
Android banking Trojan stalks Google Play - again

27 Sep 2017

It’s a case of déjà vu for one particular Android banking Trojan, which has popped up again after being removed from Google Play at the start of the year.

The newest version of the BankBot Trojan was spotted in ‘Jewels Star Classic’, a knockoff of the popular Jewels Star gaming series, published under the developer name ITREEGAMER.

ESET researcher Lukas Stefanko says BankBot is a remotely controlled Android banking Trojan that harvests banking credentials using fake login forms for a large number of apps, intercepts text messages to bypass SMS-based two-factor authentication, and can also display unsolicited push notifications.

The game itself works as advertised, which is part of the cover: the malicious component is started the first time the user runs the app, but it waits 20 minutes before it does anything visible.

After that delay a dialogue appears asking the user to enable something called ‘Google Service’. Clicking ‘OK’ takes the user to a newly created accessibility service of that name, whose description is lifted from Google’s genuine terms of service to make it look legitimate.

“When the user decides to activate the service, they see a list of required permissions: Observe your actions, Retrieve window content, Turn on Explore by Touch, Turn on enhanced web accessibility and Perform gestures,” Stefanko states.

“Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity.”

“In practice, after accepting the permissions, the user is briefly denied access to their screen due to ‘Google service update’ – needless to say, not initiated by Google – running in the foreground.”

Behind that fake update screen, the malware abuses its newly granted accessibility permissions to click through the system dialogues on the user’s behalf. The Trojan can:

  • Allow installing apps from unknown sources
  • Install BankBot from assets and launch it
  • Activate device administrator for BankBot
  • Set BankBot as default SMS messaging app
  • Obtain permission to draw over other apps

The dropped BankBot then goes after payment card details by overlaying the genuine Google Play app with a fake form requesting the victim’s credit card information. If the user fills it in, the attackers have the card data; and because the malware is now the default SMS app, it can read incoming one-time codes, bypass SMS-based two-factor authentication on the victim’s banking login, and gain full access to the account.

This is the first BankBot variant to combine all of the techniques seen across its evolution: code obfuscation, sophisticated payload dropping, and an infection method that abuses the Android Accessibility Service.

Stefanko says BankBot is dangerous because it is difficult for users to identify the threat, thanks to the 20-minute time delay and Google impersonation.

Researchers have alerted Google about the malicious app. Approximately 5000 users installed it before it was removed from Google Play.

ESET offers the following tips for those who download various apps from Google Play.

Checking your device for Jewels Star Classic is not enough, as the attackers frequently change the apps misused for BankBot’s distribution. To see whether your device has been infected, we recommend you look for the following indicators:

  • Presence of an app named “Google Update” (found under Settings > Application manager/Apps > Google Update)
  • Active device administrator named “System update” (found under Settings > Security > Device administrators)
  • Repeated appearance of the “Google Service” alert
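The indicators above are the user-visible side of the five persistence steps listed earlier (accessibility service, device administrator, default SMS app, unknown sources, draw over other apps). For a triage from a workstation, the same state can be pulled over `adb` and checked mechanically. The script below is an added example, not ESET’s tooling or anything from the original article: it parses the raw text that `adb shell settings get secure …`, `adb shell dumpsys device_policy` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` print on an Android 7-era device, and flags any of those five states held by a package outside a small allowlist. The page gives only app labels (“Google Update”, “System update”), not package names, so the script works from component names; the package `com.example.jewels`, the allowlist and all SAMPLE_* output are constructed for the example, and the exact dumpsys/appops line formats are assumed.

```python
"""Offline triage of an Android device for the five persistence steps
BankBot's dropper performs.  The parsers take the raw text that
`adb shell settings get secure ...`, `adb shell dumpsys device_policy`
and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` print; the SAMPLE_*
strings are constructed for this example and `com.example.jewels`
is a hypothetical package, not BankBot's real one."""

import re

# Packages whose accessibility services, device admins or SMS role a
# stock device legitimately has.  Assumed allowlist: a sideloaded APK can
# claim any package name, so treat a hit here as "probably fine", not proof.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")


def package_of(component):
    return component.split("/", 1)[0]


def untrusted(component):
    return not package_of(component).startswith(TRUSTED_PREFIXES)


def parse_enabled_accessibility(raw):
    """`settings get secure enabled_accessibility_services` is a
    colon-separated list of pkg/cls component names, or 'null'."""
    raw = raw.strip()
    return [] if raw in ("", "null") else [c for c in raw.split(":") if c]


def parse_device_admins(dumpsys):
    """Under 'Enabled Device Admins' dumpsys lists each active admin on its
    own indented line as 'pkg/cls:' (Android 7-era format, assumed)."""
    return re.findall(r"^\s+([\w.]+/[\w.$]+):\s*$", dumpsys, re.M)


def overlay_allowed(appops):
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints 'SYSTEM_ALERT_WINDOW: allow ...'
    when the app may draw over other apps and 'No operations.' otherwise (assumed)."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops))


def triage(a11y, device_policy, default_sms, unknown_sources, appops_by_pkg):
    """Return (indicator, detail) findings; an empty list means none of
    the dropper's five persistence steps is visible in the device state."""
    findings = []
    for svc in parse_enabled_accessibility(a11y):
        if untrusted(svc):
            findings.append(("accessibility_service", svc))
    for admin in parse_device_admins(device_policy):
        if untrusted(admin):
            findings.append(("device_admin", admin))
    sms = default_sms.strip()  # settings get secure sms_default_application
    if sms and sms != "null" and untrusted(sms):
        findings.append(("default_sms_app", sms))
    if unknown_sources.strip() == "1":  # settings get secure install_non_market_apps (pre-Oreo)
        findings.append(("unknown_sources", "install_non_market_apps=1"))
    for pkg, out in appops_by_pkg.items():
        if untrusted(pkg) and overlay_allowed(out):
            findings.append(("draw_over_apps", pkg))
    return findings


# Constructed sample output, mimicking an infected Android 7 device.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.jewels/com.example.jewels.GoogleService")
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.jewels/com.example.jewels.SystemUpdateAdmin:
      uid=10123
      policies:
        force-lock
"""
SAMPLE_DEFAULT_SMS = "com.example.jewels"
SAMPLE_UNKNOWN_SOURCES = "1"
SAMPLE_APPOPS = {
    "com.example.jewels": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m5s ago",
    "com.google.android.apps.maps": "No operations.",
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_A11Y, SAMPLE_DEVICE_POLICY,
                                    SAMPLE_DEFAULT_SMS, SAMPLE_UNKNOWN_SOURCES,
                                    SAMPLE_APPOPS):
        print(f"{indicator:22s} {detail}")
```

To run it against a real handset, replace the SAMPLE_* values with the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy`, `adb shell settings get secure sms_default_application`, `adb shell settings get secure install_non_market_apps` and, for each suspect package, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`. A legitimate third-party SMS client or screen reader will also be flagged; the point is to surface every package holding one of these five capabilities so an analyst can look at it, not to decide on its own.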

To avoid downloading mobile malware, ESET suggests the following:

  • Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which is not necessarily the case with alternative stores.
  • When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews.
  • Once you run anything you have installed on your mobile device, pay attention to the permissions and rights it requests. If an app asks for intrusive permissions, and especially for accessibility-related ones, read them carefully and grant them only if you are absolutely sure of the app’s reliability.