Android banking Trojan targets more than 232 apps including apps offered by Indian banks

  • 2
    Shares

Quick Heal Security Labs detected an Android Banking Trojan that targets more than 232 banking apps including those offered by Indian banks. The malware is known as Android.banker.A2f8a (Previously detected as Android.banker.A9480).

Like most other Android banking malware, even this one is designed for stealing login credentials, hijacking SMSs, uploading contact lists and SMSs on a malicious server, displaying an overlay screen (to capture details) on top of legitimate apps and carrying out other such malicious activities.

Infection vector

Android.banker.A2f8a is being distributed through a fake Flash Player app on third-party stores. This is not surprising given that Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often targeted by attackers.

Technical analysis

After installing the malicious app, it will ask the user to activate administrative rights. And even if the user denies the request or kills the process, the app will keep throwing continuous pop-ups until the user activates the admin privilege. Once this is done, the malicious app hides its icon soon after the user taps on it.

 

Fig 1: Requesting to grant device administrator rights

 

Fig 2: Code to hide the app icon

In the background, the app carries out malicious tasks – it keeps checking the installed app on the victim’s device and particularly looks for 232 apps (banking and some cryptocurrency apps).

If any one of the targeted apps is found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user’s confidential info like net banking login ID and password.

During our analysis, we found that the malware was capable of receiving and processing the following commands from the C&C server:

Send_GO_SMSSend an SMS
GetSWSGOCollect all SMS from the device
nymBePsG0Upload list of contacts to a malicious server
telbookgotextSend SMS to all contacts with the text from its command
StartAutoPushShow fake notification
RequestPermissionInjACCESSIBILITY Permission
RequestPermissionGPSGPS Permission
killBotSet all urls null in Shared Preferences
getIPUpload location to a malicious server
ussdSend a USSD request

1. Whenever the client receives the command “startAutoPush” from the server, it shows a fake notification with the targeted app’s icon (title: “Urgent message!” & text: “Confirm your account”). Clicking on the notification takes the user to a fake login page as discussed earlier.

 

Fig 3: Code to check the server command

During the time of our analysis, the C&C server was not functional; so, we were unable to monitor the dynamic activity of the app.

Fig 4: Code to load the phishing page

2. The malware can intercept all incoming and outgoing SMSs from the infected device. This enables the attackers to bypass SMS-based two-factor authentication on the victim’s bank account (OTP). The malware was also able to send SMSs with a dynamically received text and number from the server’s side.

3. Whenever the client receives the command “GetSWSGO” from the server, it collects all SMSs stored on the device and uploads them to the malicious server.

Fig 5: Code to upload SMS to server

4. The malware can also set the device’s ringer volume to silent in order to suppress SMS notifications:

Fig 6: Code to put the device on silent

5. Whenever the client receives a command “nymBePsG0” from the server, it uploads the victim’s contacts to the malicious server.

Fig 7: Code to upload contact to malicious server

Targeted banking apps in India

The following is a list of the apps of the banks in India that are targeted by this Android Banking Trojan:

  • axis.mobile (Axis Mobile)
  • snapwork.hdfc (HDFC Bank MobileBanking)
  • sbi.SBIFreedomPlus (SBI Anywhere Personal)
  • hdfcquickbank (HDFC Bank MobileBanking LITE)
  • csam.icici.bank.imobile (iMobile by ICICI Bank)
  • snapwork.IDBI (IDBI Bank GO Mobile+)
  • idbibank.abhay_card (Abhay by IDBI Bank Ltd)
  • com.idbi (IDBI Bank GO Mobile)
  • idbi.mpassbook (IDBI Bank mPassbook)
  • co.bankofbaroda.mpassbook (Baroda mPassbook)
  • unionbank.ecommerce.mobile.android (Union Bank Mobile Banking)
  • unionbank.ecommerce.mobile.commercial.legacy (Union Bank Commercial Clients )

 

Fig 8: Code to check installed banking apps

Targeted cryptocurrency apps

Apart from banking apps, Android.banker.A2f8a also targets the following cryptocurrency apps.

