Quick Heal detects banking Trojans imitating popular social media and banking apps in India
Quick Heal Security Labs has spotted two banking Trojan malware. These malware imitate some popular social and banking apps. While doing so, they gain access to some security permissions on the infected device which allow them to steal the user’s banking credentials. The malware are able to do this by displaying a fake window that asks for a debit/credit card number.
Technical analysis of the first banking Trojan that imitates social media apps
App name: Adobe Flash Player (fake)
Package Name: com.note.donote
MD5: ef3a283136bd24e745c43619118d4ff2
Size: 520 KB
The banking Trojan masks itself with the icon of Adobe Flash Player to trick users. If installed, it asks for Device Administrator rights. If the user selects ‘Cancel’, it will keep asking for the permission until the user selects the ‘Activate’ button. Post this, it hides its icon.
Fig 1. Asking for Device Admin permission
After gaining the device administrator rights, the malware sends a text message to a premium rated number containing the device ID without user’s permission.
Fig 2. User balance deduction and sending device info via SMS
In the background, the Trojan searches for the most frequently used apps. The malware has maintained two lists. One list mostly comprises the social and browsing apps it imitates.
Popular applications maintained in the first list
- com.whatsapp
- com.skype.raider
- com.facebook.katana
- com.instagram.android
- com.android.chrome
- com.twitter.android
- com.android.calendar
- jp.naver.line.android
- com.android.vending
- com.viber.voip
When a user opens any of these applications, the Trojan displays a fake window asking for a debit/credit card number. Until the user provides this number, the malware does not allow access to Google Play or other apps (mentioned in the list above).
Fig 3. Overlaying social and browsing apps with a window asking for a debit/credit card number
Fig 4. Posting card details on a URL
If the user enters the card number, the banking Trojan collects this information and sends it to a malicious server (hxxp://nikorg.com/1/)
The other list comprises 60 banking and finance related apps. When a user opens any of these apps, the Trojan displays an overlay web page and does not allow the user to perform any activity until the user stops it.
At the time of our analysis, the malicious server was unable to show the similar page related to the app imitated by the Trojan. However, it displayed a blank white page over the app.
Fig 5. Overlaying bank application with the web page
Fig 6. Apps of banks with overlaying web URLs
Popular applications maintained in the second list
- pl.mbank (mBank PL)
- com.db.mm.deutschebank (Meine Bank)
- pl.ing.ingmobile (ING Bankieren)
- com.konylabs.cbplpat (Citi Handlowy )
- com.paypal.android.p2pmobile (paypal)
- com.commbank.netbank (CommBank )
The Trojan malware also steals incoming messages which may be an OTP or any other information and sends them to the malicious server.
Fig 7. Sending incoming messages to a URL
Technical analysis of the second banking Trojan that imitates banking apps
App name: Update
Package name: anubis.bot.myapplication
MD5: cc76a822b8bd66350a78db70998650ca
Size: 149kb
While installing the app, it asks user to enable Google Play service. And if enabled, it hides. Once it is done, the malicious app hides its icon and if a user in-between turns off the Google Play service then it keeps on showing the message to enable the Google Play service in a loop and also restricts the user from starting any other activity on the device.
Fig 8. Malicious app icon
Fig 9. Repeatedly asking for Google pro service permission
In the background, the malware it keeps searching the mentioned app’s name on the list. If found, it shows a notification on behalf of the particular app and shows a similar login page and steals user’s credentials.
Fig 10. Creates a notification message according to the app maintained in the list of the malware
At the time of analysis, the C&C server (hxxp://46.254.16.53) was not functional. So, we were unable to monitor the dynamic activity of the app.
The banking Trojan uses commands to get the user’s personal information such as contacts, messages (to get the OTP), location details, etc.
Fig 11. Stealing personal information’s using commands
Fig 12. Names of apps of banks in India
There are other apps mentioned in the list that related to banking, shopping and cryptocurrency.
Some of the famous Indian banking applications are:
- com.sbi.SBIFreedomPlus (SBI Anywhere personal)
- com.csam.icici.bank.imobile (ICICI iMobile)
- in.co.bankofbaroda.mpassbook (Baroda mPassbook)
- com.unionbank.ecommerce.mobile.android (Union Bank Mobile)
- com.axis.mobile (Axis Bank)
- hdfcbank.hdfcquickbank (HDFC Bank MobileBanking LITE)
One unique activity performed by this app is that it checks whether a user’s Google Play protection service is ON or OFF. Accordingly, it sends information to the malicious server.
Fig 13. Checking for Google Play Protection
Quick Heal successfully detects these banking Trojans as:
- Android.Marcher.C
- Android.Asacub.T
Tips to stay safe from Android Banking Trojans
- Avoid downloading apps from third-party app stores or links provided in SMSs or emails.
- Always keep ‘Unknown Sources’ disabled. Enabling this option allows installation of apps from unknown sources.
- Verify app permissions before installing any app even from official stores such as Google Play.
- Keep Play Protection service ‘ON’.
- Install a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device.
- Always keep your device OS and mobile security app up-to-date.
Subject Matter Experts
Rupali Parate, Anand Kumar Singh | Quick Heal Security Labs
No Comments, Be The First!