by RSS Kai Lu  |  Nov 01, 2016  |  Filed in: Security Research

Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria. This banking malware can steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Additionally, it also contains modules to target some popular social media apps.

Install the malware

The malware masquerades as a Flash Player app. Once installed, its icon is shown in the launcher as shown below.

Figure 1: Malware App Icon

Figure 2: Request device administrator rights via faking google play service

When the user clicks the Flash Player icon and launches the app, the user is tricked into granting device administrator rights to the app through a fake google play service. Once enabled, this self-defense mechanism prevents the malware from being uninstalled from the device. The app displays a screen overlay on top of any other apps. If the user clicks the ‘CANCEL’ button, the view is closed, and then restarts. This way it is always displayed on top of the screen. Once the user clicks the ‘ACTIVATE’ button to remove the request, the malware is granted full device administrator rights. The Flash Player icon is then hidden from the launcher, but the malware remains active in the background.

Figure 3: Malware App Icon is hidden

Figure 4: Device administrator rights are granted

The permissions now controlled by this malware app are shown below.

 

Figure 5: Permissions of the malware

As you can see, it now owns some dangerous permissions, such as “send SMS messages,” “receive text messages (SMS),” etc.

Steal info from the victim & get commands from C&C

After the malware is installed it collects information about the device, sends it to its C&C server, and waits for the server to respond with new commands to carry out.

The following code snippet is used to parse the server response and execute new commands. The functionalities of the new commands include sending SMS messages, uploading SMS messages, intercepting SMS messages, updating the collected device info, performing a factory reset, etc.

 public final void ˊ(ǃ arg7) {

        v0_21;

        v0_3;

        try {

            ו.ﺒ = 0;

            .ˊ(this.getClass(), "[MainSrv][getHttpResponse]:" + arg7.Ȉ);

            if(arg7.Ȉ.equals("OK")) {

                return;

            }

 

            try {

                JSONObject v0_2 = new JSONObject(arg7.Ȉ);

                JSONObject v7 = v0_2;

                String v4 = v0_2.getString("command");

                String v3 = v4;

                if(v4.equals("intercept_down")) {

                    v0_3 = new ();

                }

                else if(v4.equals("intercept_down_off")) {

                    v0_4 = new ();

                }

                else if(v4.equals("send_sms")) {

                    v0_5 = new ();

                }

                else if(v4.equals("delivery_send")) {

                    v0_6 = new ();

                }

                else if(v4.contains("apiserver")) {

                    ˡ v0_7 = new ˡ();

                }

                else if(v4.contains("appmass")) {

                    ˮ v0_8 = new ˮ();

                }

                else if(v4.equals("UpdateInfo")) {

                    v0_9 = new ();

                }

                else if(v4.equals("Wipe")) {

                    v0_10 = new ();

                }

                else if(v4.equals("adminPhone")) {

                    ˇ v0_11 = new ˇ();

                }

                else if(v4.equals("kill_on")) {

                    v4_1 = new ();

                    v4_1.ܝ = "8320";

                    v0_12 = v4_1;

                }

                else if(v4.equals("kill_off")) {

                    v0_13 = new ();

                }

                else if(v4.equals("upload_sms")) {

                    v0_14 = new ();

                }

                else if(v4.equals("notification")) {

                    v0_15 = new ();

                }

                else if(v4.equals("intercept_up")) {

                    v0_16 = new ();

                }

                else if(v4.equals("intercept_up_off")) {

                    v0_17 = new ();

                }

                else if(v4.equals("cleanON")) {

                    v0_18 = new ();

                }

                else if(v4.equals("cleanOFF")) {

                    v0_19 = new ();

                }

                else if(v4.equals("check_manager_status")) {

                    ۥ v0_20 = new ۥ();

                }

                else if(v4.equals("domenlist")) {

                    v0_21 = new ();

                }

                else if(v4.equals("browserrestart")) {

                    v0_22 = new ();

                }

                else if(v4.equals("browserappsupdate")) {

                    v0_23 = new ();

                }

                else {

                    v0_3 = null;

                }

                v4_2 = (()v0_21);

                String v5 = null;

                if(v7.has("params")) {

                    v5 = v7.getString("params");

                }

                if(v4_2 != null) {

                    ((ˆ)v4_2).ˊ(this., v3, v5);

                }

            }

The device info which is collected and sent to the C&C server includes the device IMEI, the ISO country code, its Android build version, the device model, the phone number, installed applications, and more. The traffic is shown below.

Figure 6: Send collected device info to C&C server

The following code snippet is used to send SMS messages.

Figure 7: Send SMS message

The following code snippet is used to reset the device to factory settings. This could lead to a huge data loss for the victim.

Figure 8: Perform a factory reset

The following code snippet is used to read SMS messages from the SMS inbox and send them to the C&C server.

