Android banking Trojan stalks Google Play - again

27 Sep 2017

It’s a case of déjà vu for one particular Android banking Trojan, which has popped up again after being removed from Google Play at the start of the year.

The newest version of the BankBot Trojan was spotted in ‘Jewels Star Classic’, a knockoff of the popular Jewels Star game series, published under the developer name ITREEGAMER.

ESET researcher Lukas Stefanko says BankBot is a remotely controlled Android banking Trojan that harvests banking details using fake login forms for many apps, intercepts text messages to bypass two-factor authentication, and displays unsolicited push notifications.

The game itself works normally, but the banking malware is launched the first time the user runs the app. The malicious service is triggered only after a 20-minute delay.

A dialogue then asks the user to launch ‘Google Service’; clicking ‘OK’ creates a new service, whose description appears to be taken from Google’s original terms of service.

“When the user decides to activate the service, they see a list of required permissions: Observe your actions, Retrieve window content, Turn on Explore by Touch, Turn on enhanced web accessibility and Perform gestures,” Stefanko states.

“Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity.”

“In practice, after accepting the permissions, the user is briefly denied access to their screen due to ‘Google service update’ – needless to say, not initiated by Google – running in the foreground.”

The malware then abuses the accessibility permissions while the fake system update appears to run. The Trojan can:

  • Allow installing apps from unknown sources
  • Install BankBot from assets and launch it
  • Activate device administrator for BankBot
  • Set BankBot as default SMS messaging app
  • Obtain permission to draw over other apps

It then attempts to steal credit card details by overlaying the genuine Google Play app with a fake form that requests victims’ credit card details. If users fall for it, attackers now have access to the data. They can then bypass two-factor SMS authentication for a user’s banking login and gain full access to accounts.

The Trojan is the first variant in its history to combine all aspects of its evolution including code obfuscation, sophisticated payload dropping and an infection method that uses Android Accessibility Service.

Stefanko says BankBot is dangerous because it is difficult for users to identify the threat, thanks to the 20-minute time delay and Google impersonation.

Researchers have alerted Google about the malicious app. Approximately 5000 users installed it before it was removed from Google Play.

ESET offers the following tips for those who download various apps from Google Play.

Checking your device for Jewels Star Classic is not enough, as the attackers frequently change the apps misused for BankBot’s distribution. To see if your device has been infected, we recommend you check for the following indicators:

  • Presence of an app named “Google Update” (found under Settings > Application manager/Apps > Google Update)
  • Active device administrator named “System update” (found under Settings > Security > Device administrators)
  • Repeated appearance of the “Google Service” alert
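The accessibility-abuse chain described above and the three indicators in this list both come down to a few device settings that can be read and checked in bulk. The following triage helper is an added example written for this article, not ESET's tooling or anything from the original report. It assumes you have already pulled three things from a device: the value of the secure setting enabled_accessibility_services (a colon-separated list of "package/Class" component names, which is how Android stores it), the list of installed app labels, and the list of active device-administrator labels. The sample values, the package name com.example.dropper and the trusted-services allowlist are all constructed for the demonstration.

```python
"""Offline triage for the BankBot indicators quoted in the article.

Added example, not from the article or from ESET. Inputs are assumed to have
been collected from the device beforehand (e.g. the enabled_accessibility_services
secure setting plus app and device-admin labels); every sample below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Labels the article names as indicators of a BankBot infection (case-insensitive).
SUSPICIOUS_APP_LABELS = {"google update"}
SUSPICIOUS_ADMIN_LABELS = {"system update"}

# Hypothetical allowlist: accessibility services an organisation has vetted.
# TalkBack is a real Google screen reader; everything else is treated as untrusted.
TRUSTED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(setting: str) -> list[tuple[str, str]]:
    """Split an enabled_accessibility_services value into (package, class) pairs.

    The setting is empty or the literal string "null" when nothing is enabled.
    Entries are ':'-separated and written "package/Class" or "package/.Relative",
    where a leading '.' means the class lives under the package's namespace.
    """
    if not setting or setting.strip() == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in setting.strip().split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


@dataclass
class Findings:
    suspicious_apps: list[str] = field(default_factory=list)
    suspicious_admins: list[str] = field(default_factory=list)
    untrusted_accessibility: list[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        """True when any indicator fired; a human still has to confirm."""
        return bool(self.suspicious_apps or self.suspicious_admins or self.untrusted_accessibility)


def check_indicators(app_labels: list[str], admin_labels: list[str],
                     accessibility_setting: str) -> Findings:
    """Match collected device data against the article's indicators."""
    f = Findings()
    f.suspicious_apps = [a for a in app_labels if a.strip().lower() in SUSPICIOUS_APP_LABELS]
    f.suspicious_admins = [a for a in admin_labels if a.strip().lower() in SUSPICIOUS_ADMIN_LABELS]
    for package, cls in parse_accessibility_services(accessibility_setting):
        # Any accessibility service outside the allowlist gets the same scrutiny
        # the article recommends for accessibility-related permission requests.
        if package not in TRUSTED_ACCESSIBILITY_PACKAGES:
            f.untrusted_accessibility.append(cls)
    return f


# Constructed sample data mimicking an infected device.
SAMPLE_APP_LABELS = ["Jewels Star Classic", "Google Update", "Chrome"]
SAMPLE_ADMIN_LABELS = ["System update"]
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/.AccessService"  # hypothetical dropper service
)

if __name__ == "__main__":
    result = check_indicators(SAMPLE_APP_LABELS, SAMPLE_ADMIN_LABELS, SAMPLE_ACCESSIBILITY)
    print("flagged:", result.flagged)
    print("apps:", result.suspicious_apps)
    print("device admins:", result.suspicious_admins)
    print("untrusted accessibility services:", result.untrusted_accessibility)
```

The label checks are deliberately exact because the article gives exact names; the accessibility check is broader, since a dropper can rename its service at will but cannot avoid registering it in that setting if it wants the permissions the article describes.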

To avoid downloading mobile malware, ESET suggests the following:

  • Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which is not necessarily the case with alternative stores.
  • When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews.
  • After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for intrusive permissions – even more so if accessibility-related – read them with caution and only grant them if absolutely sure of the app’s reliability.