  • bitfinex.bfxapp (Bitfinex)
  • veken0m.cavirtex (Bitcoinium)
  • brothas.mtgoxwidget (Bitcoin Ticker Widget)
  • master.cointransaction (Bitcoin/Altcoin chart, alarm, ticker)
  • leowandersleb.bitcoinsw (Flux Bitcoin Widget)
  • ozgur.btcprice (Bitcoin Price)
  • coinprices.allexchanges (Crypto Prices All-in-One)
  • blockchain.android (Blockchain – Bitcoin & Ether Wallet)
  • blockchain.merchant (Blockchain Merchant)
  • hyperwallet.wubsprepaid (WUBS Prepaid)
  • blocktrail.mywallet (BTC.com – Bitcoin Wallet)
  • claimyourbits.btcsafari (BTC SAFARI – Free Bitcoin)
  • handyapps.bitcoinpriceiq (Bitcoin Price IQ)
  • schildbach.wallet (Bitcoin Wallet)
  • blockfolio.blockfolio (Blockfolio Bitcoin / Altcoin App)
  • org.freewallet.app (Bitcoin Wallet by Freewallet)
  • bitcoin.crane.money (Bitcoin NewsCrane)
  • coinmarketapp.app (Bitcoin CoinMarketCap.com (unofficial) / Altcoin)
  • coinpayments.coinpaymentsapp (CoinPayments)
  • org.freewallet.app (Bitcoin Cash Wallet by Freewallet)
  • cenci7.coinmarketcapp (CoinMarketCapp – Blockchain Cryptocurrencies)
  • benzneststudios.cryptostory (CryptoStory – Cryptocurrency Portfolio)
  • langerhans.wallet (Dogecoin Wallet)