Figure 9: Read SMS messages from SMS inbox

 

Figure 10: Send SMS message to C&C server

Targeting popular social media apps

The following json stores the list of targeted social media apps. It includes the Google play store, Calculator, Facebook, Facebook Messenger, Whatsapp, Skype, Snapchat, Twitter, Viber, Instagram, and Snapchat.

Figure 11: The native targeted app list

When the user lunches one of the above apps, the malware generates a screen overlay on top of the good app. The screen overlay looks like Figure 12.

 

Figure 12: One screen overlay generated by malware

Figure 13: Another screen overlay generated by malware

 

As you can see, it lures the user to submit credit card info. The following screenshots show what is displayed by the malware when the targeted apps are run.

 

Next, we will analyze the process used to steal credit card information through the Skype app overlay.

Figure 14: A screen overlay on Skype app

Figure 15: The legitimate Skype app and malware app

From two figures above we can see that two apps are launched. One is Skype, and the other is the malware.

Next, we input the card info (card number, expiration date, CCV), as shown in Figure 16. The malware is able to verify if the card number submitted by the user is valid. If it is, the malware pops up a fake “Verified by Visa” or “MasterCard SecureCode” view. This trick is designed to capture the victim’s full card details and “Visa SecureCode” or “MasterCard SecureCode”.

Figure 16: Input credit card info

Figure 17: A screen overlay to input the Visa Securecode

Then the victim’s credit card info is sent to the C&C server, as shown in Figure 18.

Figure 18: Sending credit card info to C&C server

The decoded data is shown below.

The following code snippet is used to handle the json object which stores the stolen credit card info.

Figure 19: The json object related to credit card info

Target large bank apps

We found that there are 94 banking apps in the targeted app list, as listed below.

[ {"to":"at.bawag.mbanking","body":"l/at/at.bawag.mbanking.php"},

  {"to":"at.easybank.mbanking","body":"l/at/at.easybank.mbanking.php"},

  {"to":"at.spardat.netbanking","body":"l/at/at.spardat.netbanking.php"},

  {"to":"at.volksbank.volksbankmobile","body":"l/at/at.volksbank.volksbankmobile.php"},

  {"to":"com.bankaustria.android.olb","body":"l/at/com.bankaustria.android.olb.php"},

  {"to":"com.isis_papyrus.raiffeisen_pay_eyewdg","body":"l/at/com.isis_papyrus.raiffeisen_pay_eyewdg.php"},

  {"to":"au.com.bankwest.mobile","body":"l/au/au.com.bankwest.mobile.php"},

  {"to":"au.com.ingdirect.android","body":"l/au/au.com.ingdirect.android.php"},

  {"to":"au.com.nab.mobile","body":"l/au/au.com.nab.mobile.php"},

  {"to":"com.commbank.netbank","body":"l/au/com.commbank.netbank.php"},

  {"to":"org.banksa.bank","body":"l/au/org.banksa.bank.php"},

  {"to":"org.stgeorge.bank","body":"l/au/org.stgeorge.bank.php"},

  {"to":"org.westpac.bank","body":"l/au/org.westpac.bank.php"},

  {"to":"com.db.mm.deutschebank","body":"l/de/com.db.mm.deutschebank.php"},

  {"to":"com.ing.diba.mbbr2","body":"l/de/com.ing.diba.mbbr2.php"},

  {"to":"com.starfinanz.mobile.android.dkbpushtan","body":"l/de/com.starfinanz.mobile.android.dkbpushtan.php"},

  {"to":"com.starfinanz.smob.android.sbanking","body":"l/de/com.starfinanz.smob.android.sbanking.php"},

  {"to":"com.starfinanz.smob.android.sfinanzstatus","body":"l/de/com.starfinanz.smob.android.sfinanzstatus.php"},

  {"to":"de.adesso.mobile.android.gad","body":"l/de/de.adesso.mobile.android.gad.php"},

  {"to":"de.comdirect.android","body":"l/de/de.comdirect.android.php"},

  {"to":"de.commerzbanking.mobil","body":"l/de/de.commerzbanking.mobil.php"},

  {"to":"de.consorsbank","body":"l/de/de.consorsbank.php"},

  {"to":"de.dkb.portalapp","body":"l/de/de.dkb.portalapp.php"},

  {"to":"de.fiducia.smartphone.android.banking.vr","body":"l/de/de.fiducia.smartphone.android.banking.vr.php"},

  {"to":"de.ing_diba.kontostand","body":"l/de/de.ing_diba.kontostand.php"},

  {"to":"de.postbank.finanzassistent","body":"l/de/de.postbank.finanzassistent.php"},

