Fortinet computer security researchers discovered a new Android banking Trojan which can counter anti-spyware and anti-virus products.
Android Trojan Wreaks Havoc
Fortinet experts discovered a new malware family which is specially designed to steal banking information on the Android mobile platform. The Trojan works with 15 different banking apps that are available in Germany. The interesting feature is that the virus can take over control of the apps via the remote malicious C&C servers.
The malware is disguised as an email application which even has a legitimate-looking icon on the app launcher. Like other threats it encourages the user to provide it with administrative privileges. When this is done the icon is hidden from the launcher although the software remains in operation in the background.
The Android banking Trojan requests the following permission sets:
- Read phone state
- Read contacts M/li>
- Get tasks list
- Modify system settings
- Call phone numbers
- Read/write/send/receive SMS messages
- Access and change network state at will
- and many more
After successful installation the malware runs three services in the background – GPService2, FDService and AdminRightsService.
Each of them has a specific role. The GPService2 applications monitors all running processes on the victim device and attacks the hardcoded banking applications by displaying a heavily customized screen overlay that can trick the users into thinking that its a legitimate login window. The Android virus includes several different customized login screens for each target bank app and displays the appropriate one when the respective application is launched. This service is also responsible for blocking some anti-virus mobile applications and service utilities by preventing them from executing on the system.
The FDService process monitors all running processes on the victim device and also targets specific apps which might include social network clients. This application can also display a counterfeit Google Play overlay which tricks users into entering their credit card information.
AdminRightsService asks the user for privilege escalation when the malware is executed for the first time.
Upon successful installation the Trojan starts to collect personal data about the device and sends it to the remote C&C servers which also distribute the commands. With the granted privileges the malware can do a lot of damage including the following:
- Intercepting incoming and outgoing SMS messages
- Sending text messages
- Sending USSD requests
- Sending SMS messages to all contacts
- Changing the address of the C&C servers
- Modifying the app exclusion list
- Downloading and updating target apps directly from the C&C server
- Displaying a template-based dialog using Webview
- Sending harvested data to the remote C&C servers
The Android Trojan uses HTTPS to communicate with the C&C servers and in addition to everything else, it also sends information to the hackers that contains the device’s IMEI, ISO country code, Android build version, phone number and device number.
To remove the threat the users first have to strip it off the privilege escalations by navigating to the following menu Settings -> Security -> Device administrators -> Device Admin -> Deactivate.
The virus can be removed using the ADB (Android Debug Bridge) utility.
