Asacub history: from spyware to malware
Security researchers recently carried out an in-depth analysis of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub and found that its set of malicious functions has kept growing with each new version.
Earlier versions
The Trojan was first detected in early June 2015, and at that point its features resembled spyware. Early Asacub samples stole all text messages and uploaded them to malicious servers. They received and executed the following commands from the C&C server:
1. get_history: Upload the browser history to the server
2. get_contacts: Upload the mobile phone address book to the server
3. get_listapp: Upload the list of installed applications to the server
4. block_phone: Disable the mobile phone screen
5. send_sms: Send specific text to a specified number
Evolutionary version
A new version of Asacub was found in mid-July 2015. This version shows the logo of a European bank on its interface, whereas the earlier version mainly used the logo of an American bank.
The following C&C server commands were also added:
1. get_sms: Upload all text messages to the server
2. del_sms: Delete the specified SMS
3. set_time: Set a new interval for contacting the C&C server
4. get_time: Retrieve the current C&C contact interval
5. mute_vol: Set the phone to mute
6. start_alarm: Enable a mode in which the processor keeps working even while the phone's screen is off
7. stop_alarm: Disable that mode
8. block_phone: Disable the mobile phone screen
9. rev_shell: Allow attackers to remotely execute commands on the device
10. intercept_start: Enable SMS interception mode
11. intercept_stop: Disable SMS interception mode
One command deserves special attention: rev_shell. When it is received, Asacub connects the remote server to the console of the infected device, letting attackers execute commands on the device and view their output. This is a typical backdoor function and is rarely seen in banking malware, because banking malware is primarily intended to make a profit rather than to control devices.
The version of Asacub found in September 2015 focuses more on stealing banking information. Previous versions only displayed a bank logo, but in this version several phishing screens built around bank logos were found.
Phishing Interface
The code behind this screen is the class "ActivityVTB24", whose name resembles that of a large Russian bank, while the text displayed on the screen refers to the Ukrainian bank Privat24.
The phishing screen first appeared in the versions from September onward, but it was only used for bank card entry. This means the attackers target only the customers of the bank whose interface they imitate. Once started, the malware begins stealing all text messages and can also execute the following commands:
1. get_history: Upload the browser history to the server
2. get_contacts: Upload the mobile phone address book to the server
3. get_cc: The phishing interface is displayed to obtain bank card information.
4. get_listapp: Upload the list of installed applications to the server
5. change_redir: Enable call transfer to a specified number.
6. block_phone: Disable the mobile phone screen
7. send_ussd: run the specified USSD request.
8. update: download and install the file with the specified Link
9. send_sms: Send specific text to a specified number
Latest Version
At the end of 2015, researchers discovered a new version of Asacub, which can execute the following new commands:
1. GPS_track_current: Obtain the device's coordinates and send them to the attacker
2. camera_shot: Take a picture with the camera
3. network_protocol: No operation corresponding to this command was found, but it suggests the protocol used between the malware and the C&C server may change in the future
This version does not update the phishing screens, but its code still references the bank: it attempts to shut down the official app of a Ukrainian bank.
Code that disables the bank's official software
Summary
Although we have not been affected by Asacub attacks, the Trojan's misuse of the Bank of America logo is a warning: Asacub is developing rapidly, and new malicious functions may be activated at any time. This means that any mobile phone user could become the next victim. Security vendors are advised to provide users with protection against this malware.