by RSS Kai Lu  |  Nov 18, 2016  |  Filed in: Security Research

Summary

We recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching.

Install the malware

The malware masquerades as an email app. Once installed, its icon appears in the launcher, as shown below.

 

Figure 1. Malware App Icon

 

Figure 2. Request device administrator rights

 

Like the Android malware in my previous blog (android banker malware masquerades as Flash Player targeting large banks), this malware tricks the user into providing the device with administrator rights. The fake email icon (the malware app) is then hidden from the launcher, but the malware remains active in the background.

The permissions available to this malware app are shown below.

Figure 3. Permissions of the malware

As you can see, it now owns some dangerous permissions, such as “directly call phone number,,”send SMS messages,” “receive text messages (SMS),” etc.

How the malware works

Here is a detailed technical analysis on how the malware works. The following is the key snippet code used when the malware starts launching.

Using the above code, the malware starts three services (GPService2, FDService and AdminRightsService) and hides its icon. These services continue to run in the background.

Next, we analyze three services run by this malware.

 

1. GPService2 Service

This service runs in the background and monitors all running processes on the device, and also attacks the targeted banks. It prompts the user with a customized screen overlay that resembles the legitimate banking app when that app is launched. It includes a different customized login screen for each bank. Additionally, this monitoring service also tries to hinder some anti-virus mobile apps and service utilities, preventing them from launching.

The following is the key code used in the implementation of GPService2.

List v3 is stored with the running process names. Following is the definition of the class com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.

From the above code, we can see that com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.a is the package name of this malware, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.b stores the targeted banks and their payload urls, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.c should be the targeted apps list in the future, which will be confirmed in our analysis, and com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d stores the targeted anti-virus apps.

The definition of the i.b function is shown below.

Using the above code the malware can detect when the user is launching an anti-virus app. The malware then checks to see if this anti-virus app is on the list com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d. If yes, it returns to the HOME launcher screen and then hinders the anti-virus app from launching.

Next is the definition of the this.a function.

The function is mainly used to communicate with the C2 server to request and receive the appropriate payload for each targeted bank. It uses a customized webview overlay on the top of the legitimate app. The following is the implementation of DialogCustomWeb.

2. FDService Service

This service runs in the background and monitors all running processes on the device. It also attacks the targeted app list. The targeted app list is currently empty. The author probably intends to add new targeted apps in the future. We speculate that it may also include some popular social media apps. It then prompts the user with a fake google play card screen overlay that resembles the legitimate app when that app is launched. We will continue to monitor this malware family and report if new targeted apps are added in the future.

The following is the key code in the implementation of FDService.

 

The variable com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.c is currently empty. DialogGooglePlayCard is a faked activity of the Google play card that overlays on top of the legitimate app and lures the user into submitting their credit card info.

3. AdminRightsService Service

This service requests device administrator rights when the malware is launched for the first time. Once done, this makes the app more difficult to remove.

Stealing info from victims and getting commands from C&C

After the malware is installed, it collects information about the device, sends it to its C&C server, and waits for the server to respond with new commands to carry out.

The following code snippet is used to parse the server response and execute new commands.

com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.b.ap is "Server response: ".
com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.b.af is "OK".
com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.b.ag is "command".
com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.b.ah is "params".
com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.b.ai is "timestamp".

 

The class APIHandlerFactory is used to handle the commands received from the C2 server.

 

@Keep public static a invoke_getHnd(String arg1) {
        n v0_2;
        if(arg1.contains(b.h)) {
            com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.i v0 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.i();
        }
        else if(arg1.contains(b.o)) {
            l v0_1 = new l();
        }
        else if(arg1.contains(b.j)) {
            v0_2 = new n();
        }
        else if(arg1.contains(b.i)) {
            p v0_3 = new p();
        }
        else if(arg1.contains(b.p)) {
            d v0_4 = new d();
        }
        else if(arg1.contains(b.G)) {
            com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.b v0_5 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.b();
        }
        else if(arg1.contains(b.q)) {
            com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.c v0_6 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.c();
        }
        else if(arg1.contains(b.r)) {
            r v0_7 = new r();
        }
        else if(arg1.contains(b.s)) {
            q v0_8 = new q();
        }
        else if(arg1.contains(b.t)) {
            s v0_9 = new s();
        }
        else if(arg1.contains(b.u)) {
            o v0_10 = new o();
        }
        else if(arg1.equals(b.v)) {
            h v0_11 = new h();
        }
        else if(arg1.equals(b.w)) {
            g v0_12 = new g();
        }
        else if(arg1.equals(b.x)) {
            com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.a v0_13 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.a();
        }
        else if(arg1.equals(b.l)) {
            j v0_14 = new j();
        }
        else if(arg1.equals(b.m)) {
            m v0_15 = new m();
        }
        else if(arg1.equals(b.y)) {
            k v0_16 = new k();
        }
        else {
            a v0_17 = null;
        }

        return ((a)v0_2);
    }
}

 

