{"id":90839,"date":"2022-05-13T18:16:13","date_gmt":"2022-05-13T12:46:13","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90839"},"modified":"2023-10-17T15:19:55","modified_gmt":"2023-10-17T09:49:55","slug":"beware-banking-trojans-using-enhanced-techniques-to-spread-malware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-banking-trojans-using-enhanced-techniques-to-spread-malware\/","title":{"rendered":"Beware &#8211; Banking Trojans Using Enhanced Techniques to Spread Malware."},"content":{"rendered":"<p>In our Open-Source Threat Hunting, <a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-total-security-for-android\">Quick Heal Security<\/a> Researchers encountered a <a href=\"https:\/\/blogs.quickheal.com\/beware-sova-android-banking-trojan-emerges-more-powerful-with-new-capabilities\/\">banking Trojan<\/a> named Aberebot capable of stealing sensitive information from infected devices, including financial and personal data.<\/p>\n<p>The malware authors used anti-reverse-engineering and obfuscation techniques to evade detection. During our investigation we found that the malicious application requests several risky permissions, as shown in Fig 01:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-90831 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/1-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/1-300x201.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/1.png 343w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 01. 
Risky permissions requested by the malware application<\/em><\/strong><\/p>\n<p>The malware has various capabilities, including:<\/p>\n<ul>\n<li>Collecting contact information.<\/li>\n<li>Intercepting OTPs on the infected device.<\/li>\n<li>Retrieving the list of installed applications from the device.<\/li>\n<li>Sending SMS messages to the victim's contacts based on commands received from the C2 server.<\/li>\n<li>Stealing credentials for social media accounts and banking portals.<\/li>\n<li>Monitoring the victim's device by abusing the BIND_ACCESSIBILITY_SERVICE permission.<\/li>\n<li>Using the Telegram API to communicate with a C&amp;C server hosted on a Telegram bot account.<\/li>\n<\/ul>\n<p>Last month, Android security researchers came across a new banking malware named &#8220;Escobar.&#8221; It is the latest variant of the Aberebot banking Trojan. The new variant adds several features, but it no longer uses Telegram for C2 communication. Its goal is unchanged: trick users and steal sensitive information from victims.<br \/>\nThe new variant (Escobar) uses a name and icon resembling those of a legitimate app. The malicious APK has the package name <strong>&#8220;com.escobar.pablo&#8221;<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90832 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/2-300x249.png\" alt=\"\" width=\"351\" height=\"291\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/2-300x249.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/2.png 451w\" sizes=\"(max-width: 351px) 100vw, 351px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 02. 
Application icon<\/em><\/strong><\/p>\n<p>The application requests several risky permissions, including:<\/p>\n<ul>\n<li>Accessibility service<\/li>\n<li>Read\/write storage<\/li>\n<li>Send SMS<\/li>\n<li>Get accounts<\/li>\n<li>Disable keyguard<\/li>\n<\/ul>\n<p>It can also steal sensitive data such as contacts, SMS messages, call logs, and device location. Besides recording calls and audio, the malware can delete files, send SMS messages, make calls, and take pictures with the camera, all in response to commands received from the operators' C&amp;C server.<\/p>\n<p><strong>Escobar adds several new features:<\/strong><\/p>\n<ul>\n<li>It uses VNC Viewer to remotely control the screen of an infected device.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90833 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/3-300x165.png\" alt=\"\" width=\"508\" height=\"280\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/3-300x165.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/3-650x357.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/3-789x433.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/3.png 1052w\" sizes=\"(max-width: 508px) 100vw, 508px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 03. 
VNC commands used by Escobar<\/em><\/strong><\/p>\n<ul>\n<li>On command from the operator, the malware attempts to steal Google Authenticator codes.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90834 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/4-300x29.png\" alt=\"\" width=\"486\" height=\"47\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/4-300x29.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/4-650x62.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/4.png 725w\" sizes=\"(max-width: 486px) 100vw, 486px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 04. 2FA code stealing.<\/em><\/strong><\/p>\n<ul>\n<li>Escobar can also terminate itself when it receives the corresponding command from the C&amp;C server.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90835 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/5-300x106.png\" alt=\"\" width=\"467\" height=\"165\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/5-300x106.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/5.png 560w\" sizes=\"(max-width: 467px) 100vw, 467px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 05. Code used to abort.<\/em><\/strong><\/p>\n<p>Banking malware also uses various themes to trick users. 
We have seen applications posing as banking reward apps and using the icons of legitimate Indian banking applications.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-90836 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/6-300x236.png\" alt=\"\" width=\"300\" height=\"236\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/6-300x236.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/6.png 311w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 06. Application icon<\/em><\/strong><\/p>\n<p>The malware can steal credit\/debit card details and net banking passwords, and reads incoming SMS messages to capture and submit one-time passwords on the victim\u2019s behalf.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90837 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/7-201x300.png\" alt=\"\" width=\"223\" height=\"333\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/7-201x300.png 201w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/7-262x390.png 262w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/7.png 331w\" sizes=\"(max-width: 223px) 100vw, 223px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 07. Asking for card details.<\/em><\/strong><\/p>\n<p>All stolen data is encrypted before it is sent to the C2 server. 
These applications also execute commands sent by the operators on the victim\u2019s device, such as uploading SMS messages and call logs.<br \/>\nOnce all SMS messages have been uploaded to the C2 server, the malware can delete them from the victim\u2019s device.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90838 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/8-300x76.png\" alt=\"\" width=\"478\" height=\"121\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/8-300x76.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/8-650x166.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/8-768x196.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/8-789x201.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/8.png 1284w\" sizes=\"(max-width: 478px) 100vw, 478px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Fig 08. 
Code used to delete SMS<\/em><\/strong><\/p>\n<p><b>Quick Heal Detection<\/b><\/p>\n<p>Quick Heal detects these malicious applications under variants of the <strong>&#8220;Android.Agent\u201d<\/strong> and <strong>&#8220;Android.Banker&#8221;<\/strong> detection names.<\/p>\n<p><strong>Indicators of Compromise (IOCs):<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90849 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/05\/9-1-300x123.png\" alt=\"\" width=\"415\" height=\"170\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/9-1-300x123.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/05\/9-1.png 548w\" sizes=\"(max-width: 415px) 100vw, 415px\" \/><\/p>\n<p><em>Use a trusted AV such as <strong>\u201cQuick Heal Mobile Security for Android\u201d<\/strong> to mitigate such threats and to block malicious applications before they are installed on your device.<\/em><\/p>\n<p><strong>CONCLUSION:<\/strong><\/p>\n<p>As illustrated above, banking malware uses new techniques to lure users, including the icons of legitimate applications. These banking Trojans can cause serious harm to infected devices. They are sold by threat actors on dark web forums and spread through various websites and third-party app stores. Users should be wary of such fake claims and should not download or install applications from untrusted sources.<\/p>\n<p><strong>TIPS TO STAY SAFE<\/strong><\/p>\n<ul>\n<li>Download applications only from trusted sources like the Google Play Store.<\/li>\n<li>Do not click on links received through messages or social media platforms; they may point, intentionally or inadvertently, to malicious sites.<\/li>\n<li>Read the pop-up messages you get from the Android system before accepting\/allowing any new permissions.<\/li>\n<li>Malware authors spoof original applications\u2019 names, icons, and developer names. 
So, be extremely cautious about what applications you download on your phone.<\/li>\n<li>For enhanced protection of your phone, always use a good antivirus like <a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-mobile-security\">Quick Heal Mobile Security for Android<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In our Open-Source Threat Hunting, Quick Heal Security Researchers encountered a banking Trojan named Aberebot capable of stealing sensitive information from infected devices, including financial and personal data. Malware authors used advanced anti-reverse engineering and obfuscation techniques to avoid detection. From our investigation, the fake malicious application requires some risky permissions, as shown in Fig [&hellip;]<\/p>\n","protected":false},"author":76,"featured_media":90854,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1611,1739,24],"tags":[1905,1523,1139,1457,1239,1906],"class_list":["post-90839","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-banking-trojan","category-cybersecurity","category-malware","tag-aberebot","tag-andorid","tag-banking-trojan","tag-cyber-attack","tag-cyber-security","tag-escobar"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90839"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/76"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90839"}],"version-history":[{"count":18,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90839\/revisions"}],"predecessor-version":[{"id":91395,"href
":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90839\/revisions\/91395"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90854"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
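The permissions the post lists for Aberebot and Escobar (an accessibility service, SMS read/receive, SEND_SMS, GET_ACCOUNTS, DISABLE_KEYGUARD, storage) are the quickest thing to check when triaging a suspicious APK. The script below is an added example for this page, not Quick Heal tooling or code from the malware: it parses a decoded AndroidManifest.xml (such as the one `apktool d sample.apk` writes) and reports which of those capabilities the manifest enables, flagging the accessibility-plus-SMS combination the post describes as the banker tell-tale. The two manifests, the `.A11yService` service name and the app labels are constructed for the example; only the package name `com.escobar.pablo` comes from the post.

```python
"""Static triage of a decoded AndroidManifest.xml for the banker permission
pattern described in the post: accessibility service + SMS access (OTP
interception), SEND_SMS, GET_ACCOUNTS, DISABLE_KEYGUARD, storage.

Added example, not Quick Heal tooling. SAMPLE_MANIFEST and BENIGN_MANIFEST
are constructed; the service name and labels in them are made up.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def android_attr(name: str) -> str:
    """ElementTree spells a namespaced attribute as {uri}local."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions named in the post, grouped by the capability they give the malware.
CAPABILITIES = {
    "otp_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_spreading": {"android.permission.SEND_SMS"},
    "account_enumeration": {"android.permission.GET_ACCOUNTS"},
    "lockscreen_bypass": {"android.permission.DISABLE_KEYGUARD"},
    "storage_access": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(android_attr("name"))
        for el in root.iter("uses-permission")
        if el.get(android_attr("name"))
    }


def accessibility_services(manifest_xml: str) -> list:
    """Accessibility is granted through a <service> guarded by
    BIND_ACCESSIBILITY_SERVICE, not through <uses-permission>, so a grep over
    uses-permission alone misses it. Returns the guarded service names."""
    root = ET.fromstring(manifest_xml)
    return [
        svc.get(android_attr("name"))
        for svc in root.iter("service")
        if svc.get(android_attr("permission")) == BIND_A11Y
    ]


def triage(manifest_xml: str) -> dict:
    perms = declared_permissions(manifest_xml)
    caps = sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)
    a11y = accessibility_services(manifest_xml)
    # Some samples also list BIND_ACCESSIBILITY_SERVICE under uses-permission; count either form.
    has_a11y = bool(a11y) or BIND_A11Y in perms
    # The tell-tale from the post: accessibility combined with SMS access.
    banker_pattern = has_a11y and "otp_interception" in caps
    return {
        "capabilities": caps,
        "accessibility": has_a11y,
        "accessibility_services": a11y,
        "banker_pattern": banker_pattern,
    }


# Constructed manifest mirroring the permissions listed in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.escobar.pablo">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Bank Rewards">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed control: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python triage_manifest.py [path/to/AndroidManifest.xml]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_MANIFEST
    print(triage(xml_text))
```

Run it against the manifest apktool decodes, or with no argument to triage the constructed sample. The design point worth noting is the accessibility check: the app does not request BIND_ACCESSIBILITY_SERVICE the way it requests SEND_SMS; it declares a service that the system binds under that permission, so the script inspects `<service android:permission=...>` as well as `<uses-permission>`. A manifest that combines that service with RECEIVE_SMS or READ_SMS is exactly the OTP-interception setup the post attributes to these Trojans.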