BankBot Spreads via Utility Apps in Google Play

Monday, September 18, 2017

Ionut Arghire


Several utility applications distributed through Google Play have been found to carry the BankBot Android banking Trojan, TrendMicro reports.

Initially spotted in the beginning of 2017, when its source code leaked online, BankBot has been highly active throughout the year. Between April and July, the malware slipped into Google Play inside infected entertainment applications or posing as banking software; it now appears to have switched to utility apps.

Designed to steal users' online banking credentials via phishing pages, the malware requests device administrator privileges on the infected device to carry out its routines. In addition to stealing login credentials, it can intercept and send SMS messages, retrieve the contact list, track the device's location, and make calls.

According to TrendMicro, the malware managed to infect four utility apps in Google Play, and might have impacted thousands of users. One BankBot application, the security researchers reveal, has been downloaded over 5000 times.

Like previous variants, the new iteration targets legitimate banking applications. The researchers noticed that, while it still targets banks in 27 countries, this variant has added phishing pages for ten more United Arab Emirates (UAE) banking apps.

On an infected device, BankBot enumerates the installed packages and, if it finds a targeted banking app, connects to the command and control (C&C) server and uploads the target's package name and label. The server responds with a URL from which the malware downloads a library containing the files needed for the overlay page it displays on top of the banking app.
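The capabilities described above (an overlay drawn over other apps, device-administrator rights, SMS interception, contacts, calls, location) are all declared up front in an app's manifest, which makes a static triage pass a cheap first check. The script below is an added example, not code from TrendMicro or from the article; it assumes the manifest has already been decoded from the APK (for instance with apktool), and the two manifests embedded in it are constructed for illustration, not taken from a real sample. It flags the pairing the overlay-phishing scheme needs, overlay ability combined with SMS access or device-admin, rather than any single permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS

# Capabilities the article attributes to BankBot, mapped to the manifest
# permissions that grant them. Any one permission from a set is enough.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS",
            "android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calls": {"android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed sample (hypothetical package name, not a real app): a
# "flashlight" utility whose decoded manifest declares the BankBot-style set.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign counterpart: a flashlight that only asks for the camera.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Torch"/>
</manifest>
"""


def parse_capabilities(manifest_xml):
    """Return (package, set of capabilities) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {c for c, grants in CAPABILITIES.items() if perms & grants}
    # Device-admin abuse shows up as a receiver guarded by BIND_DEVICE_ADMIN.
    for rcv in root.iter("receiver"):
        if rcv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            caps.add("device_admin")
    # A high-priority SMS_RECEIVED filter is how a trojan sees one-time codes
    # before the stock messaging app does.
    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        prio = flt.get(PRIORITY)
        if "android.provider.Telephony.SMS_RECEIVED" in actions and prio and int(prio) > 0:
            caps.add("sms_intercept")
    return root.get("package"), caps


def triage(manifest_xml):
    """Flag overlay ability paired with SMS access or device-admin rights."""
    package, caps = parse_capabilities(manifest_xml)
    suspicious = "overlay" in caps and bool({"sms", "sms_intercept", "device_admin"} & caps)
    return {"package": package, "capabilities": sorted(caps), "suspicious": suspicious}


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

This is a heuristic, not a verdict: messaging apps and launchers legitimately hold several of these permissions, and, as the paragraph above notes, the overlay content itself is fetched from the C&C server at runtime, so a manifest check catches the declared capability, not the payload. Treat a hit as a reason to pull the sample into dynamic analysis.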

The overlays are designed to look like the legitimate login pages, so users enter their credentials without realizing the page is fake.

BankBot also packs a series of evasion techniques: it will not run unless it is on a real device and a targeted banking app is installed, and it avoids devices located in Commonwealth of Independent States (CIS) countries.

For the UAE banking apps, the malware performs an additional step: it prompts the user to enter a phone number, the server sends a code to the victim via Firebase Message, and the victim is asked to input banking details only after entering that PIN. Even when the banking information is correct, BankBot then shows an "error screen" and asks the user to enter the credentials again.

"Apparently, the author of BankBot wants to verify the banking details of their victims. They ask for the details twice, just in case users input it incorrectly at first. BankBot will send the stolen data to the C&C server only after account information is entered twice," the TrendMicro researchers say.

BankBot's widened reach and its experimentation with new techniques are concerning, TrendMicro points out, citing research that mobile banking users in the Middle East and Africa are expected to exceed 80 million by 2017.

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Source Code for BankBot Android Trojan Leaks Online

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.