BankBot is a family of Trojan malware targeting Android devices that surfaced in the second half of 2016. The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications. Once installed, it hides itself and then tricks the user into typing his or her credentials into fake bank web pages that have been injected onto the device’s screen.
The original code of BankBot was divulged on a Russian forum in late 2016, and you can read more about that here.
Over the past few months, new strains of this infamous Android malware family have surfaced in third-party APK markets, as well as in the official Google Play store. FortiGuard Labs decided to analyze some of them, and in this report, I will discuss its evolution over the past 10 months.
In most cases, the application poses as a Flash Player or some kind of Android System tool. Upon installation, it requires a very large number of permissions that look very suspicious. Moreover, from the Manifest we can see that the application is predisposed to ask for even more permissions upon execution.
Figure 1: Permissions
In addition, the classes in the .dex files are usually named using random words that are connected in some way, as if they were picked in succession from a glossary. This is the only sort of obfuscation present in the application and it does not do a great job at it.
FIgure 2: Classes
This specific version of Bankbot has a relatively low detection rate, at around 15-20 hits on VirusTotal. This is in spite of the fact that it uses no obfuscation procedures to hide strings or functionalities.
Figure 3: VirusTotal Detections
Figure 4: Admin Request
Once installed, the application demands Device Admin privileges. In most cases, this request is accompanied by an explanation in Turkish, which suggests that Turkey is the targeted region for this malware campaign.
Once these privileges have been obtained, the application hides by deleting its icon. It then sends device information to the CC server, such as like IMEI, contacts, and SMS messages sent and received.
The application also checks to see if any apps from Turkish financial institutions has been installed on the device. If so, it then displays a webview downloaded from the server of the specific banking site spoofing-page.
Figure 5: Set WebView Injection
Figure 6: Bank Apps
While the banking apps that we checked vary from sample to sample, this campaign seems to be primarily targeting Turkish financial institutions, with some Russian exceptions. It is interesting to note that even when all of the applications are Turkish, the two apps checked in the original version of BankBot (privatbank and ru.mw) never disappear. Apparently, the authors of this campaign were over-excited with the Ctrl + C and Ctrl + V when copying and pasting code from the original malware and did not think to clean the code before repurposing it.
In fact, the code of this sample is very much similar to the code leaked in December 2016, with very few modifications. The two biggest and most evident differences are: Firstly, the injection technique supports more than the two test applications of the published tutorial. And second, it performs a check on all outgoing calls, comparing the number to a hardcoded list of numbers.
Figure 7: Telephone Number List
After a quick web search, it was easy to determine that all of these phone numbers it is searching for are help-lines connected to a number of Turkish financial institutions. The author of the malware made sure to hardcode multiple ways in which a number could be formatted (with and without country code, and with and without multiple leading zeros).
Figure 8: Numbers Format
If the number called by the victim corresponds to any number on the list, the application shuts down the call immediately by calling setResultData(null) on the broadcastReceiver.
Figure 9: Exit Call
The BankBot family has never been famous for having advanced code. These new campaigns that resurface from time to time tend to confirm that trend. However, this is not the problem with this malware. The ease with which anyone can obtain and modify it to create an attack is the main reason why this family remains a real threat.
The samples analyzed for this blogpost ranged from 3 months to less than a week old, showing that this malware family is still very much active and alive.
The CC servers used by this version of Bankbot are not obfuscated, and many of them were taken down merely days after being set up. However, it seems that nearly every month a new version of this campaign hits some new country. While it does not last long, it invariably creates new victims. Over the past few months, we have detected more and more obfuscated versions of BankBot lurking in third-party APK stores as well as in the official Google Play store.
Our customers are protected from this threat: Fortinet detects this malware as Android/Bankbot.HH!tr and Android/Bankbot.AA!tr.
FortiGuard Labs has been monitoring this family since its first appearances in 2016, and will continue to track it and share its findings as new details come to light.
-= FortiGuard Lion Team =-
Targeted Bank apps list
hXXp://b1k51 dot gdn
hXXp://b1j3aas dot life
hXXp://wechaatt dot gdn
hXXp://10as05 dot gdn
hXXp://ch0ck4 dot life
hXXp://fatur1s dot life
hXXp://b5k31 dot gdn
hXXp://erd0 dot gdn
hXXp://b1v2a5 dot gdn
hXXp://b1502b dot gdn
hXXp://elsssee dot gdn
hXXp://kvp41 dot life
hXXp://servertestapi dot ltd
hXXp://taxii dot gdn
hXXp://p0w3r dot gdn
hXXp://4r3a dot gdn
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.