The SlemBunk Android banking trojan identified late last year has turned out to be more persistent than originally thought—and is being used as part of an ongoing and evolving campaign.
SlemBunk attempts to steal the login credentials of mobile banking users; when specified banking apps are launched, the malware lurking on the device leaps to action, with the ability to phish for and harvest authentication credentials, sending them to a remote server.
FireEye had originally identified more than 170 SlemBunk samples that targeted users of 33 mobile banking apps, whose service regions cover three major continents: North America, Europe and Asia Pacific. Early SlemBunk samples turned up in the form of apps that masquerade as common, popular applications and essential tools, or porn apps—all of which stay incognito after running for the first time. But now, the malware attack is developing into a more organized campaign, with highly customized CnC servers that use an administration panel to manage the campaigns, and a drive-by download approach.
“The registration records of the relevant domains suggest that this campaign activity is very recent, still ongoing, and possibly evolving into different forms,” FireEye researchers said in a technical analysis.
For one, recent versions of the baddie have developed a much longer attack chain than seen originally. A drive-by download starts the prolonged process, and already, this is notable: Drive-by downloads can make it easier to reach more victims than simply relying on app installations, as the early iterations of the malware did.
That first step also only puts a first app onto the victim’s device—which isn’t even the payload.
“Before the invocation of the actual SlemBunk payload, up to three apps have to land on the device in order to fire the last deadly shot,” researchers noted in an analysis. “This makes it much harder for analysts to trace the observed attacks back to their actual origin, and thus the malware can have a more persistent existence on the victim’s device.”
That initial dropper optionally uses a packer to hide its own payload, and thus runtime unpacking is needed to recover the second app: the SlemBunk downloader. The downloader app then queries a customized CnC server for the SlemBunk payload, the final app in the attack chain.
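The three-stage chain described above (dropper, downloader, payload) is exactly the kind of lineage a defender wants to reconstruct from device telemetry. The following is an added example, not code from the article or from FireEye: it walks a list of package-install events back through their installer packages, flags any app whose lineage contains several sideloaded stages, and reports the first sideloaded app as the likely drive-by entry point. The event tuples and every package name are constructed for illustration, and the event format and the store allow-list are assumptions rather than any real MDM or Android log schema.

```python
"""
Added example (not from the article or FireEye): reconstruct a multi-stage
install lineage (dropper -> downloader -> payload) from package-install
events and flag chains with several sideloaded stages.
Event format and package names are constructed assumptions.
"""

# Assumed allow-list of trusted installers (Google Play); extend per fleet policy.
STORE_INSTALLERS = {"com.android.vending"}

# Constructed sample events: (timestamp, installed package, installer package).
SAMPLE_EVENTS = [
    (1000, "com.android.chrome", "com.android.vending"),
    (1100, "com.example.flash_update", "com.android.chrome"),      # drive-by via browser
    (1130, "com.example.stage2_dl", "com.example.flash_update"),   # dropper installs downloader
    (1200, "com.example.bank_helper", "com.example.stage2_dl"),    # downloader installs payload
    (1300, "com.example.notes", "com.android.vending"),            # benign store install
]


def build_chains(events):
    """Map each installed package to its install lineage, root installer first.

    Follows installer links until an installer with no recorded install event
    (or a cycle) is reached.
    """
    installer_of = {pkg: inst for _, pkg, inst in events}
    chains = {}
    for _, pkg, _ in events:
        chain, seen, cur = [pkg], {pkg}, pkg
        while cur in installer_of and installer_of[cur] not in seen:
            cur = installer_of[cur]
            chain.append(cur)
            seen.add(cur)
        chains[pkg] = list(reversed(chain))
    return chains


def flag_staged_installs(events, min_stages=3, store_installers=STORE_INSTALLERS):
    """Flag packages whose lineage has at least `min_stages` sideloaded apps.

    A stage is "sideloaded" when its installer is known and is not a trusted
    store. Returns {package: {"lineage": [...], "entry_point": first sideloaded app}}.
    """
    installer_of = {pkg: inst for _, pkg, inst in events}
    flagged = {}
    for pkg, chain in build_chains(events).items():
        sideloaded = [
            p for p in chain
            if installer_of.get(p) is not None and installer_of[p] not in store_installers
        ]
        if len(sideloaded) >= min_stages:
            # The first sideloaded app is the drive-by entry point to investigate.
            flagged[pkg] = {"lineage": chain, "entry_point": sideloaded[0]}
    return flagged


if __name__ == "__main__":
    for pkg, info in flag_staged_installs(SAMPLE_EVENTS).items():
        print(f"{pkg}: entry point {info['entry_point']}, lineage {' -> '.join(info['lineage'])}")
```

With the constructed events, only the third-stage package is flagged at the default threshold, and its reported entry point is the browser-delivered dropper, which is the stage an analyst would want to pivot on to find the hosting domain.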
Further, an administrative interface hosted on the CnC server implies that the CnC server is customizable and that the SlemBunk payload can easily adapt per the attacker’s specifications.
“SlemBunk is an evolving family of Android trojans that target mobile banking app users throughout the world,” researchers concluded. “The FireEye mobile research team will keep a close eye on this.”
Photo © Franck Boston