It’s a case of déjà vu for one particular Android banking Trojan, which has popped up again after being removed from Google Play at the start of the year.
The newest version of the BankBot Trojan was spotted in ‘Jewels Star Classic’, a knockoff of a popular gaming series Jewels Star by developers ITREEGAMER.
ESET researcher Lukas Stefanko says BankBot is a remotely-controlled Android banking Trojan that is able to harvest banking details by using fake login forms for many apps, intercept text message to bypass two-factor authentication, and it is also able to display unsolicited push notifications.
While the game functions properly, the banking malware launches when users first execute the app. It takes 20 minutes for the malicious service to be triggered.
If users click ‘OK’ on a dialogue that asks to launch Google Service, which creates a new service. The service appears to show a description taken from Google’s original terms of service.
“When the user decides to activate the service, they see a list of required permissions: Observe your actions, Retrieve window content, Turn on Explore by Touch, Turn on enhanced web accessibility and Perform gestures,” Stefanko states.
“Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity.”
“In practice, after accepting the permissions, the user is briefly denied access to their screen due to ‘Google service update’ – needless to say, not initiated by Google – running in the foreground.”
The malware then mines accessibility permissions while the system appears to update. The Trojan can:
- Allow installing apps from unknown sources
- Install BankBot from assets and launch it
- Activate device administrator for BankBot
- Set BankBot as default SMS messaging app
- Obtain permission to draw over other apps
It then attempts to steal credit card details by overlaying the genuine Google Play app with a fake form that requests victims’ credit card details. If users fall for it, attackers now have access to the data. They can then bypass two-factor SMS authentication for a user’s banking login and gain full access to accounts.
The Trojan is the first variant in its history to combine all aspects of its evolution including code obfuscation, sophisticated payload dropping and an infection method that uses Android Accessibility Service.
Stefanko says BankBot is dangerous because it is difficult for users to identify the threat, thanks to the 20-minute time delay and Google impersonation.
Researchers have alerted Google about the malicious app. Approximately 5000 users installed it before it was removed from Google Play.
ESET offers the following tips for those who download various apps from Google Play.
Checking your device for Jewels Star Classic is not enough, as the attackers frequently change up the apps misused for BankBot’s distribution. To see if your device has been infected, we recommend you go after the following indicators:
- Presence of an app named “Google Update” (found under Settings > Application manager/Apps > Google Update)
- Active device administrator named “System update” (found under Settings > Security > Device administrators).
- Repeated appearance of the “Google Service” alert
To avoid downloading mobile malware, ESET suggests the following:
- Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which doesn’t have to be the case with alternative stores.
- When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews.
- After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for intrusive permissions – even more so if accessibility-related – read them with caution and only grant them if absolutely sure of the app’s reliability.