The malware can receive the following commands from the C2 server.

rent&&&: start intercepting all incoming SMS messages;
sms_stop&&&: stop intercepting incoming SMS messages;
sent&&&: send a text message;
ussd&&&: send a USSD request;
delivery&&&: send SMS messages to all contact list numbers;
api_server: change the address of the command and C2 server;
Appmass: send mass text messages
windowStop: add a specified app to the exclusion list so that when the app is launched, the phishing screen is not displayed;
windowStart: delete a specified app from the exclusion list;
windowsnew: download an updated targeted apps list from C2 server;
updateInfo: send information collected from device to C2 server;
freedialog: display a templated-based dialog using Webview;
freedialogdisable: cancel the display of the Webview dialog;
adminPhone: change the phone number used to send SMS messages
killStart: set a password for screenlock;
killStop: clear the password from screenlock;
notification: display a notification with the received parameters.

 

The device info, which is collected and sent to the C&C server, includes the device IMEI, the ISO country code, its Android build version, the device model, and the phone number. The traffic is shown below. The malware communicates with the C2 server via HTTPS. Following are the decrypted request and response packets.

The version info may be the creation date of the malware app, which is 11/06/16.

The malware app can also collect the installed app list and send it to C2.

Next, we see how to execute the command ‘killStart’ to set a new password for the screenlock.

The function t.a is used to reset a new password for screenlock. When the malware receives the command “killStart” from C2 server, it sets the password as 9991. Additionally, we also found other code that called the function t.a and set the password to 8320.

Target large bank apps in Germany

We found that there are 15 banking apps in the targeted app list, as shown below.

It is entirely possible that additional banks or other organizations could be added in future releases of this malware.

Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials.

There is a different customized login screen for each bank targeted by this malware.

Stealing authentication information

We will now analyze the process used to steal authentication information through a targeted bank app overlay. This process is identical for any of the overlays the malware inserts for any of the targeted banks.

The following shows the traffic captured when the malware downloads the fake bank payload from its C2 server. The C2 server provides a customized login screen that is used as an overlay on top of the legitimate app.

Once the user submits the authentication information, the malware sends the info to its C2 Server. It communicates with the C2 server via HTTPS.

Resistance to anti-virus mobile apps

The malware also tries to hinder some anti-virus mobile apps and service utilities by preventing them from launching. These apps include:

com.qihoo.security                                                          
com.antivirus                                                               
com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster             
com.antivirus.tabletcom.nqmobile.antivirus20                                
com.kms.free                                                                
com.drweb                                                                   
com.trustlook.antivirus                                                      
com.eset.ems2.gp                                                            
com.eset.ems.gp                                                             
com.symantec.mobilesecurity                                                  
com.duapps.antivirus                                                        
com.piriform.ccleaner                                                       
com.cleanmaster.mguard                                                      
com.cleanmaster.security                                                    
com.sonyericsson.mtp.extension.factoryreset                                 
com.anhlt.antiviruspro                                                      
com.cleanmaster.sdk                                                          
com.qihoo.security.lite                                                     
oem.antivirus                                                               
com.netqin.antivirus                                                         
droiddudes.best.anitvirus                                                   
com.bitdefender.antivirus                                                   
com.dianxinos.optimizer.duplay                                               
com.cleanmaster.mguard_x8                                                   
com.womboidsystems.antivirus.security.android                               
com.nqmobile.antivirus20.clarobr                                            
com.referplish.VirusRemovalForAndroid                                       
com.cleanmaster.boost                                                       
com.zrgiu.antivirus                                                         
avg.antivirus    

 

How to remove the malware

First, the user can disable the malware’s device administrator rights in Settings -> Security -> Device administrators -> Device Admin -> Deactivate.

Then the user can uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.

Solution

The malware sample is detected by Fortinet Antivirus signature Android/Banker.GT!tr.spy.

The traffic submitting the stolen info to C&C server can be detected by Fortinet IPS signature Android.Banker.German.Malware.C2.

Conclusion

This malware implements multiple malicious functionalities in a single app and takes full advantage of a successful infection. It targets 15 large German banks and displays a customized screen overlay on top of each bank’s legitimate app. It also has functionality for resistance to anti-virus mobile apps, and can hinder 30 different anti-virus programs and prevent them from launching. The attacker can control the list of legitimate apps to be targeted via C&C commands.

We will continue to monitor future activities from this malware family and ensure that an adequate security solution is developed in our products.

Appendix

Hash

SHA256:  216cde0f92e601ec0e65218f9cc13dc22bdf6cb7e46c2d2a22a7dc4488238e1b

C&C Server

polo777555lolo[.]at

polo569noso[.]at

wahamer8lol77j[.]at

 

by RSS Kai Lu  |  Nov 18, 2016  |  Filed in: Security Research

comments powered by Disqus