{"id":86363,"date":"2018-06-05T19:10:33","date_gmt":"2018-06-05T13:40:33","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86363"},"modified":"2018-06-08T10:46:12","modified_gmt":"2018-06-08T05:16:12","slug":"quick-heal-detects-another-banking-trojan-imitating-popular-banking-apps-india","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/quick-heal-detects-another-banking-trojan-imitating-popular-banking-apps-india\/","title":{"rendered":"Quick Heal detects banking Trojans imitating popular social media and banking apps in India"},"content":{"rendered":"
Quick Heal Security Labs has spotted two banking Trojan malware. These malware imitate some popular social and banking apps. While doing so, they gain access to some security permissions on the infected device which allow them to steal the user\u2019s banking credentials. The malware are able to do this by displaying a fake window that asks for a debit\/credit card number.<\/p>\n
Technical analysis of the first banking Trojan that imitates social media apps \n<\/strong><\/p>\n
The banking Trojan masks itself with the icon of Adobe Flash Player to trick users. If installed, it asks for Device Administrator rights. If the user selects \u2018Cancel’, it will keep asking for the permission until the user selects the ‘Activate’ button. Post this, it hides its icon.<\/p>\nFig 1. Asking for Device Admin permission<\/figcaption><\/figure>\n
After gaining the device administrator rights, the malware sends a text message to a premium rated number containing the device ID without user’s permission.<\/p>\nFig 2. User balance deduction and sending device info via SMS<\/figcaption><\/figure>\n
In the background, the Trojan searches for the most frequently used apps. The malware has maintained two lists. One list mostly comprises the social and browsing apps it imitates.<\/p>\n
Popular<\/strong> applications <\/strong>maintained in the first list<\/strong><\/p>\n\n
com.whatsapp<\/li>\n
com.skype.raider<\/li>\n
com.facebook.katana<\/li>\n
com.instagram.android<\/li>\n
com.android.chrome<\/li>\n
com.twitter.android<\/li>\n
com.android.calendar<\/li>\n
jp.naver.line.android<\/li>\n
com.android.vending<\/li>\n
com.viber.voip<\/li>\n<\/ol>\n
When a user opens any of these applications, the Trojan displays a fake window asking for a debit\/credit card number. Until the user provides this number, the malware does not allow access to Google Play or other apps (mentioned in the list above).<\/p>\nFig 3. Overlaying social and browsing apps with a window asking for a debit\/credit card number<\/figcaption><\/figure>\nFig 4. Posting card details on a URL<\/figcaption><\/figure>\n
If the user enters the card number, the banking Trojan collects this information and sends it to a malicious server (<\/strong>h<\/strong>xx<\/strong>p:\/\/nikorg.com\/1\/<\/strong>)<\/strong><\/p>\n
The other list comprises 60 banking and finance related apps. When a user opens any of these apps, the Trojan displays an overlay web page and does not allow the user to perform any activity until the user stops it.<\/p>\n
At the time of our analysis, the malicious server was unable to show the similar page related to the app imitated by the Trojan. However, it displayed a blank white page over the app.<\/p>\nFig 5. Overlaying bank application with the web page<\/figcaption><\/figure>\nFig 6. Apps of banks with overlaying web URLs<\/figcaption><\/figure>\n
Popular<\/strong> applications <\/strong>maintained in the second list<\/strong><\/p>\n\n
pl.mbank (mBank PL)<\/li>\n
com.db.mm.deutschebank (Meine Bank)<\/li>\n
pl.ing.ingmobile (ING Bankieren)<\/li>\n
com.konylabs.cbplpat (Citi Handlowy )<\/li>\n
com.paypal.android.p2pmobile (paypal)<\/li>\n
com.commbank.netbank (CommBank )<\/li>\n<\/ol>\n
The Trojan malware also steals incoming messages which may be an OTP or any other information and sends them to the malicious server.<\/p>\nFig 7. Sending incoming messages to a URL<\/figcaption><\/figure>\n
<\/p>\n
Technical analysis of the second banking Trojan that imitates banking apps<\/strong><\/p>\n
While installing the app, it asks user to enable Google Play service. And if enabled, it hides. Once it is done, the malicious app hides its icon and if a user in-between turns off the Google Play service then it keeps on showing the message to enable the Google Play service in a loop and also restricts the user from starting any other activity on the device.<\/p>\nFig 8. Malicious app icon<\/figcaption><\/figure>\nFig 9. Repeatedly asking for Google pro service permission<\/figcaption><\/figure>\n
In the background, the malware it keeps searching the mentioned app\u2019s name on the list. If found, it shows a notification on behalf of the particular app and shows a similar login page and steals user\u2019s credentials.<\/p>\nFig 10. Creates a notification message according to the app maintained in the list of the malware<\/figcaption><\/figure>\n
At the time of analysis, the C&C server (hxxp:\/\/46.254.16.53)<\/strong> was not functional. So, we were unable to monitor the dynamic activity of the app.<\/p>\n
The banking Trojan uses commands to get the user’s personal information such as contacts, messages (to get the OTP), location details, etc.<\/p>\nFig 11. Stealing personal information’s using commands<\/figcaption><\/figure>\nFig 12. Names of apps of banks in India<\/figcaption><\/figure>\n
There are other apps mentioned in the list that related to banking, shopping and cryptocurrency.<\/p>\n
Some of the famous Indian banking applications are:<\/strong><\/p>\n\n
com.unionbank.ecommerce.mobile.android (Union Bank Mobile)<\/li>\n
com.axis.mobile (Axis Bank)<\/li>\n
hdfcbank.hdfcquickbank (HDFC Bank MobileBanking LITE)<\/li>\n<\/ol>\n
One unique activity performed by this app is that it checks whether a user’s Google Play protection service is ON or OFF. Accordingly, it sends information to the malicious server.<\/p>\nFig 13. Checking for Google Play Protection<\/figcaption><\/figure>\n
![\"\"](\"https:\/\/blogs_admin.seqrite.com\/wp-content\/uploads\/2018\/06\/Asking_for_Device_Admin_permission-169x300.png\")
![\"\"](\"https:\/\/blogs_admin.seqrite.com\/wp-content\/uploads\/2018\/06\/User_balance_deduction_and_sending_device_info_through_sms-294x300.png\")
![\"\"](\"https:\/\/blogs_admin.seqrite.com\/wp-content\/uploads\/2018\/06\/Overlaying_social_and_browsing_application_with_card_payment_activity-296x300.png\")
![\"\"](\"https:\/\/blogs_admin.seqrite.com\/wp-content\/uploads\/2018\/06\/Posting_card_details_on_URL-1-300x123.png\")
![\"\"](\"https:\/\/blogs_admin.seqrite.com\/wp-content\/uploads\/2018\/06\/Overlaying_bank_application_with_web_page-300x294.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Apps_of_banks_with_overlaying_web_URLs-650x198.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Sending_incoming_message_to_url-650x334.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Malicious_app_icon-324x390.png\"){kind=icon}
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Repeatedly_asking_for_google_pro_service_permission-390x390.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Creates_a_notification_message_according_to_the_app_maintained_in_the_list_of_the_malware-650x356.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Stealing_personal_informations_using_command-650x294.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Names_of_apps_of_banks_in_India-650x372.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/Checking_for_play_protection-650x75.png\")