_gmt":"2018-01-04T12:11:19","slug":"android-banking-trojan-targets-232-apps-including-indian-banks","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/android-banking-trojan-targets-232-apps-including-indian-banks\/","title":{"rendered":"Android banking Trojan targets more than 232 apps including apps offered by Indian banks"},"content":{"rendered":"

Quick Heal Security Labs detected an Android Banking Trojan that targets more than 232 banking apps including those offered by Indian banks. The malware is known as Android.banker.A2f8a <\/strong>(Previously detected as\u00a0Android.banker.A9480).<\/p>\n

Like most other Android banking malware, even this one is designed for stealing login credentials, hijacking SMSs, uploading contact lists and SMSs on a malicious server, displaying an overlay screen (to capture details) on top of legitimate apps and carrying out other such malicious activities.<\/p>\n

Infection vector<\/strong><\/p>\n

Android.banker.A2f8a<\/strong> is being distributed through a fake Flash Player app on third-party stores. This is not surprising given that Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often targeted by attackers.<\/p>\n

Technical analysis<\/strong><\/p>\n

After installing the malicious app, it will ask the user to activate administrative rights. And even if the user denies the request or kills the process, the app will keep throwing continuous pop-ups until the user activates the admin privilege. Once this is done, the malicious app hides its icon soon after the user taps on it.<\/p>\n

 <\/p>\n

\"\"
Fig 1: Requesting to grant device administrator rights<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Fig 2: Code to hide the app icon<\/figcaption><\/figure>\n

In the background, the app carries out malicious tasks \u2013 it keeps checking the installed app on the victim\u2019s device and particularly looks for 232 apps (banking and some cryptocurrency apps).<\/p>\n

If any one of the targeted apps is found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user\u2019s confidential info like net banking login ID and password.<\/p>\n

During our analysis, we found that the malware was capable of receiving and processing the following commands from the C&C server:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Send_GO_SMS<\/td>\nSend an SMS<\/td>\n<\/tr>\n
GetSWSGO<\/td>\nCollect all SMS from the device<\/td>\n<\/tr>\n
nymBePsG0<\/td>\nUpload list of contacts to a malicious server<\/td>\n<\/tr>\n
telbookgotext<\/td>\nSend SMS to all contacts with the text from its command<\/td>\n<\/tr>\n
StartAutoPush<\/td>\nShow fake notification<\/td>\n<\/tr>\n
RequestPermissionInj<\/td>\nACCESSIBILITY Permission<\/td>\n<\/tr>\n
RequestPermissionGPS<\/td>\nGPS Permission<\/td>\n<\/tr>\n
killBot<\/td>\nSet all urls null in Shared Preferences<\/td>\n<\/tr>\n
getIP<\/td>\nUpload location to a malicious server<\/td>\n<\/tr>\n
ussd<\/td>\nSend a USSD request<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

1. Whenever the client receives the command “startAutoPush” from the server, it shows a fake notification with the targeted app\u2019s icon (title: “Urgent message!” & text: “Confirm your account”). Clicking on the notification takes the user to a fake login page as discussed earlier.<\/p>\n

 <\/p>\n

\"\"
Fig 3: Code to check the server command<\/figcaption><\/figure>\n

During the time of our analysis, the C&C server was not functional; so, we were unable to monitor the dynamic activity of the app.<\/p>\n

\"\"
Fig 4: Code to load the phishing page<\/figcaption><\/figure>\n

2. The malware can intercept all incoming and outgoing SMSs from the infected device. This enables the attackers to bypass SMS-based two-factor authentication on the victim\u2019s bank account (OTP). The malware was also able to send SMSs with a dynamically received text and number from the server’s side.<\/p>\n

3. Whenever the client receives the command “GetSWSGO<\/strong>” from the server, it collects all SMSs stored on the device and uploads them to the malicious server.<\/p>\n

\"\"
Fig 5: Code to upload SMS to server<\/figcaption><\/figure>\n

4. The malware can also set the device\u2019s ringer volume to silent in order to suppress SMS notifications:<\/p>\n

\"\"
Fig 6: Code to put the device on silent<\/figcaption><\/figure>\n

5. Whenever the client receives a command “nymBePsG0<\/strong>” from the server, it uploads the victim\u2019s contacts to the malicious server.<\/p>\n

\"\"
Fig 7: Code to upload contact to malicious server<\/figcaption><\/figure>\n

Targeted banking apps in India<\/strong><\/p>\n

The following is a list of the apps of the banks in India that are targeted by this Android Banking Trojan:<\/p>\n

    \n
  • axis.mobile (Axis Mobile)<\/li>\n
  • snapwork.hdfc (HDFC Bank MobileBanking)<\/li>\n
  • sbi.SBIFreedomPlus (SBI Anywhere Personal)<\/li>\n
  • hdfcquickbank (HDFC Bank MobileBanking LITE)<\/li>\n
  • csam.icici.bank.imobile (iMobile by ICICI Bank)<\/li>\n
  • snapwork.IDBI (IDBI Bank GO Mobile+)<\/li>\n
  • idbibank.abhay_card (Abhay by IDBI Bank Ltd)<\/li>\n
  • com.idbi (IDBI Bank GO Mobile)<\/li>\n
  • idbi.mpassbook (IDBI Bank mPassbook)<\/li>\n
  • co.bankofbaroda.mpassbook (Baroda mPassbook)<\/li>\n
  • unionbank.ecommerce.mobile.android (Union Bank Mobile Banking)<\/li>\n
  • unionbank.ecommerce.mobile.commercial.legacy (Union Bank Commercial Clients )<\/li>\n<\/ul>\n

     <\/p>\n

    \"\"
    Fig 8: Code to check installed banking apps<\/figcaption><\/figure>\n

    Targeted cryptocurrency apps<\/strong><\/p>\n

    Apart from banking apps, Android.banker.A2f8a<\/strong> also targets the following cryptocurrency apps.<\/p>\n