Blog
Gajanan Khond

Android malware that combines a Banking Trojan, Keylogger, and Ransomware in one package

August 17, 2018
  • 37
    Shares
0
Estimated reading time: 8 minutes

This malware has all basic functionalities of the Android banker along with additional features like call forwarding, sound recording, keylogging and ransomware activities. It has the ability to launch user’s browser with URL received from the C&C server.

It repeatedly opens the accessibility setting page until the user switches ON the ‘AccessibilityService’. The AccessibilityService allowing the Trojan to enable and abuse any required permission without user concern.

Fig.1 Malicious app icon and accessibility setting page opened by malware

Overlays on targeted Apps

After launching one of the targeted application, the Trojan displays an overlay phishing login form of confidential information over its window where it asks the user to enter a username, password, and other sensitive data.

Following are some overlays displayed by Trojan :

Fig.2 Overlay on banking Apps

Fig.3 Overlay on Play store and zebpay

Commands and respective features are shown in below table

The malware performs activity according to commands received from the C&C server. Following list shows the commands used by the malware-

Commands Meaning
Send_GO_SMS Send SMS from the infected device
nymBePsG0 Upload all numbers from the phone book to C&C server
GetSWSGO Upload all SMS to C&C server
telbookgotext Send the SMS to all numbers saved in the infected device
getapps Upload the list of all installed applications
ALERT Show alert whose contents are specified in the command
PUSH show notification whose contents are specified in the command
startAutoPush Show notification whose contents are set in the Trojan’s code
ussd Calls a USSD number from the infected device
sockshost Start Server Socket
stopsocks5 Stop Server Socket
recordsound Start record sound
replaceurl Replace URL Panel
startapplication Start application specified in the commands
killBot Clear the C&C server address
getkeylogger Upload keystrokes logs on the server
startrat Start Remote Administration Tool
startforward Start call forwarding to the number specified in the commands
stopforward Stop call forwarding
openbrowser Open URL in the browser
openactivity Open URL in WebView
cryptokey Encrypts all files
decryptokey Decrypts all files

 

Technical analysis

The main APK file is highly obfuscated and all strings are encrypted. It also contains the extra junk code to make it difficult for reverse engineering. The main APK contains ‘image/files’ encrypted file. The ‘image/files’ file is decrypted at runtime and drops another file ‘app_files\driqoy.jar’. Further malicious activities are performed by that file.

Fig.4 The main APK file code

Fake alert to disable Google Play protect service

It checks whether a user’s Google Play protection service is ON or OFF. If it is ON then it displays the fake alert to disable it with the message”The system does not work correctly, disable Google Play Protect!”

Fig.5 Fake alert to disable google play protect service

Prevent from uninstalling the malicious App

If user goes to uninstall the application from the setting then malware shows the alert with “System Error 495” message.

Fig.6 Fake alert code

                                                                     

Fig.7 The fake alert when user tries to uninstall

Used Twitter for malicious purpose

The malware author uses the Twitter to get C&C server address. The malware takes the encrypted server address from the specified Twitter account that starts with <zero> and ends with </zero>.

Twitter accounts used in this malware are “hxxps://twitter.com/KeremTu81270252” and “hxxps://twitter.com/JackCorne”.

Fig.8 Code to take server address from twitter

Fig.9 Tweet on the specified account

It Encrypts and Decrypts the files

Whenever the client receives a command “cryptokey” from the server, it encrypts all the files. All the encrypted files are renamed with the extension “.AnubisCrypt”. It deletes all the original files whereas when the client receives a command “decryptokey” from the server, it decrypts all files.

Fig.10 Code for files Encryption and Decryption

After it encrypts all the files it shows the ransom screen. It blocks the screen of the device by Window WebView, which shows the content received from the server. Below Fig. shows the htmllocker code which is received from the server.