Other targeted banking apps

  • sberbankmobile
  • sberbank.spasibo
  • sberbank_sbbol
  • sberbank.mobileoffice
  • sberbank.sberbankir (Sberbank IR)
  • alfabank.mobile.android
  • alfabank.oavdo.amc
  • st.alfa
  • alfabank.sense
  • alfadirect.app (Alfa-Direct)
  • mw (Visa QIWI Wallet)
  • raiffeisennews
  • idamob.tinkoff.android (Tinkoff)
  • tcsbank.c2c (Card 2 Card)
  • tinkoff.mgp (Tinkoff Play: apply for a card)
  • tinkoff.sme
  • tinkoff.goabroad (FSSP FNS Russia)
  • webmoney.my (WebMoney Keeper)
  • rosbank.android (ROSBANK Online)
  • vtb24.mobilebanking.android
  • bm.mbm
  • vtb.mobilebank (VTB Mobile)
  • bssys.VTBClient (Mobile Client VTB)
  • bssys.vtb.mobileclient (MobileClientVTB)
  • simpls.mbrd.ui
  • yandex.money
  • simpls.brs2.mobbank
  • akbank.android.apps.akbank_direkt (Akbank Direkt)
  • akbank.android.apps.akbank_direkt_tablet (Akbank Direkt Tablet)
  • akbank.softotp
  • fragment.akbank
  • ykb.android
  • ykb.android.mobilonay
  • ykb.avm
  • ykb.androidtablet
  • veripark.ykbaz
  • softtech.iscek
  • yurtdisi.iscep
  • softtech.isbankasi
  • monitise.isbankmoscow
  • finansbank.mobile.cepsube
  • enpara
  • magiclick.FinansPOS (FinansPOS)
  • matriksdata.finansyatirim (QNB Finansinvest)
  • enpara.sirketim
  • vipera.ts.starter.QNB (QNB Mobile)
  • redrockdigimark (QNB National Day)
  • garanti.cepsubesi (Garanti Mobile Banking)
  • garanti.cepbank
  • garantibank.cepsubesiro (GarantiBank)
  • matriksdata.finansyatirim (QNB Finansinvest)
  • mobinex.android.apps.cep_sifrematik
  • garantiyatirim.fx (Garanti FX Trader)
  • tmobtech.halkbank (Halkbank Mobil)
  • SifrebazCep
  • newfrontier.iBanking.mobile.Halk.Retail (Halkbank Mobile App)
  • com.tradesoft.tradingsystem.gtpmobile.halk (Halk Trade)
  • DijitalSahne.EnYakinHalkbank (Halkbank Nerede)
  • ziraat.ziraatmobil (Ziraat Mobil)
  • ziraat.ziraattablet (Ziraat Tablet)
  • matriksmobile.android.ziraatTrader (Ziraat Trader)
  • matriksdata.ziraatyatirim.pad (Ziraat Trader HD)
  • comdirect.android (comdirect mobile App)
  • commerzbanking.mobil (Commerzbank Banking App)
  • consorsbank (Consorsbank)
  • db.mm.deutschebank
  • dkb.portalapp (DKB-Banking)
  • de.dkb.portalapp
  • ing.diba.mbbr2 (ING-DiBa Banking + Brokerage)
  • postbank.finanzassistent (Postbank Finanzassistent)
  • santander.de (Santander MobileBanking)
  • fiducia.smartphone.android.banking.vr
  • creditagricole.androidapp
  • axa.monaxa
  • banquepopulaire.cyberplus
  • bnpparibas.mescomptes
  • boursorama.android.clients
  • caisseepargne.android.mobilebanking
  • lcl.android.customerarea
  • paypal.android.p2pmobile
  • wf.wellsfargomobile
  • wf.wellsfargomobile.tablet
  • wellsFargo.ceomobile
  • usbank.mobilebanking
  • usaa.mobile.android.usaa
  • suntrust.mobilebanking
  • moneybookers.skrillpayments.neteller
  • moneybookers.skrillpayments
  • clairmail.fth
  • konylabs.capitalone
  • yinzcam.facilities.verizon
  • chase.sig.android
  • infonow.bofa
  • bankofamerica.cashpromobile
  • co.bankofscotland.businessbank
  • grppl.android.shell.BOS
  • rbs.mobile.android.natwestoffshore
  • rbs.mobile.android.natwest
  • rbs.mobile.android.natwestbandc
  • rbs.mobile.investisir
  • phyder.engage
  • rbs.mobile.android.rbs
  • rbs.mobile.android.rbsbandc
  • co.santander.santanderUK
  • co.santander.businessUK.bb
  • sovereign.santander
  • ifs.banking.fiid4202
  • fi6122.godough
  • rbs.mobile.android.ubr
  • htsu.hsbcpersonalbanking
  • grppl.android.shell.halifax
  • grppl.android.shell.CMBlloydsTSB73
  • barclays.android.barclaysmobilebanking
  • ing.mobile (ING Bankieren)
  • csob.smartbanking
  • sberbankcz (Smart Banking)
  • sporoapps.accounts
  • sporoapps.skener (Platby)
  • cleverlance.csas.servis24 (SERVIS 24 Mobilni banka)
  • westpac.bank,nz.co.westpac
  • com.suncorp.SuncorpBank (Suncorp Bank)
  • stgeorge.bank (St.George Mobile Banking)
  • banksa.bank (BankSA Mobile Banking)
  • com.newcastlepermanent (NPBS Mobile Banking)
  • com.nab.mobile (NAB Mobile Banking)
  • com.mebank.banking (ME Bank)
  • com.ingdirect.android (ING Australia Banking)
  • be (ING Smart Banking)
  • imb.banking2 (IMB.Banking)
  • fusion.ATMLocator (People’s Choice Credit Union)
  • com.cua.mb (CUA)
  • commbank.netbank (CommBank)
  • cba.android.netbank (CommBank app for tablet)
  • citibank.mobile.au (Citibank Australia)
  • citibank.mobile.uk (Citi Mobile UK)
  • citi.citimobile
  • bom.bank (Bank of Melbourne Mobile Banking)
  • bendigobank.mobile (Bendigo Bank)
  • doubledutch.hvdnz.cbnationalconference2016 (CB Conference 2017)
  • com.bankwest.mobile (Bankwest)
  • bankofqueensland.boq (BOQ Mobile)
  • anz.android.gomoney (ANZ goMoney Australia)
  • anz.android
  • anz.SingaporeDigitalBanking
  • anzspot.mobile
  • crowdcompass.appSQ0QACAcYJ (ANZ Investor Tour)
  • arubanetworks.atmanz (Atmosphere ANZ)
  • quickmobile.anzirevents15 (ANZ Investor Relations Events)
  • volksbank.volksbankmobile (Volksbank Banking)
  • fiducia.smartphone.android.banking.vr (VR-Banking)
  • volksbank.android
  • secservizi.mobile.atime.bpaa (Volksbank per tablet)
  • fiducia.smartphone.android.securego.vr (VR-SecureGo)
  • isis_papyrus.raiffeisen_pay_eyewdg (Raiffeisen ELBA)
  • easybank.mbanking (easybank)
  • easybank.tablet (easybank app)
  • easybank.securityapp (easybank Security App)
  • bawag.mbanking (BAWAG P.S.K.)
  • bawagpsk.securityapp (BAWAG P.S.K. Security App)
  • psa.app.bawag (BAWAG P.S.K. SmartPay)
  • pozitron.iscep
  • vakifbank.mobile
  • pozitron.vakifbank
  • starfinanz.smob.android.sfinanzstatus (Sparkasse Ihre mobile Filiale)
  • starfinanz.mobile.android.pushtan (S-pushTAN)
  • entersekt.authapp.sparkasse (S-ID-Check)
  • starfinanz.smob.android.sfinanzstatus.tablet
  • starfinanz.smob.android.sbanking (Sparkasse+ Finanzen im Griff)
  • palatine.android.mobilebanking.prod (ePalatine Particuliers)
  • laposte.lapostemobile (La Poste – Services Postaux)
  • laposte.lapostetablet (La Poste HD – Services Postaux)
  • cm_prod.bad
  • cm_prod.epasal (Epargne Salariale CM)
  • cm_prod_tablet.bad
  • cm_prod.nosactus
  • societegenerale.mobile.lappli
  • bbva.netcash (BBVA net cash)
  • bbva.bbvacontigo (BBVA | Spain)
  • bbva.bbvawallet (BBVA Wallet | Spain)
  • bancosantander.apps (Santander)
  • santander.app (Santander Brasil)
  • cm.android (Bankia)
  • cm.android.tablet (Bankia Tablet)
  • bankia.wallet (Bankia Wallet)

