Android Spyware 'Revive' Upgraded to Banking Trojan

Security researchers from Cleafy spotted a new Android Banking Trojan in the wild earlier this month.

Dubbed “Revive” because of its ability to restart itself automatically if it stops working, the tool reportedly belongs to a category of malware designed for persistent campaigns.

Writing in an advisory on Monday, Cleafy explained that Revive was developed for specific targets (currently, Spanish banks).

At the same time, the researchers added that the attack methodology behind Revive is similar to that of other banking trojans, since the malware still abuses accessibility services to perform keylogging and to intercept the victim's SMS messages.

Delivered through various social engineering techniques, the malicious app asks users upon installation to grant permissions related to SMS and phone calls.

Once the permissions have been granted, Revive would then redirect users to a cloned page (of the targeted bank) and prompt them to insert their credentials.

These would then be sent to the command and control infrastructure (C2) of the threat actors (TAs), alongside any two-factor authentication (2FA) or one-time password (OTP) codes sent via SMS or phone call by banks.

Finally, Revive would redirect victims to a generic home page with links to the legitimate bank website to avoid alarming users.
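The operational chain above (SMS and phone-call permissions requested at install, plus accessibility-service abuse for keylogging and SMS interception) leaves a footprint in an app's manifest that a defender can triage before the sample is ever executed. The following Python script is an added example, not Cleafy's tooling and not code from the Revive samples: it parses an AndroidManifest.xml and flags the combination the advisory describes. The two embedded manifests are constructed for illustration; the permission and action names are standard Android identifiers.

```python
"""Triage an Android manifest for the banking-trojan permission pattern.

Added example (not from the advisory, not from Revive): flags manifests that
request SMS *and* phone-call permissions and also declare an accessibility
service, the combination described for Revive. Real Android identifiers are
used; the sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERM = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app read or receive SMS (2FA/OTP interception).
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Permissions related to phone calls and call state.
CALL_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
    "android.permission.ANSWER_PHONE_CALLS",
}
# Either of these on a <service> marks it as an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text: str) -> dict:
    """Return which risky capabilities a manifest requests and whether the
    full SMS + calls + accessibility-service pattern is present."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}

    accessibility_services = []
    for svc in root.iter("service"):
        binds = svc.get(ATTR_PERM) == ACCESSIBILITY_BIND
        handles_action = any(
            a.get(ATTR_NAME) == ACCESSIBILITY_ACTION for a in svc.iter("action")
        )
        if binds or handles_action:
            accessibility_services.append(svc.get(ATTR_NAME))

    sms = sorted(requested & SMS_PERMS)
    calls = sorted(requested & CALL_PERMS)
    return {
        "sms": sms,
        "calls": calls,
        "accessibility_services": accessibility_services,
        # All three capabilities together is the pattern worth escalating.
        "matches_pattern": bool(sms and calls and accessibility_services),
    }


# Constructed manifest showing the pattern described in the advisory.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspect">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: a camera app with no SMS or call access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".UploadService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The script deliberately escalates only on the full combination: an SMS app legitimately needs `RECEIVE_SMS`, and screen readers legitimately bind an accessibility service, so either capability alone is a weak signal. In an APK-ingest pipeline the same function runs over the decoded manifest and its result feeds a review queue rather than an automatic block, since, as the advisory notes, AV detection for such samples can lag.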

An initial analysis of Revive’s code showed that both of the samples obtained by Cleafy currently have a very low detection rate by Antivirus solutions (AVs), possibly because they are still under development.

In terms of similarities with existing malware, the security researchers said the malicious actors behind Revive took inspiration from the open-source spyware ‘Teardroid’: both tools appear to be based on FastAPI, a web framework for developing RESTful APIs in Python, and sections of the two codebases seem to be similar.

However, the threat actors behind Revive would then have modified it to perform account takeover (ATO) attacks. Because of this difference, Cleafy classified Revive as a banking trojan rather than simply spyware.

The discovery of Revive comes days after Cleafy upgraded the classification of the BRATA Android malware group to advanced persistent threat (APT).