
Android banking Trojan stalks Google Play - again

27 Sep 17

It’s a case of déjà vu for one particular Android banking Trojan, which has popped up again after being removed from Google Play at the start of the year.

The newest version of the BankBot Trojan was spotted in ‘Jewels Star Classic’, a knockoff of the popular Jewels Star gaming series, published by the developer ITREEGAMER.

ESET researcher Lukas Stefanko says BankBot is a remotely controlled Android banking Trojan that harvests banking details using fake login forms for many apps, intercepts text messages to bypass two-factor authentication, and can also display unsolicited push notifications.

While the game itself works normally, the banking malware is triggered the first time users run the app, with a 20-minute delay before the malicious service starts.

A dialogue then prompts users to launch ‘Google Service’; clicking ‘OK’ creates a new service whose description is lifted from Google’s own terms of service.

“When the user decides to activate the service, they see a list of required permissions: Observe your actions, Retrieve window content, Turn on Explore by Touch, Turn on enhanced web accessibility and Perform gestures,” Stefanko states.

“Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity.”

“In practice, after accepting the permissions, the user is briefly denied access to their screen due to ‘Google service update’ – needless to say, not initiated by Google – running in the foreground.”

The malware then abuses the accessibility permissions while the screen shows the fake update. The Trojan can:

  • Allow installing apps from unknown sources
  • Install BankBot from assets and launch it
  • Activate device administrator for BankBot
  • Set BankBot as default SMS messaging app
  • Obtain permission to draw over other apps

It then attempts to steal credit card details by overlaying the genuine Google Play app with a fake form requesting the victim’s card details. Once a user enters them, the attackers hold the data and, with the Trojan installed as the default SMS app, can bypass SMS-based two-factor authentication for the user’s banking login and gain full access to accounts.

The Trojan is the first variant in its history to combine all aspects of its evolution including code obfuscation, sophisticated payload dropping and an infection method that uses Android Accessibility Service.

Stefanko says BankBot is dangerous because it is difficult for users to identify the threat, thanks to the 20-minute time delay and Google impersonation.

Researchers have alerted Google about the malicious app. Approximately 5000 users installed it before it was removed from Google Play.

ESET offers the following tips for those who download various apps from Google Play.

Checking your device for Jewels Star Classic is not enough, as the attackers frequently change the apps misused for BankBot’s distribution. To see if your device has been infected, we recommend you check for the following indicators:

  • Presence of an app named “Google Update” (found under Settings > Application manager/Apps > Google Update)
  • Active device administrator named “System update” (found under Settings > Security > Device administrators)
  • Repeated appearance of the “Google Service” alert
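The indicators above, and the accessibility, device-administrator and default-SMS powers the Trojan grabs, can be checked programmatically from an on-device tool. The helper below is an added example written for this article and is not ESET’s code or part of the analysis; it uses only public Android framework APIs. The KNOWN_GOOD allow-list is a placeholder assumption (a real deployment would fill it with the packages the handset legitimately lets hold accessibility powers), and enumerating every installed app on Android 11 and later assumes the QUERY_ALL_PACKAGES permission.

```java
// Added example, not from the article or ESET: on-device check for the BankBot
// indicators described above. Package names in KNOWN_GOOD are assumed placeholders.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.provider.Telephony;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class BankBotIndicatorCheck {

    // Assumed allow-list of packages expected to hold an enabled accessibility service.
    private static final Set<String> KNOWN_GOOD = new HashSet<>(Arrays.asList(
            "com.example.trusted.accessibility"));   // placeholder entry, not a real package

    private BankBotIndicatorCheck() {}

    // Returns human-readable findings; an empty list means none of the indicators matched.
    // Seeing every installed app on Android 11+ requires QUERY_ALL_PACKAGES (assumption).
    public static List<String> collectIndicators(Context ctx) {
        List<String> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();

        // Indicator 1: a non-system app whose launcher label is "Google Update".
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            String label = String.valueOf(pm.getApplicationLabel(ai)).trim();
            boolean systemApp = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!systemApp && label.equalsIgnoreCase("Google Update")) {
                findings.add("Installed app labelled 'Google Update': " + ai.packageName);
            }
        }

        // Indicator 2: an active device administrator labelled "System update".
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins != null) {
            for (ComponentName admin : admins) {
                String label;
                try {
                    label = String.valueOf(pm.getReceiverInfo(admin, 0).loadLabel(pm)).trim();
                } catch (PackageManager.NameNotFoundException e) {
                    label = "";
                }
                if (label.equalsIgnoreCase("System update")) {
                    findings.add("Device admin labelled 'System update': "
                            + admin.flattenToShortString());
                }
            }
        }

        // Indicator 3: accessibility services enabled for packages outside the allow-list.
        // The setting holds a colon-separated list of flattened component names.
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled != null && !enabled.isEmpty()) {
            for (String flat : enabled.split(":")) {
                ComponentName cn = ComponentName.unflattenFromString(flat);
                if (cn != null && !KNOWN_GOOD.contains(cn.getPackageName())) {
                    findings.add("Accessibility service enabled outside allow-list: " + flat);
                }
            }
        }

        // Indicator 4: report the default SMS handler, since BankBot makes itself the
        // default SMS app to read two-factor codes; the reviewer confirms it is the
        // handset's normal messaging app.
        String smsApp = Telephony.Sms.getDefaultSmsPackage(ctx);
        if (smsApp != null) {
            findings.add("Default SMS app (verify this is the expected messenger): " + smsApp);
        }
        return findings;
    }
}
```

Each finding is reported rather than acted on, so the check is safe to run on a device whose state is unknown; the accessibility list is the most useful signal, because the article’s infection chain depends entirely on the user granting that one service.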

To avoid downloading mobile malware, ESET suggests the following:

  • Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which doesn’t have to be the case with alternative stores.
  • When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews.
  • After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for intrusive permissions – even more so if accessibility-related – read them with caution and only grant them if absolutely sure of the app’s reliability.