Fig.11 HTML locker code

Quick Heal detection

Quick Heal successfully detects this Android Trojan as Android.Banker.L

Indicator of compromise

App Name: sistemguncelle
Package name: com.qvgstiwjsndr.jktqnsyc
MD5: b0ff12e875d1c32bd05dde6bb34e9805
Size: 344 KB

App Name: Adobe Flash Player
Package name: com.fzuhnorsz.xgvmhdztawmg
MD5: bc53a5857b1e29bef175d64fbec0c186
Size: 383 KB

Targeted Apps

com.csam.icici.bank.imobile

com.snapwork.hdfc

hdfcbank.hdfcquickbank

com.sbi.SBIFreedomPlus

com.axis.mobile

org.bom.bank

com.idbi.mpassbook

com.amazon.mShop.android.shopping

com.paypal.android.p2pmobile

com.mobikwik_new

com.ebay.mobile

zebpay.Application

pl.ideabank.mobilebanking

wos.com.zebpay

at.easybank.mbanking

at.bawag.mbanking

com.idbibank.abhay_card

src.com.idbi

com.citibank.mobile.au

com.citibank.mobile.uk

ru.sberbank.mobileoffice

com.grppl.android.shell.BOS

ru.sberbank.spasibo

com.bitcoin.ss.zebpayindia

com.comarch.security.mobilebanking

pl.pkobp.ipkobiznes

com.coins.ful.bit

com.bbva.bbvacontigo

com.quickmobile.anzirevents15

com.bankinter.launcher

com.scotiabank.mobile

pl.ing.mojeing

com.portfolio.coinbase_tracker

com.oxigen.oxigenwallet

finansbank.enpara.sirketim

au.com.ingdirect.android

com.fusion.ATMLocator

de.comdirect.android

de.fiducia.smartphone.android.banking.vr

com.usbank.mobilebanking

com.phyder.engage

pl.allegro

com.isis_papyrus.raiffeisen_pay_eyewdg

com.vakifbank.mobile

com.empik.empikapp

com.crypter.cryptocyrrency

es.bancosantander.apps

com.localbitcoins.exchange

com.garanti.cepbank

com.commbank.netbank

com.cibc.android.mobi

ccom.tmob.denizbank

tr.com.sekerbilisim.mbank

com.barclays.android.barclaysmobilebanking

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

com.rbs.mobile.investisir

info.blockchain.merchant

com.coins.bit.local

pl.millennium.corpApp

com.yinzcam.facilities.verizon

org.banksa.bank

it.volksbank.android

com.ziraat.ziraatmobil

pl.bph

me.doubledutch.hvdnz.cbnationalconference2016

wit.android.bcpBankingApp.millenniumPL

com.imb.banking2

com.unionbank.ecommerce.mobile.commercial.legacy

eu.eleader.mobilebanking.pekao

com.dbs.hk.dbsmbanking

ru.alfabank.oavdo.amc

nz.co.bnz.droidbanking

com.kutxabank.android

com.clairmail.fth

may.maybank.android

jp.co.aeonbank.android.passbook

eu.inmite.prj.kb.mobilbank

cz.sberbankcz

fr.banquepopulaire.cyberplus

pl.mbank

com.idamob.tinkoff.android

pl.fmbank.smart

com.scb.breezebanking.hk

pl.ceneo

pl.bzwbk.ibiznes24

eu.newfrontier.iBanking.mobile.Halk.Retail

com.bankofamerica.cashpromobile

com.magiclick.odeabank

com.akbank.android.apps.akbank_direkt_tablet_20

hr.asseco.android.jimba.mUCI.ro

at.psa.app.bawag

com.starfinanz.smob.android.sfinanzstatus

com.cleverlance.csas.servis24

com.DijitalSahne.EnYakinHalkbank

com.bawagpsk.securityapp

in.co.bankofbaroda.mpassbook

com.ifs.banking.fiid4202

com.usaa.mobile.android.usaa

au.com.mebank.banking

nz.co.anz.android.mobilebanking

com.citi.citimobile

fr.lcl.android.customerarea

com.rbs.mobile.android.natwest

ru.sberbank.sberbankir

com.akbank.android.apps.akbank_direkt_tablet

hk.com.hsbc.hsbchkmobilebanking

