Quick Heal Security Labs has spotted two banking Trojan malware. These malware imitate some popular social and banking apps. While doing so, they gain access to some security permissions on the infected device which allow them to steal the user’s banking credentials. The malware are able to do this by displaying a fake window that asks for a debit/credit card number.
Technical analysis of the first banking Trojan that imitates social media apps
App name: Adobe Flash Player (fake)
Package Name: com.note.donote
Size: 520 KB
The banking Trojan masks itself with the icon of Adobe Flash Player to trick users. If installed, it asks for Device Administrator rights. If the user selects ‘Cancel’, it will keep asking for the permission until the user selects the ‘Activate’ button. Post this, it hides its icon.
After gaining the device administrator rights, the malware sends a text message to a premium rated number containing the device ID without user’s permission.
In the background, the Trojan searches for the most frequently used apps. The malware has maintained two lists. One list mostly comprises the social and browsing apps it imitates.
Popular applications maintained in the first list
When a user opens any of these applications, the Trojan displays a fake window asking for a debit/credit card number. Until the user provides this number, the malware does not allow access to Google Play or other apps (mentioned in the list above).
If the user enters the card number, the banking Trojan collects this information and sends it to a malicious server (hxxp://nikorg.com/1/)
The other list comprises 60 banking and finance related apps. When a user opens any of these apps, the Trojan displays an overlay web page and does not allow the user to perform any activity until the user stops it.
At the time of our analysis, the malicious server was unable to show the similar page related to the app imitated by the Trojan. However, it displayed a blank white page over the app.
Popular applications maintained in the second list
The Trojan malware also steals incoming messages which may be an OTP or any other information and sends them to the malicious server.
Technical analysis of the second banking Trojan that imitates banking apps
App name: Update
Package name: anubis.bot.myapplication
While installing the app, it asks user to enable Google Play service. And if enabled, it hides. Once it is done, the malicious app hides its icon and if a user in-between turns off the Google Play service then it keeps on showing the message to enable the Google Play service in a loop and also restricts the user from starting any other activity on the device.
In the background, the malware it keeps searching the mentioned app’s name on the list. If found, it shows a notification on behalf of the particular app and shows a similar login page and steals user’s credentials.
At the time of analysis, the C&C server (hxxp://22.214.171.124) was not functional. So, we were unable to monitor the dynamic activity of the app.
The banking Trojan uses commands to get the user’s personal information such as contacts, messages (to get the OTP), location details, etc.
There are other apps mentioned in the list that related to banking, shopping and cryptocurrency.
Some of the famous Indian banking applications are:
One unique activity performed by this app is that it checks whether a user’s Google Play protection service is ON or OFF. Accordingly, it sends information to the malicious server.
Quick Heal successfully detects these banking Trojans as:
Tips to stay safe from Android Banking Trojans
Subject Matter Experts
Rupali Parate, Anand Kumar Singh | Quick Heal Security Labs