An Android banking malware campaign has hit nearly 100 banks in the United States, Germany, France, Australia, Turkey, Poland and Austria.
According to Fortinet, the bad actors are targeting customers of large banks, looking to steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.
After the malware is installed, it can not only send and intercept SMS messages but also perform a factory reset to wipe the phone (with the potential for huge data loss for the user). It also lures the user into submitting credit card information by popping up a request for banking details any time an app is launched on the device. The malware is able to verify whether the card number submitted by the user is valid, and if it is, it pops up a fake “Verified by Visa” or “MasterCard SecureCode” view.
The malware also uses a screen overlay with a fake login window to lure users to submit their login credentials for banking apps, and then sends them to its C&C server. It contains modules to target the credentials for popular social media apps as well, including Facebook, Facebook Messenger, Whatsapp, Skype, Twitter, Viber, Instagram and Snapchat.
“This malware implements multiple malicious functionalities into a single app and takes full advantage of a successful infection,” Fortinet researchers said, in a blog. “The attacker can control the list of legitimate apps to be targeted via C&C commands.”
As for the infection chain, the malware masquerades as a Flash Player app to trick users into downloading it. When the user clicks the Flash Player icon and launches it, the action grants device administrator rights to the app through a fake Google Play service. Once enabled, this self-defense mechanism prevents the malware from being uninstalled from the device.
The app displays a screen overlay on top of any other apps, rendering them useless. The user has an option to cancel or activate, but if the user clicks the cancel button, the view is closed, and then just restarts—forcing the user to click “activate” to get rid of it. This grants the malware full device administrator rights. The Flash Player icon is then hidden from the launcher, but the malware remains active in the background.
“It is not surprising that Android malware is becoming more trigger-based and evasive. As users are increasingly relying on their smartphones for security-critical operations such as banking, cybercriminals are leveraging these new activities to collect information about two-factor authentication messages, or credentials to spread malware through social network accounts,” said Giovanni Vigna, Lastline co-founder and CTO, via email. “However, trigger-based malware is only one side of the coin—there's also usability issues. In a smartphone environment, it is also difficult to understand which application is actually running at a specific moment. This leaves the smartphone open to phishing and clickjacking attacks, in which malware waits in the background until a specific app is launched. At the time of the user application launch, the malware takes control of the device and presents to the user a login page similar to the one the user intends to use (e.g., Facebook). By doing this, the malware can collect credentials that are later used for spreading malware and performing social engineering attacks.”
Fortunately, there are two methods to uninstall the malware. The first is for the user to disable the device administrator rights in Settings -> Security -> Device administrators -> Google Play Service -> Deactivate, and then uninstall the fake ‘Flash Player’ via Settings -> Apps -> Flash-Player-update -> Uninstall.
Fortinet researchers also said that if the user is stuck in the loop where the malware repeatedly creates a screen overlay to request device administrator rights, the user cannot access Settings because the screen overlay always displays on top. In this case, the user can uninstall the malware via the Android Debug Bridge by using this command: adb uninstall [packagename].
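The remediation above relies on the user spotting a device administrator whose label imitates Google Play but which was never installed by Google. The following added example (not Fortinet's code or anything from the article) shows how a triage or security app could automate that check with the public DevicePolicyManager API: it enumerates active device admins, reads both the application label and the admin receiver's label, and flags any entry that claims to be "Google Play" while living outside Google's own packages. The package name list, the com.example.triage package and the Finding/remediationHint helpers are assumptions for illustration; the remediation text simply echoes the two routes the article gives.

```java
package com.example.triage;   // hypothetical package name

import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Lists active device administrators and flags ones whose label imitates
 * "Google Play" but whose package is not one of Google's own.
 * Added example for illustration; not the article's or Fortinet's code.
 */
public class DeviceAdminAudit {

    // Google's own packages that may legitimately carry a "Google Play" label
    // (Play Store and Play Services). Assumption: treat anything else as untrusted.
    private static final String[] GOOGLE_PACKAGES = {
            "com.android.vending", "com.google.android.gms"
    };

    /** One active device admin plus the verdict for it. */
    public static final class Finding {
        public final String packageName;
        public final String appLabel;
        public final String adminLabel;
        public final boolean suspicious;

        Finding(String packageName, String appLabel, String adminLabel, boolean suspicious) {
            this.packageName = packageName;
            this.appLabel = appLabel;
            this.adminLabel = adminLabel;
            this.suspicious = suspicious;
        }
    }

    /** Enumerate every active device admin on the device and classify it. */
    public static List<Finding> audit(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();

        List<ComponentName> admins = dpm.getActiveAdmins();   // null when none are active
        if (admins == null) {
            return findings;
        }
        for (ComponentName admin : admins) {
            String pkg = admin.getPackageName();
            String appLabel = "<unknown>";
            String adminLabel = "<unknown>";
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                appLabel = String.valueOf(pm.getApplicationLabel(ai));
                // The label shown in Settings -> Device administrators comes from the
                // DeviceAdminReceiver component, which malware can name independently.
                adminLabel = String.valueOf(pm.getReceiverInfo(admin, 0).loadLabel(pm));
            } catch (PackageManager.NameNotFoundException e) {
                // Package vanished between enumeration and lookup; keep the placeholders.
            }
            boolean suspicious = looksLikeImpostor(pkg, appLabel)
                    || looksLikeImpostor(pkg, adminLabel);
            findings.add(new Finding(pkg, appLabel, adminLabel, suspicious));
        }
        return findings;
    }

    /** True when the label claims to be Google Play but the package is not Google's. */
    static boolean looksLikeImpostor(String pkg, String label) {
        boolean claimsGooglePlay = label.toLowerCase(Locale.ROOT).contains("google play");
        boolean isGooglePackage = false;
        for (String g : GOOGLE_PACKAGES) {
            if (g.equals(pkg)) {
                isGooglePackage = true;
            }
        }
        return claimsGooglePlay && !isGooglePackage;
    }

    /** Human-readable remediation matching the two routes the article describes. */
    public static String remediationHint(Finding f) {
        return "Settings -> Security -> Device administrators -> " + f.adminLabel
                + " -> Deactivate, then uninstall the app; if an overlay blocks Settings,"
                + " use: adb uninstall " + f.packageName;
    }
}
```

A security app would call audit() on a schedule or on boot and surface any Finding with suspicious set; the verdict deliberately checks both labels, because the string the user sees in the Device administrators screen is the receiver's label, not necessarily the app's.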
Frederik Mennes, senior manager for Market & Security Strategy at the Security Competence Center at VASCO Data Security, said that attacks like these can and should be foiled on the code-building side.
"Incidents like the Android Flash Player malware attack highlight the need for banking applications to build in Runtime Application Self-Protection (RASP) capabilities so that the application is protected against advanced attacks,” he told us. “If errant behavior is detected, like the pop-up of an overlay when the user wants to log onto the mobile banking application, RASP capabilities can prevent the user’s credentials from being stolen.”
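One concrete RASP measure of the kind Mennes describes is to make the login controls refuse input that arrives through another window. Android flags a touch event when the receiving window was obscured by an overlay at the time of the touch, and a view can drop such events before any credential handler runs. The added example below (not VASCO's product, nor code from the article) shows a login button that does exactly that, plus an optional call that asks Android 12 and later to hide non-system overlays while the login window is visible. The com.example.bank.rasp package and the OverlayListener callback are assumptions for illustration.

```java
package com.example.bank.rasp;   // hypothetical package name

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.view.Window;
import android.widget.Button;

/**
 * Login button that refuses touches delivered while another window
 * (for example a malicious screen overlay) is drawn on top of it.
 * Added example for illustration; not code from the article.
 */
public class ObscuredAwareLoginButton extends Button {
    private static final String TAG = "RASP";

    /** Hypothetical callback so the app can log or block the session. */
    public interface OverlayListener {
        void onObscuredTouch(boolean fullyObscured);
    }

    private OverlayListener listener;

    public ObscuredAwareLoginButton(Context ctx) {
        super(ctx);
        init();
    }

    public ObscuredAwareLoginButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        init();
    }

    private void init() {
        // Ask the framework to discard touches when the window is fully obscured.
        setFilterTouchesWhenObscured(true);
    }

    public void setOverlayListener(OverlayListener l) {
        this.listener = l;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists from Android 10 (API 29).
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (fullyObscured || partiallyObscured) {
            Log.w(TAG, "Login touch arrived through an overlay; dropping it");
            if (listener != null) {
                listener.onObscuredTouch(fullyObscured);
            }
            return false;   // event is swallowed; the click handler never fires
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    /**
     * Ask the system to hide non-system overlays while the login window is shown.
     * Available from Android 12 (API 31); requires the
     * android.permission.HIDE_OVERLAY_WINDOWS permission in the manifest.
     */
    public static void hardenWindow(Window window) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true);
        }
    }
}
```

The login activity would call ObscuredAwareLoginButton.hardenWindow(getWindow()) in onCreate and register an OverlayListener that, for instance, clears the password field and records the event for the bank's fraud team; the touch filtering itself needs no permission and works on every Android version that a banking app still supports.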