Background
Researchers from the security company Dr.Web reported a while back that the source code of an untitled Android banking Trojan had been leaked to underground hacker forums. More recently, Alibaba Cloud Universal Security has detected a large number of new Trojans of the BankBot family. These Trojans disguise themselves as Good Weather, Flash Plаyеr, Play Мapкeт, or Follon in order to hijack mobile devices. The disguised Good Weather application alone is believed to have affected users of at least 50 large banks around the world.
Features of the New BankBot Trojan
The new BankBot Trojan has a flexible configuration whose switches are controlled by the server. Instructions issued by the command and control (C&C) server remotely direct the BankBot Trojan to steal users' personal information, hijack multiple financial apps around the globe, and phish login interfaces. The Trojan can then intercept and capture what the user types, and use it to gain unauthorized access to the user's online accounts.
The Running Process of the Trojan
The flowchart below illustrates a BankBot Trojan's process:
How Does BankBot Trigger the Malicious Code
After the BankBot Trojan starts, it queries the C&C server to decide whether to execute the malicious code. If the server response is anything other than "0," the malicious code runs.
The Trojan then hides its launcher icon and starts the core service ge45g45gsdfsadfg, which holds a CPU wake lock so that it stays resident in the background.
Core Services
The service acquires a PARTIAL_WAKE_LOCK, which keeps the CPU running even when the screen is off, so the core service remains resident in the background. Its malicious behaviors include the following:
- Forcibly requesting device administrator activation
- Uploading the Trojan's current running environment, including basic device information
- Receiving instructions from the server that implement remote control
- Starting the hijacking service
The screenshots below show the upload of the Trojan's running environment:
The uploaded data is encoded with the Trojan's own scheme. Decoded, it reads: 3592500503912:1:1:0、3592500503912:(China Unicom)+86186670157**:4.4.2:cn:|AlfaB_RU||paypal||UBank|:Nexus 5 (hammerhead):Demom.
The uploaded data tells the control server information such as:
- The current device ID
- Whether the Trojan is ready for remote management
- Whether the device has a screen-locking password
- Whether the device has text message blocking configured
- Whether the user has installed AlfaB, Paypal, and UBank banking apps
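As an added illustration (not code from the article or from the Trojan), the following Python parser splits a decoded BankBot upload of the kind quoted above into the fields the article describes, so an analyst can pull the device ID, the status flags and the list of targeted banking apps out of sandbox or network captures. The sample string is the article's decoded beacon with the phone number left masked; the meaning of the fields after the four status flags (carrier and phone, OS version, country, app list, model, trailer) is assumed from their order.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the decoded beacon quoted in the article,
# with the phone digits kept masked as "**".
SAMPLE_BEACON = (
    "3592500503912:1:1:0\u3001"
    "3592500503912:(China Unicom)+86186670157**:4.4.2:cn:"
    "|AlfaB_RU||paypal||UBank|:Nexus 5 (hammerhead):Demom."
)

@dataclass
class BankBotBeacon:
    device_id: str
    admin_ready: bool      # "ready for management" flag
    screen_lock: bool      # device has a screen-lock password
    sms_block: bool        # SMS blocking is switched on
    carrier_phone: str     # assumed: "(carrier)+number"
    os_version: str
    country: str
    bank_apps: List[str]   # targeted banking apps found on the device
    model: str
    trailer: str           # assumed: free-form tag at the end

# The app list is framed by '|' and entries are separated by '||'.
_PROFILE_RE = re.compile(
    r"([^:]*):([^:]*):([^:]*):([^:]*):(\|.*\|):([^:]*):(.*)$")

def parse_beacon(text: str) -> BankBotBeacon:
    """Split the decoded upload into its two '、'-separated segments:
    a status segment (id:ready:lock:sms) and a device profile segment."""
    status, profile = text.split("\u3001", 1)
    dev, ready, lock, sms = status.split(":")
    m = _PROFILE_RE.match(profile)
    if not m:
        raise ValueError("unexpected profile layout")
    pid, carrier, osv, country, apps, model, trailer = m.groups()
    if pid != dev:
        raise ValueError("device id differs between segments")
    bank_apps = [a for a in apps.strip("|").split("||") if a]
    return BankBotBeacon(dev, ready == "1", lock == "1", sms == "1",
                         carrier, osv, country, bank_apps, model, trailer)

if __name__ == "__main__":
    b = parse_beacon(SAMPLE_BEACON)
    print(f"device {b.device_id}: admin={b.admin_ready} sms_block={b.sms_block}"
          f" targets={b.bank_apps} on {b.model} ({b.os_version})")
```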
The C&C server returns the parsed control instructions, as shown in the table below.
Hijacking Analysis
When the victim opens the legitimate bank app, the Trojan detects this, loads the fake bank page, and overlays it on top of the authentic app's interface. The crucial step of interface hijacking is deceiving the victim into using the forged login screen, so the counterfeit bank login window closely imitates the authentic one and is difficult for users to tell apart.
Below are examples of other phishing interfaces.
The victim's device ID is the identifier used in all interaction with the Trojan's control side, and the control side builds the counterfeit login interface according to which bank apps are present on the victim's device. None of the world's major financial apps are spared, including the well-known Paypal, American Express, the British Barclays Bank, and Royal Bank of Scotland.
Hijacking devices of SDK version 22 and earlier
The figure below shows how the Trojan reads the relevant entries under the Android /proc folder to obtain the package name of the foreground application on devices with an SDK version higher than 22.
Getting the top application package name of SDK version higher than 22
If the currently running application matches a banking application on the hijack list, the malicious code asks the C&C server for the counterfeit bank login interface and loads it in a WebView. For example, if you open the bank application com.garenti.cepsubesi, the Trojan sends a packageName + deviceId request and receives the matching phishing page. These phishing pages are plain HTML layouts, from which we can infer that this toolkit evolved from a website phishing kit into a mobile app hijacking one.
The analysis shows that the Trojan inserts a piece of JavaScript into the phishing page, which sends the bank account and password entered by the user to the server.
On remote command, the Trojan can switch on SMS blocking to intercept the authentication message sent by the bank, and then delete that message from the inbox.
The attacker thus obtains the victim's bank account, password, and verification message, and bypasses the two-factor authentication mechanism. The victim is not only incorporated into the attacker's mobile botnet but also becomes the attacker's personal cash machine.
Conclusion and Security Considerations
The BankBot Trojan can take over every function of your banking app, and it poses a huge risk that puts billions of financial accounts under constant threat. You are recommended to follow the precautions below to protect yourself from this Trojan.
1. Download applications only from official websites or trusted application marketplaces. Do not click on suspicious links, especially links sent by unfamiliar "friends" in text messages or chat tools such as QQ or WeChat.
2. If you are not sure whether your mobile phone has been infected, install mobile security software to check the applications on your phone and to block the installation of malicious apps.