com.pozitron.vakifbank

it.secservizi.mobile.atime.bpaa

ru.alfabank.mobile.android

de.schildbach.wallet

jp.co.rakuten_bank.rakutenbank

com.htsu.hsbcpersonalbanking

pl.orange.mojeorange

com.garanti.cepsubesi

com.anz.android

com.bmo.mobile

com.matriksmobile.android.ziraatTrader

com.magiclick.FinansPOS

sk.sporoapps.accounts

ru.bm.mbm

pl.bzwbk.bzwbk24

com.tmob.tabletdeniz

pl.bzwbk.mobile.tab.bzwbk24

com.grppl.android.shell.CMBlloydsTSB73

com.matriksdata.finansyatirim

at.spardat.netbanking

ru.alfabank.sense

com.ing.diba.mbbr2

com.blockfolio.blockfolio

at.easybank.securityapp

com.getingroup.mobilebanking

com.ideomobile.hapoalim

com.moneybookers.skrillpayments.neteller

com.bbva.netcash

com.coin.profit

com.db.mm.deutschebank

jp.co.netbk

com.mtel.androidbea

com.caisseepargne.android.mobilebanking

fr.axa.monaxa

fr.laposte.lapostetablet

com.bankaustria.android.olb

com.cba.android.netbank

com.binance.odapplications

com.anzspot.mobile

org.westpac.banknz.co.westpac

com.cm_prod.epasal

jp.mufg.bk.applisp.app

com.akbank.android.apps.akbank_direkt

com.empik.empikfoto

sk.sporoapps.skener

com.rbc.mobile.android

com.tecnocom.cajalaboral

ru.vtb24.mobilebanking.android

au.com.bankwest.mobile

nz.co.kiwibank.mobile

cz.airbank.android

com.grppl.android.shell.halifax

com.fragment.akbank

jp.co.smbc.direct

com.pozitron.albarakaturk

com.barclays.ke.mobile.android.ui

ro.btrl.mobile

com.kuveytturk.mobil

com.edsoftapps.mycoinsvalue

ru.sberbankmobile

com.moneybookers.skrillpayments

com.bssys.VTBClient

com.rbs.mobile.android.natwestoffshore

pl.com.rossmann.centauros

au.com.suncorp.SuncorpBank

com.cm_prod.bad

fr.creditagricole.androidapp

com.jackpf.blockchainsearch

com.ykb.android

com.finanteq.finance.ca

com.rbs.mobile.android.rbs

de.postbank.finanzassistent

com.binance.dev

eu.eleader.mobilebanking.raiffeisen

pl.pkobp.iko

com.btcturk

com.rbs.mobile.android.rbsbandc

com.pozitron.iscep

com.localbitcoinsmbapp

com.ing.mobile

com.ziraat.ziraattablet

com.bankia.wallet

com.anz.SingaporeDigitalBanking

com.crowdcompass.appSQ0QACAcYJ

de.fiducia.smartphone.android.securego.vr

pl.bps.bankowoscmobilna

com.anz.android.gomoney

at.easybank.tablet

pl.bosbank.mobile

com.ykb.android.mobilonay

mobi.societegenerale.mobile.lappli

nz.co.westpac

es.cm.android.tablet

com.boursorama.android.clients

finansbank.enpara

com.wf.wellsfargomobile.tablet

com.teb

com.garantibank.cepsubesiro

com.unocoin.unocoinwallet

com.arubanetworks.atmanz

at.volksbank.volksbankmobile

com.starfinanz.mobile.android.pushtan

com.rsi

com.konylabs.capitalone

com.amazon.windowshop

de.commerzbanking.mobil

es.lacaixa.mobile.android.newwapicon

com.unionbank.ecommerce.mobile.android

com.aff.otpdirekt

ru.tcsbank.c2c

com.orangefinanse

uk.co.bankofscotland.businessbank

org.stgeorge.bank

com.finansbank.mobile.cepsube

piuk.blockchain.android

fr.laposte.lapostemobile

ru.mw

com.infrasofttech.indianBank

de.dkb.portalapp

com.matriksdata.ziraatyatirim.pad

io.getdelta.android

mobile.santander.de

com.bbva.bbvawallet

com.cm_prod.nosactus

alior.bankingapp.android

com.fi6122.godough

com.wellsFargo.ceomobile

