
Android banking Trojan stalks Google Play - again

27 Sep 17

It’s a case of déjà vu for one particular Android banking Trojan, which has popped up again after being removed from Google Play at the start of the year.

The newest version of the BankBot Trojan was spotted in ‘Jewels Star Classic’, a knockoff of the popular Jewels Star gaming series by developer ITREEGAMER.

ESET researcher Lukas Stefanko says BankBot is a remotely controlled Android banking Trojan that harvests banking details by displaying fake login forms for many apps, intercepts text messages to bypass two-factor authentication, and is also able to display unsolicited push notifications.

The game itself works as advertised, but the banking malware is launched the first time the app is run; the malicious service is only triggered 20 minutes later.

At that point users are shown a dialogue asking them to launch a so-called Google Service; clicking ‘OK’ creates a new service, which appears with a description taken from Google’s original terms of service.

“When the user decides to activate the service, they see a list of required permissions: Observe your actions, Retrieve window content, Turn on Explore by Touch, Turn on enhanced web accessibility and Perform gestures,” Stefanko states.

“Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity.”

“In practice, after accepting the permissions, the user is briefly denied access to their screen due to ‘Google service update’ – needless to say, not initiated by Google – running in the foreground.”

The malware then misuses the granted accessibility permissions while the system appears to be updating. The Trojan can:

  • Allow installing apps from unknown sources
  • Install BankBot from assets and launch it
  • Activate device administrator for BankBot
  • Set BankBot as default SMS messaging app
  • Obtain permission to draw over other apps

It then attempts to steal credit card details by overlaying the genuine Google Play app with a fake form that requests the victim’s credit card details. If users fall for it, the attackers hold the card data. Because BankBot can also intercept text messages, they can then bypass SMS-based two-factor authentication for the user’s banking login and gain full access to the accounts.

The Trojan is the first variant in its history to combine all aspects of its evolution including code obfuscation, sophisticated payload dropping and an infection method that uses Android Accessibility Service.

Stefanko says BankBot is dangerous because it is difficult for users to identify the threat, thanks to the 20-minute time delay and Google impersonation.

Researchers have alerted Google about the malicious app. Approximately 5000 users installed it before it was removed from Google Play.

ESET offers the following tips for those who download various apps from Google Play.

Checking your device for Jewels Star Classic is not enough, as the attackers frequently change the apps misused for BankBot’s distribution. To see if your device has been infected, we recommend checking for the following indicators:

  • Presence of an app named “Google Update” (found under Settings > Application manager/Apps > Google Update)
  • Active device administrator named “System update” (found under Settings > Security > Device administrators)
  • Repeated appearance of the “Google Service” alert
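The manual checks above, together with the list of privileges the Trojan grants itself (unknown sources, device administrator, default SMS app, accessibility service), can be turned into a triage script run over a USB-attached device. The following is an added example written for this article; it is not ESET’s code and not the malware’s. It parses the text output of standard `adb shell` commands (`pm list packages -3 -i`, `dumpsys device_policy`, `settings get secure …`), flags any third-party package that holds one of those roles without being on an allowlist, and raises a high-confidence finding for a sideloaded package that also holds device-admin or accessibility rights, which is exactly the combination the article describes. The allowlists, the `com.example.*` package names and the sample command outputs are constructed, and the `dumpsys` layout may differ slightly between Android versions.

```python
"""Triage a device for the BankBot-style indicators described in the article.

Added example (not ESET's or the article's code). Pure parsing functions take
the text of adb commands so they can be exercised offline on constructed
samples; triage_device() runs the real commands against an attached device.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Packages expected to hold these roles on a stock device (constructed
# allowlists; adapt them to the fleet you are checking).
EXPECTED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
EXPECTED_DEVICE_ADMINS = {"com.google.android.gms"}


@dataclass
class Findings:
    unknown_sources: bool = False            # "install from unknown sources" enabled
    rogue_admins: List[str] = field(default_factory=list)
    rogue_accessibility: List[str] = field(default_factory=list)
    rogue_sms_app: Optional[str] = None
    sideloaded: List[str] = field(default_factory=list)  # third-party, installer=null

    def high_confidence(self) -> List[str]:
        """Sideloaded package that also holds admin or accessibility rights:
        the privilege chain the article attributes to BankBot."""
        privileged = set(self.rogue_admins) | set(self.rogue_accessibility)
        return sorted(privileged & set(self.sideloaded))


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """`pm list packages -3 -i` prints 'package:<pkg>  installer=<pkg or null>'.
    -3 restricts to third-party apps, so installer=null means sideloaded
    (system apps would otherwise also show null)."""
    result: Dict[str, Optional[str]] = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M):
        result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result


def parse_device_admins(dumpsys_output: str) -> List[str]:
    """`dumpsys device_policy` lists active admins as ComponentInfo{pkg/cls}."""
    return sorted({m.group(1) for m in re.finditer(r"ComponentInfo\{([^/}]+)/", dumpsys_output)})


def parse_accessibility_services(setting_value: str) -> List[str]:
    """`settings get secure enabled_accessibility_services` is a ':'-separated
    list of pkg/cls components, or 'null' when nothing is enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return sorted({entry.split("/", 1)[0] for entry in value.split(":") if entry})


def triage(pm_output: str, dumpsys_output: str, accessibility_value: str,
           sms_default_value: str, unknown_sources_value: str) -> Findings:
    """Combine the parsed command outputs into a Findings record."""
    f = Findings()
    f.unknown_sources = unknown_sources_value.strip() == "1"
    f.rogue_admins = [p for p in parse_device_admins(dumpsys_output) if p not in EXPECTED_DEVICE_ADMINS]
    f.rogue_accessibility = [p for p in parse_accessibility_services(accessibility_value)
                             if p not in EXPECTED_ACCESSIBILITY]
    sms = sms_default_value.strip()
    f.rogue_sms_app = sms if sms not in ("", "null") and sms not in EXPECTED_SMS_APPS else None
    f.sideloaded = sorted(p for p, inst in parse_installers(pm_output).items() if inst is None)
    return f


# Constructed sample outputs, shaped like the real commands' output, for a
# device infected in the way the article describes (package names are placeholders).
SAMPLE_PM = """package:com.example.game  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.google.android.apps.messaging  installer=com.android.vending
"""
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakeupdate/com.example.fakeupdate.Admin}:
      uid=10234
"""
SAMPLE_ACCESSIBILITY = "com.example.fakeupdate/com.example.fakeupdate.GoogleService"
SAMPLE_SMS_DEFAULT = "com.example.fakeupdate"
SAMPLE_UNKNOWN_SOURCES = "1"


def adb(*args: str) -> str:
    """Run an `adb shell` command against the attached device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def triage_device() -> Findings:
    """Live check; requires adb and one attached, authorised device."""
    return triage(
        adb("pm", "list", "packages", "-3", "-i"),
        adb("dumpsys", "device_policy"),
        adb("settings", "get", "secure", "enabled_accessibility_services"),
        adb("settings", "get", "secure", "sms_default_application"),
        adb("settings", "get", "secure", "install_non_market_apps"),
    )


if __name__ == "__main__":
    findings = triage_device()
    print(findings)
    print("high-confidence:", findings.high_confidence())
```

The allowlists deliberately err on the side of false positives: on a personal device a legitimately installed third-party SMS client or screen reader will be flagged, and a reviewer then decides. A sideloaded package that also appears under `dumpsys device_policy` or in `enabled_accessibility_services` is what warrants immediate removal, and `install_non_market_apps` should be switched back off afterwards.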

To avoid downloading mobile malware, ESET suggests the following:

  • Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which is not necessarily the case with alternative stores.
  • When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews.
  • After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for intrusive permissions – even more so if accessibility-related – read them with caution and only grant them if absolutely sure of the app’s reliability.