Quick Heal detects banking Trojans imitating popular social media and banking apps in India

Credit to Author: Bajrang Mane| Date: Tue, 05 Jun 2018 13:40:33 +0000

Quick Heal Security Labs has spotted two banking Trojans that imitate some popular social media and banking apps. While doing so, they gain access to security permissions on the infected device that allow them to steal the user’s banking credentials. The malware does this by displaying a fake window that asks for a debit/credit card number.

Technical analysis of the first banking Trojan that imitates social media apps

App name: Adobe Flash Player (fake)
Package Name: com.note.donote
MD5: ef3a283136bd24e745c43619118d4ff2
Size: 520 KB

The banking Trojan masks itself with the icon of Adobe Flash Player to trick users. If installed, it asks for Device Administrator rights. If the user selects ‘Cancel’, it keeps asking for the permission until the user selects the ‘Activate’ button. After this, it hides its icon.

Fig 1. Asking for Device Admin permission

After gaining Device Administrator rights, the malware sends a text message containing the device ID to a premium-rate number without the user’s permission.

Fig 2. User balance deduction and sending device info via SMS

In the background, the Trojan searches for the most frequently used apps. The malware maintains two lists. The first list mostly comprises the social and browsing apps it imitates.

Popular applications maintained in the first list:

com.whatsapp
com.skype.raider
com.facebook.katana
com.instagram.android
com.android.chrome
com.twitter.android
com.android.calendar
jp.naver.line.android
com.android.vending
com.viber.voip

When a user opens any of these applications, the Trojan displays a fake window asking for a debit/credit card number. Until the user provides this number, the malware does not allow access to Google Play or the other apps in the list above.

Fig 3. Overlaying social and browsing apps with a window asking for a debit/credit card number

Fig 4. Posting card details on a URL

If the user enters the card number, the banking Trojan collects this information and sends it to a malicious server (hxxp://nikorg.com/1/).

The other list comprises 60 banking and finance related apps. When a user opens any of these apps, the Trojan displays an overlay web page and does not allow the user to perform any activity until the user stops it. At the time of our analysis, the malicious server did not serve a page resembling the app imitated by the Trojan; instead, a blank white page was displayed over the app.

Fig 5. Overlaying bank application with the web page

Fig 6. Apps of banks with overlaying web URLs

Popular applications maintained in the second list:

pl.mbank (mBank PL)
com.db.mm.deutschebank (Meine Bank)
pl.ing.ingmobile (ING Bankieren)
com.konylabs.cbplpat (Citi Handlowy)
com.paypal.android.p2pmobile (PayPal)
com.commbank.netbank (CommBank)

The Trojan also steals incoming messages, which may contain an OTP or other information, and sends them to the malicious server.

Fig 7. Sending incoming messages to a URL

Technical analysis of the second banking Trojan that imitates banking apps

App name: Update
Package name: anubis.bot.myapplication
MD5: cc76a822b8bd66350a78db70998650ca
Size: 149 KB

During installation, the app asks the user to enable the Google Play service. Once this is enabled, the malicious app hides its icon. If the user later turns off the Google Play service, the app keeps showing the message to enable it in a loop and also restricts the user from starting any other activity on the device.

Fig 8. Malicious app icon

Fig 9. Repeatedly asking for Google pro service permission

In the background, the malware keeps searching for the apps named in its list. If one is found, it shows a notification on behalf of that app, displays a similar login page and steals the user’s credentials.

Fig 10. Creates a notification message according to the app maintained in the list of the malware

At the time of analysis, the C&C server (hxxp://46.254.16.53) was not functional, so we were unable to monitor the dynamic activity of the app. The banking Trojan uses commands to get the user’s personal information such as contacts, messages (to get the OTP), location details, etc.

Fig 11. Stealing personal information using commands

Fig 12. Names of apps of banks in India

There are other apps mentioned in the list that are related to banking, shopping and cryptocurrency. Some of the…
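As an added example (not Quick Heal's code), the indicators and the first Trojan's behaviour reported above can be applied to an app inventory as follows. The inventory field names, the sample records and the choice of the two SMS permissions are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators copied from the article above (URLs are defanged as published).
IOC_PACKAGES = {"com.note.donote", "anubis.bot.myapplication"}
IOC_MD5 = {"ef3a283136bd24e745c43619118d4ff2",
           "cc76a822b8bd66350a78db70998650ca"}
IOC_URLS = ["hxxp://nikorg.com/1/", "hxxp://46.254.16.53"]
# Assumption: these permissions stand in for the SMS behaviour described.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

def host_of(url):
    """Return the lower-cased host of a URL, accepting hxxp/[.] defanging."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").lower()

IOC_HOSTS = {host_of(u) for u in IOC_URLS}

def triage(app):
    """Return the reasons an app inventory record deserves analyst review."""
    reasons = []
    if app.get("package") in IOC_PACKAGES:
        reasons.append("ioc:package")
    if app.get("md5", "").lower() in IOC_MD5:
        reasons.append("ioc:md5")
    if any(host_of(u) in IOC_HOSTS for u in app.get("urls", [])):
        reasons.append("ioc:host")
    # Behaviour of the first Trojan: Device Administrator rights, a hidden
    # launcher icon, and SMS send/receive capability. Catches renamed builds.
    if (app.get("device_admin") and not app.get("launcher_icon", True)
            and SMS_PERMS <= set(app.get("permissions", []))):
        reasons.append("behaviour:admin+hidden+sms")
    return reasons

# Constructed sample inventory (hypothetical MDM export fields, not real data).
INVENTORY = [
    {"package": "com.note.donote", "md5": "EF3A283136BD24E745C43619118D4FF2",
     "device_admin": True, "launcher_icon": False,
     "permissions": sorted(SMS_PERMS), "urls": ["http://nikorg.com/1/"]},
    {"package": "com.example.renamed", "md5": "0" * 32,
     "device_admin": True, "launcher_icon": False,
     "permissions": sorted(SMS_PERMS), "urls": []},
    {"package": "com.example.notes", "md5": "1" * 32, "device_admin": False},
]

for app in INVENTORY:
    print(app["package"], triage(app) or "no findings")
```

The behavioural rule is a review trigger, not a verdict: legitimate device-management apps can match it, so a hit without an accompanying indicator match needs manual inspection.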
http://blogs.quickheal.com/feed/