com.ykb.androidtablet

com.vakifbank.mobilel

com.entersekt.authapp.sparkasse

com.rbs.mobile.android.natwestbandc

com.td

com.kryptokit.jaxx

com.bankofqueensland.boq

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.mobillium.papara

com.vipera.ts.starter.QNB

com.orangefinansek

com.monitise.isbankmoscow

au.com.newcastlepermanent

com.tmobtech.halkbank

com.snapwork.IDBI

cz.csob.smartbanking

com.coinbase.android

es.cm.android

org.westpac.bank

com.MobileTreeApp

au.com.nab.mobile

au.com.cua.mb

com.yurtdisi.iscep

es.bancopopular.nbmpopular

com.rbs.mobile.android.ubr

com.garantiyatirim.fx

com.vtb.mobilebank

com.bendigobank.mobile

com.softtech.isbankasi

com.thunkable.android.manirana54.LocalBitCoins

de.consorsbank

pl.aliorbank.aib

com.palatine.android.mobilebanking.prod

es.evobanco.bancamovil

ru.tinkoff.sme

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.de.dkb.portalapp

com.advantage.RaiffeisenBank

com.tmob.denizbank

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.FubonMobileClient

eu.eleader.mobilebanking.pekao.firm

com.mal.saul.coinmarketcap

ru.tinkoff.goabroad

ru.alfadirect.app

com.SifrebazCep

com.sovereign.santander

com.infonow.bofa

com.softtech.iscek

uk.co.santander.businessUK.bb

eu.eleader.mobilebanking.invest

net.bnpparibas.mescomptes

com.akbank.softotp

com.redrockdigimark

com.unocoin.unocoinmerchantPoS

com.hangseng.rbmobile

MyING.be

com.cm_prod_tablet.bad

com.bssys.vtb.mobileclient

ru.tinkoff.mgp

com.ykb.avm

pl.ipko.mobile

jp.co.sevenbank.AppPassbook

com.jamalabbasii1998.localbitcoin

at.spardat.bcrmobile

com.veripark.ykbaz

uk.co.santander.santanderUK

com.wf.wellsfargomobile

ru.sberbank_sbbol

com.starfinanz.smob.android.sfinanzstatus.tablet

com.chase.sig.android

nz.co.asb.asbmobile

biz.mobinex.android.apps.cep_sifrematik

com.tnx.apps.coinportfolio

com.santander.app

by.st.alfa

com.starfinanz.smob.android.sbanking

com.suntrust.mobilebanking

Conclusion

For Android version 7 and 8, previously used overlay techniques were rendered inaccessible, but malware authors find a new way to use overlays in their banking malware. The implementation of the overlay attack abuses the Usage Access permission in order to run on all versions of the Android operating system including the latest Android 7 and 8.

Tips to stay safe from Android Trojans

  • Avoid downloading apps from third-party app stores or links provided in SMSsor emails.
  • Always keep ‘Unknown Sources’ disabled. Enabling this option allows installation of apps from unknown sources.
  • Most importantly, verify app permissions before installing any app even from official stores such as Google Play.
  • Install a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device.
  • Always keep your device OS and mobile security app up-to-date.

 

  • 37
    Shares

Have something to add to this story? Share it in the comments.

Gajanan Khond
About Gajanan Khond
I am an Android malware analyst at Quick Heal Technologies. My interests include Android security, reverse engineering, malware analysis, and...
Articles by Gajanan Khond »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image