Security researchers have discovered new Android malware masquerading as a “Google Service Framework” which combines privacy leakage, banking theft and remote access capabilities in one.
FireEyes's Jinjian Zhai and Jimmy Su blogged that the HijackRAT developer and victims are Korean speakers and that the malware is detected by only 5 of 54 AV vendors, according to Virus Total.
“Such new malware is published quickly partly because the CNC server, which the hacker uses, changes so rapidly,” they wrote.
Once the app is installed a “Google Services” icon appears on the homescreen which, if clicked on, asks for administrative privilege. The uninstall option will then be disabled and the icon removes itself from the homescreen, they revealed.
After connecting the C&C server, the malware will be told to carry out a range of malicious tasks.
These include uploading user details from the device such as phone number, device ID and address book contacts.
If any banking apps have been installed on the handset the malware will scan and log them.
The C&C server also sends a request – “POP WINDOW” – to replace the existing bank apps.
“The eight banking apps require the installation of ‘com.ahnlab.v3mobileplus’ which is a popular anti-virus application available on Google Play. In order evade any detections, the malware kills the anti-virus application before manipulating the bank apps,” FireEye wrote.
“Then, the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref… The malware will then try to download an app, named after ‘update’ and the bank’s short name from the CNC server, simultaneously uninstalling the real, original bank app.”
The malware is also apparently capable of uploading SMS messages from the device to the C&C server, and of sending new ones.
More worrying still, the C&C server has been observed sending a command “BANK HIJACK” to the malware.
It begins by installing a fake app from the C&C server, however, the developers have not yet finished coding the subsequent steps, FireEye said.
“The hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished,” said Su and Zhai.
“Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon.”