BankBot Resurfaces in Google Play with New Tricks

Written by

BankBot, the dangerous Android banking trojan first uncovered earlier this year, has made its way to Google Play again, disguised as a popular gaming app.

Calling itself Jewels Star Classic—in an effort to be conflated with a legitimate mobile game called simply Jewels Star—the malicious app was installed by up to 5,000 users before being removed from the store by Google.

According to ESET, when the unsuspecting user downloads Jewels Star Classic, they get a functioning Android game—with a banking malware payload lurking inside the game’s resources, and a malicious service waiting to be triggered after a pre-set delay.

The malicious service is triggered after 20 minutes from the first execution of Jewels Star Classic. A pop-up appears, prompting the user to enable something named “Google Service.” After clicking on OK, which is the only way to stop the alert from appearing, the user is taken to the Android Accessibility menu, users see a list of required permissions: Observe your actions, retrieve window content, turn on Explore by Touch, turn on enhanced web accessibility and perform gestures. Clicking on OK grants accessibility permissions to the malware’s own accessibility service.

“By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity,” ESET researchers said, in a posting.

The malware then uses the accessibility permissions to install and launch BankBot, set it as the default SMS messaging app (for capturing two-factor authentication messages) and obtain permission to draw over other apps. From there, BankBot steals the victim’s credit card details.

“In this campaign, the crooks have put together a set of techniques with rising popularity among Android malware authors – abusing Android Accessibility Service, impersonating Google and setting a timer delaying the onset of malicious activity to evade Google’s security measures,” researchers said. “The techniques combined make it very difficult for the victim to recognize the threat in time.”

BankBot has been evolving throughout the year since it was first discovered impersonating hundreds of Google Play apps—it has since resurfaced in different versions both on and outside Google Play.

“The variant we discovered on Google Play on September 4 is the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service,” researchers said. “Misuse of Android Accessibility has been previously observed in a number of different trojans, mostly outside Google Play. Recent analyses from SfyLabs and Zscaler have confirmed that the crooks spreading BankBot managed to upload an app with the Accessibility-abusing functionality to Google Play, only without the banking malware payload.”

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit

What’s hot on Infosecurity Magazine?