Asacub Hybrid Banking-Spyware Trojan Skyrockets in Usage

Written by

The Kaspersky Lab Anti-Malware Research team has discovered a spike in the use of Asacub, a malware that targets Android users for financial gain.

While the Trojan has been around for at least six months, for some time, the company’s threat detection systems found almost no sign of active Asacub campaigns until the end of 2015. But now, within just one week, Kaspersky Lab has identified more than 6,500 attempts to infect users.

That makes it one of the five most popular mobile Trojans, and the most popular Trojan-banker to date.

This baddie is a hybrid of sorts: The first version of the Asacub Trojan, discovered in June of 2015, was capable of stealing contact lists, browser history and list of installed apps, sending SMS messages and also blocking the screen of an infected device—generally speaking, these are all standard functions for a typical information-stealing Trojan.

However, more recently, Kaspersky Lab experts discovered several new versions of the Asacub Trojan, showing that it had transformed into a tool for stealing money. For example, the new version included phishing pages that could mimic log-in pages of banking applications.

“These new versions also contained a new set of functions including call redirection and the ability to send USSD requests (a special service for interactive non-voice and non-SMS communications between the user and cellular provider), which made Asacub a very powerful tool for financial fraud,” Kaspersky said.

Also, at first it looked like Asacub was targeting only Russian-speaking users, because the modifications contained fake log-in pages of Russian and Ukrainian banks. After further investigation, Kaspersky Lab experts found a modification with fake pages of a large US bank.

It also turns out that the Asacub malware has connections to criminals with links to a Windows-based spyware called CoreBot.

“The domain used by Asacub’s Command & Control center is registered to the same person as tens of domains that were used by CoreBot,” said Roman Unuchek, senior malware analyst at Kaspersky Lab USA, in an analysis. “It is therefore highly likely that these two types of malware are being developed or used by the same gang, who see huge value and criminal gain in exploiting mobile banking users.”

With millions of people worldwide using their smartphones to pay for goods and services, 2015 saw the first mobile banking Trojan enter the top 10 most-prevalent malicious programs targeting finances.

“Based on current trends, we can assume that in 2016, the development and prevalence of mobile banking malware will continue to grow and account for an even greater share of malware attacks,” said Unuchek. “Consumers need to be extra-vigilant to ensure they don’t become the next victim.”

Photo © OneSmallSquare

What’s hot on Infosecurity Magazine?