A new family of financial malware, dubbed Gugi/Fanta/Lime, has emerged on the scene. It can bypass the standard security protocols of an Android operating system (version 6).
The malware seeks system privileges and user credentials, and once it gains them, it acquires complete control of the Android device.
Comodo Threat Research Labs (CTRL) detected the malware to be active in Russia, but said that it expects it to spread worldwide.
Cyber-criminals employ social engineering and phishing to initiate the infection. They send out spam messages that contain a hyperlink. If the user is not wary enough and clicks on it, he or she is taken to a malicious website and is asked to click on another link. Clicking then initiates download of Trojan-Banker.AndroidOS.Gugi.c onto the user’s device.
From there, it seeks seemingly authentic permission requests, which are in actuality permissions for app overlay, device administrator rights; send, view and receive SMS and MMS; make calls, read and write contacts; and more. It also requests permission for BuildConfig, HindeKeybroad and ContextThemeWrapper, and acquires phone details.
The malware actually “forces” the user to grant all the needed permissions, CTRL explained, in a blog. If the user denies permission at any time, then the Gugi/Fanta/Lime Trojan will completely block the infected device. To regain access to the device, the user has no other option other than to reboot in safe mode and then try to remove/uninstall the Trojan using security solutions.
Once the permissions are granted, the trojan places an authentic looking counterfeit interface program layer over a genuine application such as the Google Play Store or other mobile banking apps. From there, crooks can intercept the login credentials and other sensitive information, such as credit card and debit card details.
Photo © Balefire