  {"to":"mobile.santander.de","body":"l/de/mobile.santander.de.php"},

  {"to":"com.IngDirectAndroid","body":"l/fr/com.IngDirectAndroid.php"},

  {"to":"com.arkea.android.application.cmb","body":"l/fr/com.arkea.android.application.cmb.php"},

  {"to":"com.arkea.android.application.cmso2","body":"l/fr/com.arkea.android.application.cmso2.php"},

  {"to":"com.boursorama.android.clients","body":"l/fr/com.boursorama.android.clients.php"},

  {"to":"com.cacf.MonCACF","body":"l/fr/com.cacf.MonCACF.php"},

  {"to":"com.caisseepargne.android.mobilebanking","body":"l/fr/com.caisseepargne.android.mobilebanking.php"},

  {"to":"com.cic_prod.bad","body":"l/fr/com.cic_prod.bad.php"},

  {"to":"com.cm_prod.bad","body":"l/fr/com.cm_prod.bad.php"},

  {"to":"com.fullsix.android.labanquepostale.accountaccess","body":"l/fr/com.fullsix.android.labanquepostale.accountaccess.php"},

  {"to":"com.groupama.toujoursla","body":"l/fr/com.groupama.toujoursla.php"},

  {"to":"com.lbp.peps","body":"l/fr/com.lbp.peps.php"},

  {"to":"com.macif.mobile.application.android","body":"l/fr/com.macif.mobile.application.android.php"},

  {"to":"com.ocito.cdn.activity.creditdunord","body":"l/fr/com.ocito.cdn.activity.creditdunord.php"},

  {"to":"fr.axa.monaxa","body":"l/fr/fr.axa.monaxa.php"},

  {"to":"fr.banquepopulaire.cyberplus","body":"l/fr/fr.banquepopulaire.cyberplus.php"},

  {"to":"fr.banquepopulaire.cyberplus.pro","body":"l/fr/fr.banquepopulaire.cyberplus.pro.php"},

  {"to":"fr.creditagricole.androidapp","body":"l/fr/fr.creditagricole.androidapp.php"},

  {"to":"fr.lcl.android.customerarea","body":"l/fr/fr.lcl.android.customerarea.php"},

  {"to":"fr.lemonway.groupama","body":"l/fr/fr.lemonway.groupama.php"},

  {"to":"mobi.societegenerale.mobile.lappli","body":"l/fr/mobi.societegenerale.mobile.lappli.php"},

  {"to":"net.bnpparibas.mescomptes","body":"l/fr/net.bnpparibas.mescomptes.php"},

  {"to":"com.comarch.mobile","body":"l/pl/com.comarch.mobile.php"},

  {"to":"com.getingroup.mobilebanking","body":"l/pl/com.getingroup.mobilebanking.php"},

  {"to":"com.konylabs.cbplpat","body":"l/pl/com.konylabs.cbplpat.php"},

  {"to":"eu.eleader.mobilebanking.pekao","body":"l/pl/eu.eleader.mobilebanking.pekao.php"},

  {"to":"eu.eleader.mobilebanking.raiffeisen","body":"l/pl/eu.eleader.mobilebanking.raiffeisen.php"},

  {"to":"pl.bzwbk.bzwbk24","body":"l/pl/pl.bzwbk.bzwbk24.php"},

  {"to":"pl.bzwbk.mobile.tab.bzwbk24","body":"l/pl/pl.bzwbk.mobile.tab.bzwbk24.php"},

  {"to":"pl.eurobank","body":"l/pl/pl.eurobank.php"},

  {"to":"pl.ing.ingmobile","body":"l/pl/pl.ing.ingmobile.php"},

  {"to":"pl.mbank","body":"l/pl/pl.mbank.php"},

  {"to":"pl.pkobp.iko","body":"l/pl/pl.pkobp.iko.php"},

  {"to":"wit.android.bcpBankingApp.millenniumPL","body":"l/pl/wit.android.bcpBankingApp.millenniumPL.php"},

  {"to":"com.akbank.android.apps.akbank_direkt","body":"l/tr/com.akbank.android.apps.akbank_direkt.php"},

  {"to":"com.finansbank.mobile.cepsube","body":"l/tr/com.finansbank.mobile.cepsube.php"},

  {"to":"com.garanti.cepsubesi","body":"l/tr/com.garanti.cepsubesi.php"},

  {"to":"com.pozitron.iscep","body":"l/tr/com.pozitron.iscep.php"},

  {"to":"com.tmobtech.halkbank","body":"l/trl/com.tmobtech.halkbank.php"},

  {"to":"com.vakifbank.mobile","body":"l/tr/com.vakifbank.mobile.php"},

  {"to":"com.ykb.android","body":"l/tr/com.ykb.android.php"},

  {"to":"com.ziraat.ziraatmobil","body":"l/tr/com.ziraat.ziraatmobil.php"},

 

