The antivirus vendor Dr. Web has discovered a new Android banking Trojan known as BankBot, built from source code that was leaked on an underground hacking forum.
BankBot Android Malware Discovered
Researchers at the Russian anti-virus vendor Dr. Web have reported a new Android malware known as BankBot. According to their analysis, its source code is derived from a banking Trojan whose code was leaked on an underground hacking forum. The sample was found while analysing an active attack campaign, meaning the Trojan was already being used against victims at the time of discovery.
The code is related to a previously identified Android banking Trojan that was used to steal money from victims' bank accounts. Once installed, the Trojan requests device administrator privileges, which make it considerably harder to uninstall. To reach victims it poses as a legitimate application: it is distributed under various app names and uses the Google Play Store icon. After installation the Trojan activates itself and allows the remote operators to issue commands to the infected device. The possible commands are:
Send SMS – to send SMS;
Go_P00t_request – to request administrator privileges;
|UssDg0= – to send a USSD request;
nymBePsG0 – to request the list of phone numbers from the contact list;
|telbookgotext= – to send SMS messages with the text from its command to the entire contact list;
Go_startPermis_request – to request additional permissions SEND_SMS, CALL_PHONE, READ_CONTACTS, ACCESS_FINE_LOCATION on devices with Android 6.0 and higher;
Go_GPSlocat_request – to get GPS coordinates;
state1letsgotxt – to receive an executable file containing a list of attacked banking applications;
|startinj= – to display phishing window WebView with content downloaded from the link specified in a command.
BankBot also checks whether any of the following mobile banking apps are installed on the device:
Sberbank Online, Sberbank Business Online, Alfa-Bank, Alfa-Business, Visa QIWI Wallet, R-Connect mobile bank, Tinkoff, PayPal, WebMoney Keeper, ROSBANK Online, VTB24-Online, MTS Bank, Yandex.Money: online payments, Sberbank [email protected] PJSC SBERBANK, Privat24, Russian Standard mobile bank, UBANK – financial supermarket, UBANK – financial supermarket, Idea Bank, IKO, Bank SMS, OTP Smart, VTB Online (Ukraine), Oschad 24/7, Platinum Bank, UniCredit Mobile, UniCredit Mobile, Ukrgasbank, StarMobile, Chase Mobile, Bank of America Mobile Banking, Wells Fargo Mobile, TD International, TD Spread Trading, Akbank Direkt, Yapı Kredi Mobil Bankacılık, ÇEKSOR, JSC İŞBANK, İşCep, İşTablet.
If one of the above apps is found on the victim's device, a notification is sent to the remote C&C server. The Trojan then receives a list of the applications it should monitor for launch or any other interaction. When the user opens one of them, the Trojan displays a WebView overlay containing a counterfeit login form; any credentials entered into the form are immediately sent to the attackers. BankBot also monitors several of the most popular consumer apps for payment activity. The list includes the following:
WhatsApp, Google Play Store, Messenger, Facebook, WeChat, Youtube, Uber, Viber, Snapchat, Instagram, imo, Twitter.
When the user opens one of these apps, a similar counterfeit overlay is displayed.
When an SMS message arrives, BankBot silences the device by turning off all sounds and vibration, forwards the message to the operators and attempts to delete the original from the inbox, so that SMS confirmation codes sent by the bank can be captured without the victim noticing. To evade installed security software, the malware also checks for the following anti-virus apps:
Anti-virus Dr.Web Light, CM Security AppLock AntiVirus, Kaspersky Antivirus & Security, ESET Mobile Security & Antivirus, Avast Mobile Security & Antivirus, Clean Master (Boost&Antivirus), 360 Security – Antivirus, AVG AntiVirus FREE for Android, Antivirus Free – Virus Cleaner, Super Cleaner – Antivirus, AndroHelm AntiVirus Android 2017, TrustGo Antivirus & Mobile Security, Sophos Free Antivirus and Security.
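The behaviour described above (the permissions requested by Go_startPermis_request, the device-administrator request behind Go_P00t_request, the overlay window used for WebView phishing, and the SMS interception) leaves a recognisable footprint in an app's manifest. The following Python script, added here as an example and not Dr. Web's tooling or the Trojan's own code, scores a decoded AndroidManifest.xml (as produced by apktool) for that capability set. The sample manifests, the package names and the weights are constructed for the example; the permission names, the device-admin permission and the SMS_RECEIVED action are the real Android identifiers.

```python
"""Triage heuristic for BankBot-style Android manifests (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for android:* attributes

# Permissions named in the analysis, plus RECEIVE_SMS/SYSTEM_ALERT_WINDOW,
# which SMS interception and overlay windows need. Weights are arbitrary.
SUSPECT_PERMISSIONS = {
    "android.permission.SEND_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 1,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SUSPICIOUS_THRESHOLD = 6


def analyse_manifest(xml_text):
    """Return a dict with package, score, indicator list and verdict."""
    root = ET.fromstring(xml_text)
    result = {"package": root.get("package"), "score": 0, "indicators": []}

    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    for name, weight in SUSPECT_PERMISSIONS.items():
        if name in perms:
            result["score"] += weight
            result["indicators"].append("permission:" + name)

    for receiver in root.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component,
        # the hook an app uses to ask for administrator privileges.
        if receiver.get(A + "permission") == DEVICE_ADMIN:
            result["score"] += 3
            result["indicators"].append("device-admin receiver")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                result["score"] += 2
                result["indicators"].append("SMS_RECEIVED receiver")
                # A very high priority puts the receiver ahead of the stock
                # SMS app, the classic way to see (and suppress) a message first.
                prio = flt.get(A + "priority", "")
                if prio.lstrip("-").isdigit() and int(prio) >= 999:
                    result["score"] += 1
                    result["indicators"].append("high-priority SMS filter")

    result["verdict"] = (
        "suspicious" if result["score"] >= SUSPICIOUS_THRESHOLD else "clean"
    )
    return result


# Constructed sample: a fake "Google Play" app with the described capability set.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-only app.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(analyse_manifest(sample))
```

Run it against the output of `apktool d sample.apk` by reading `AndroidManifest.xml` from the decoded directory. The score is only a first filter: a legitimate SMS client declares several of the same permissions, so a hit should be followed by looking at the code for WebView overlays loading remote content and for broadcast suppression in the SMS receiver.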
The researchers recommend that Android users run a trusted anti-virus solution on all of their devices and avoid installing software from any source other than the Google Play Store.