Mobile banking users should be aware of a new Android banking trojan that is targeting customers of major banks in Australia, New Zealand and Turkey. The trojan, detected by ESET security products as Android/Spy.Agent.SI, is capable of stealing login credentials from 20 mobile banking apps. It can also intercept SMS communication between the server and the client, which lets it bypass 2FA security.
The malware masquerades as Flash Player, with a legitimate-looking icon.
It was available on several servers. These servers were registered in late January and February 2016. Interestingly, the URL paths to the malicious APK files are regenerated each hour – maybe to avoid URL detection by antivirus software.
Once the user has downloaded and installed it, the app asks the user to grant it device administrator rights. This serves as a self-defense mechanism that protects the malware from being uninstalled from the device. It then hides the Flash Player icon from the user's view, while the malware keeps running in the background.
After successful installation, the malware communicates with a remote server; this traffic is encoded with base64. On first contact it sends device information such as model type, IMEI number, language, SDK version, and whether device administrator rights are active; this information is then resent to the server every 25 seconds. It also gathers the names of the installed applications and sends them to the remote server. If any of the targets is found on the device, a full list of 49 target apps is sent, although not all of these are directly attacked. The malware does not only target mobile banking apps; it also tries to obtain Google account credentials.
How it works
When one of the targeted mobile banking applications is launched, a fake login screen overlays the original one, with no option to close it.
After the user fills in their personal data, the fake screen closes and the legitimate mobile banking is shown.
As mentioned earlier, all the information exchanged between the device and server is encoded, except for the stolen credentials, which are sent in plain text.
The malware can even bypass 2FA (two-factor authentication) by sending all received text messages to the server if requested. This allows the attacker to intercept all SMS text messages from the bank and immediately remove them from the client device, so as not to attract any suspicion.
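The traffic pattern described above (a base64-encoded device-info beacon repeated every 25 seconds, credentials posted in plain text, and forwarded SMS messages) is what a network defender would look for in proxy or IDS logs. The following Python script is an added example, not part of the original write-up or ESET's tooling: it builds a constructed traffic log that imitates those three behaviours (no values are taken from a real sample; the beacon JSON layout, the `login=...&password=...` form and the `sms:` prefix are assumptions for illustration), decodes the beacons, checks their cadence, and flags the plain-text credential post and the forwarded SMS. Passwords are masked before they are reported so the detection output itself does not leak secrets.

```python
import base64
import binascii
import json
import re
from datetime import datetime, timedelta

# Fields the write-up says the trojan reports: model, IMEI, language, SDK version, admin state.
BEACON_FIELDS = {"model", "imei", "lang", "sdk", "admin"}
BEACON_PERIOD_S = 25      # reporting interval stated in the write-up
PERIOD_TOLERANCE_S = 5    # slack allowed for network jitter

# Assumed wire formats for this example; a real sample would need its own signatures.
CRED_RE = re.compile(r"(?:user|login|username)=([^&\s]+)&(?:pass|password)=([^&\s]+)", re.I)
SMS_RE = re.compile(r"^sms:(\+?\d+):(.+)$")


def build_sample_log():
    """Constructed traffic log as (ISO timestamp, request body) pairs. Not real captured data."""
    t0 = datetime(2016, 2, 10, 9, 0, 0)
    beacon = {"model": "Nexus 5", "imei": "000000000000000", "lang": "en", "sdk": 22, "admin": True}
    encoded = base64.b64encode(json.dumps(beacon).encode()).decode()
    log = [((t0 + timedelta(seconds=25 * i)).isoformat(), encoded) for i in range(4)]
    log.append(((t0 + timedelta(seconds=40)).isoformat(), "login=alice&password=hunter2"))
    log.append(((t0 + timedelta(seconds=70)).isoformat(), "sms:+610000000000:Your one-time code is 123456"))
    log.append(((t0 + timedelta(seconds=90)).isoformat(), "GET /index.html"))  # benign noise
    return log


def try_decode_beacon(body):
    """Return the decoded beacon dict if the body is base64-encoded JSON with the expected fields."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except (binascii.Error, ValueError):
        return None
    if isinstance(obj, dict) and BEACON_FIELDS <= set(obj):
        return obj
    return None


def analyse(log):
    """Scan (timestamp, body) pairs and return the indicators found."""
    findings = {"beacons": [], "periodic_beacon": False,
                "plaintext_credentials": [], "forwarded_sms": []}
    beacon_times = []
    for ts, body in sorted(log):
        beacon = try_decode_beacon(body)
        if beacon is not None:
            findings["beacons"].append(beacon)
            beacon_times.append(datetime.fromisoformat(ts))
            continue
        m = CRED_RE.search(body)
        if m:
            user, password = m.groups()
            findings["plaintext_credentials"].append((user, "*" * len(password)))
            continue
        m = SMS_RE.match(body)
        if m:
            findings["forwarded_sms"].append(m.group(1))
    # A beacon is "periodic" when every gap between consecutive beacons is close to 25 s.
    gaps = [(b - a).total_seconds() for a, b in zip(beacon_times, beacon_times[1:])]
    findings["periodic_beacon"] = len(gaps) >= 2 and all(
        abs(g - BEACON_PERIOD_S) <= PERIOD_TOLERANCE_S for g in gaps)
    return findings


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print(f"beacons decoded: {len(result['beacons'])}, periodic: {result['periodic_beacon']}")
    print(f"plain-text credentials: {result['plaintext_credentials']}")
    print(f"forwarded SMS from: {result['forwarded_sms']}")
```

The cadence check is the part that generalises beyond this sample: a base64 blob alone is unremarkable, but the same blob repeated on a fixed 25-second schedule from a handset is a strong beaconing signal even before the content is decoded.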
How to remove the malware
When the user tries to uninstall the malware, two different scenarios can occur. In either case, the user first has to disable administrator rights and then uninstall the fake “Flash Player” from the device. Deactivating administrator privileges can have two possible outcomes. In the simpler one, the user deactivates administrator rights in Settings -> Security -> Device administrators -> Flash Player -> Deactivate, then ignores the bogus alert and chooses OK.
The user is then able to uninstall the malware via Settings -> Apps/Application manager -> Flash Player -> Uninstall.
Removal can become more complicated if the device receives a command from the server to disable deactivation of device administrator rights. If this happens, when the user tries to deactivate it, the malware creates an overlay activity in the foreground which prevents the user from clicking on the confirmation button. Deactivating administrator rights will therefore fail.
Another method to safely deactivate administrator privileges is to enter Safe mode. When booting into Safe mode, third-party applications are not loaded or executed, and the user can safely deactivate administrator privileges, as in the first scenario, and thereby uninstall the application. ESET solutions detect this malware as Android/Spy.Agent.SI.
[Figure: fake login screens for various banking apps]
ESET detection name: Android/Spy.Agent.SI
Targeted banks: Westpac, Bendigo Bank, Commonwealth Bank, St. George Bank, National Australia Bank, Bankwest, Me Bank, ANZ Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.