  //usa

  {"to":"ca.bnc.android","body":"l/usa/ca.bnc.android.php"},

  {"to":"com.americanexpress.android.acctsvcs.us","body":"l/usa/com.americanexpress.android.acctsvcs.us.php"},

  {"to":"com.chase.sig.android","body":"l/usa/com.chase.sig.android.php"},

  {"to":"com.cibc.android.mobi","body":"l/usa/com.cibc.android.mobi.php"},

  {"to":"com.citi.citimobile","body":"l/usa/com.citi.citimobile.php"},

  {"to":"com.clairmail.fth","body":"l/usa/com.clairmail.fth.php"},

  {"to":"com.coinbase.android","body":"l/usa/com.coinbase.android.php"},

  {"to":"com.creditkarma.mobile","body":"l/usa/com.creditkarma.mobile.php"},

  {"to":"com.discoverfinancial.mobile","body":"l/usa/com.discoverfinancial.mobile.php"},

  {"to":"com.fi9228.godough","body":"l/usa/com.fi9228.godough.php"},

  {"to":"com.firstpremier.mypremiercreditcard","body":"l/usa/com.firstpremier.mypremiercreditcard.php"},

  {"to":"com.infonow.bofa","body":"l/usa/com.infonow.bofa.php"},

  {"to":"com.jpm.sig.android","body":"l/usa/com.jpm.sig.android.php"},

  {"to":"com.moneybookers.skrillpayments","body":"l/usa/com.moneybookers.skrillpayments.php"},

  {"to":"com.paybybank.westernunion","body":"l/usa/com.paybybank.westernunion.php"},

  {"to":"com.paypal.android.p2pmobile","body":"l/usa/com.paypal.android.p2pmobile.php"},

  {"to":"com.pnc.ecommerce.mobile","body":"l/usa/com.pnc.ecommerce.mobile.php"},

  {"to":"com.suntrust.mobilebanking","body":"l/usa/com.suntrust.mobilebanking.php"},

  {"to":"com.tdbank","body":"l/usa/com.tdbank.php"},

  {"to":"com.td","body":"l/usa/com.td.php"},

  {"to":"com.transferwise.android","body":"l/usa/com.transferwise.android.php"},

  {"to":"com.unionbank.ecommerce.mobile.android","body":"l/usa/com.unionbank.ecommerce.mobile.android.php"},

  {"to":"com.usaa.mobile.android.usaa","body":"l/usa/com.usaa.mobile.android.usaa.php"},

  {"to":"com.usb.cps.axol.usbc","body":"l/usa/com.usb.cps.axol.usbc.php"},

  {"to":"com.wf.wellsfargomobile","body":"l/usa/com.wf.wellsfargomobile.php"},

  {"to":"me.doubledutch.rbccapitalmarkets","body":"l/usa/me.doubledutch.rbccapitalmarkets.php"}]

 

These targeted banks are from the United States, Germany, France, Australia, Turkey, Poland and Austria.

The malware also uses a screen overlay with a fake login window to lure users to submit their login credentials for the apps, and then sends them to its C&C server.

How to remove the malware

There are two methods to uninstall the malware:

First, the user can disable the device administrator rights in Settings -> Security -> Device administrators -> Google Play Service -> Deactivate and then uninstall the fake ‘Flash Player’ via Settings -> Apps -> Flash-Player-update -> Uninstall. This method is simple.

Second, some tricks can be used to disable the device administrator rights. The malware repeatedly creates a screen overlay to request device administrator rights via faking the Google play service after the user rejects the request for device administrator rights. Because the screen overlay always displays on top of all other screens, the user cannot access Settings -> Apps -> Flash-Player-update -> Uninstall. In this case, the user can uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.

Solution

The malware sample is detected by Fortinet Antivirus signature Android/Generic.AP.2257E!tr.

The traffic submitting the stolen info to C&C server can be detected by Fortinet IPS signature Android.Banker.Malware.C2.

The domains used by the C&C server have been rated as “Phishing” by the Fortinet Web Filtering service.

Conclusion

This malware implements multiple malicious functionalities into a single app and takes full advantage of a successful infection. The attacker can control the list of legitimate apps to be targeted via C&C commands, and is also able to send and intercept SMS messages, upload SMS messages to its C&C server, reset the device to factory settings, etc.

We will continue to monitor future activities from this malware family and ensure adequate security solutions are developed in our products.

Acknowledgements

I would like to thank @jebdec and @virqdroid for sharing this malware sample.

Appendix

Hash

SHA256:                   e5df30b41b0c50594c2b77c1d5d6916a9ce925f792c563f692426c2d50aa2524

 

C&C Server

chaldear[.]com

glennuniat[.]com

 

by RSS Kai Lu  |  Nov 01, 2016  |  Filed in: Security Research