Other targeted apps

  • amazon.mShop.android.shopping (Amazon Shopping)
  • amazon.windowshop (Amazon for Tablets)
  • ebay.mobile (eBay: Buy & Sell. Explore Discount Shopping Deals)
  • airbnb.android (Airbnb)
  • scores365 (365Scores: Sports Scores Live)
  • pyrsoftware.pokerstars.net (PokerStars Poker: Texas Holdem)
  • pokerstars.cebo.psp (PokerStars Play: Free Texas Holdem Poker Game)
  • paster
  • pokerstars.eptguide (PokerStars Live)
  • pkrstrs191 (PKRSTRS Mobile 2Day App)
  • thunkable.android.avenue_mitm.Polonix
  • westernunion.android.mtapp (Western Union US – Send Money Transfers Quickly)

Indicator of compromise

App Name: Flash Player
Package name: yqyJqWdtdf.UOaOrquyRDgLFgGueha
MD5: 29cf5cc309c2e29b6afd63eb5ab8fbd2
Size: 115 KB

Quick Heal detection

Quick Heal successfully detects this Android Banking Trojan as Android.banker.A2f8a.

Important Note:
Adobe Flash player has been discontinued after Android 4.1 version as it’s available in the mobile browser itself. There is no official Adobe Flash Player available on the Google Play Store. Adobe had also announced that it will stop updating and distributing Flash player by the end of 2020 in all formats of browser.

 Tips to stay safe from Android Banking Trojans

  • Avoid downloading apps from third-party app stores or links provided in SMSs or emails.
  • Always keep ‘Unknown Sources’ disabled. Enabling this option allows installation of apps from unknown sources.
  • Most importantly, verify app permissions before installing any app even from official stores such as Google Play.
  • Install a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device.
  • Always keep your device OS and mobile security app up-to-date.

Subject Matter Expert
Gajanan Khond| Quick Heal Security Labs

Bajrang Mane

Bajrang Mane


8 Comments

Your email address will not be published.

CAPTCHA Image

  1. Avatar Milind DevalJanuary 4, 2018 at 11:58 AM

    Excellent analysis, well-done.

    Reply
  2. Avatar Amol KulkarniJanuary 5, 2018 at 10:11 AM

    Super informative. Thanks

    Reply
  3. Good analysis, however are there any authentication mechanisms to validate third party apps..

    Reply
  4. Avatar Prakash JasaniJanuary 11, 2018 at 8:22 AM

    Good work and nicely explained.

    Reply
  5. Avatar Rohan NargolkarJanuary 12, 2018 at 2:42 PM

    Superb Analysis! I’m just learning the basics of C and C++ and it’s quite disconcerting to know, how the code can be used for malicious purposes.

    Reply
  6. My HDFC mobile app says that my device has malware but I fully scanned my device but quick heal is not able to detect the malware. I contacted quick heal support but didn’t got any solution.can you please suggest something.i don’t want to reset my phone .

    Reply
  7. Thanks for sharing useful information for beginners to Learn Android development course.

    Reply