How Android Trojans steal users' mobile banking

Mobile banking is a very convenient way for users to complete transactions anytime and anywhere. KPMG predicts that the number of mobile banking users will grow to 0.18 billion by 2019. However, as the amount of money moving through mobile banking grows, attackers are looking for more creative ways to steal it.

Just last week, the Association of Banks in Singapore (ABS) announced a significant increase in the number of Android smartphones infected with mobile banking malware. We were keen to study this emerging threat in depth, and we soon found an Android malware sample that targets mobile banking apps, so we analyzed it further.

Installation

This mobile malware reaches the user's phone through another piece of malware, a standalone app, or a malicious website that tricks the user into downloading an "update" they know nothing about.

So far, every sample we have seen masquerades as Adobe Flash Player. The choice is not surprising: everyone knows the name "Adobe Flash Player" (a product hit by many vulnerabilities this year, including 0-days). The fake Flash Player requests far more permissions than a genuine application of this type would need (Android in fact does not even support Flash Player in some cases). The most striking request is to be activated as a device administrator, the highest privilege level on Android and one that malware readily abuses. In practice, device administrator privileges let the malware prevent users from force-stopping or uninstalling it, which makes it very hard to remove.

Figure 1: installation, permissions, and device administrator

Figure 2: malware requires device administrator privileges

A closer look at the malicious code

Trojan configuration data

As shown in Figure 3, the malware retrieves and decodes its configuration file. The configuration is Base64 encoded and, once decoded, split on the "@" delimiter so that it can be stored in an array.

Figure 3: code that retrieves the configuration file

The decoded Base64 configuration data reveals the C&C server, the target applications, the bank list, the C&C commands, and so on.

Figure 4: configuration data decoded from Base64

Whenever the malware needs a specific value, it looks it up in that array by a hard-coded integer index. In the code below, the integers 14 and 46 are the indexes of the configuration entries for the "type" and "device info" values. We can also see the C&C server and the code value the infected device uses to identify itself in its responses.

Figure 5: configuration indexes
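The configuration handling described above (one Base64 blob that decodes to "@"-separated fields, fetched by hard-coded index) lends itself to a triage check when analyzing a sample. The following Python is an added example, not the trojan's or FortiGuard's code: it tries each string pulled from an APK as such a config and, for hits, reports the C&C URL and Android package names together with their array index. The regexes, the MIN_FIELDS threshold and the sample strings are assumptions constructed for this example.

```python
import base64
import re
from typing import List, Optional

# Heuristics taken from the article: the configuration is one Base64 string that
# decodes to "@"-separated fields holding the C&C URL, target package names and
# command words. The regexes and MIN_FIELDS are assumptions of this added helper.
_URL_RE = re.compile(r"^https?://[\w.\-]+(:\d+)?(/.*)?$")
_PKG_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")
MIN_FIELDS = 4

def decode_config(blob: str) -> Optional[List[str]]:
    """Base64-decode a candidate string and split it on '@'; None if it is not Base64 text."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return raw.split("@")

def looks_like_config(blob: str) -> bool:
    """True when the decoded array holds at least one URL and two Android package names."""
    cfg = decode_config(blob)
    if cfg is None or len(cfg) < MIN_FIELDS:
        return False
    has_url = any(_URL_RE.match(f) for f in cfg)
    return has_url and sum(1 for f in cfg if _PKG_RE.match(f)) >= 2

def summarize(cfg: List[str]) -> dict:
    """Report C&C endpoints and package names with their index, i.e. what the client hard-codes."""
    return {
        "cnc": [(i, f) for i, f in enumerate(cfg) if _URL_RE.match(f)],
        "packages": [(i, f) for i, f in enumerate(cfg) if _PKG_RE.match(f)],
        "entries": len(cfg),
    }

def scan_strings(strings: List[str]) -> List[dict]:
    """Run the check over strings extracted from an APK and summarize every hit."""
    return [summarize(decode_config(s) or []) for s in strings if looks_like_config(s)]

# Constructed sample input: one invented config (values made up) among ordinary strings.
_FIELDS = ["http://c2.invalid:34580", "device", "com.dbs", "com.posb", "com.whatsapp", "sms", "start"]
SAMPLE_STRINGS = ["Lorem ipsum", base64.b64encode(b"hello world").decode(),
                  base64.b64encode("@".join(_FIELDS).encode()).decode()]
```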

Looking at the manifest file quickly tells us what the sample intends to do. As mentioned earlier, we are certain that this malware targets mobile banking and mobile payment users. The manifest is shown below:

Figure 6: Android manifest

The malware creates fake bank windows for phishing, in order to obtain the victim's banking details such as credit card number, billing address, bank username, PIN and password.

The following is the list of targeted banking and payment services found in our samples:

Figure 7: Target bank and Target payment service

Next, let's take a look at the core functions and main operations of malware, especially the series of data theft activities.

Phishing technique

When the victim opens a legitimate mobile banking or payment app, the malware simultaneously opens a counterfeit banking window and overlays it on top of the real one, so it is hard for the user to notice that a new window has been opened. The counterfeit window closely resembles the genuine one. A user can spot the difference by tapping other functions on the screen, such as the edit or menu controls: the fake interface does not respond, because the fake user interface does not implement those functions.

Figure 8: forged banking interface

Opening the multitasking view shows the two login pages: the first belongs to the legitimate application, the second to the forged Adobe Flash Player.

Figure 9: multi-task View

Some examples of the phishing windows are shown below:

Figure 10: bank phishing window

Figure 11: Credit card phishing window

Collecting login credentials

As mentioned above, the crucial step is to persuade the victim to enter their credentials into the forged login interface. The first thing the malware therefore has to do is determine which bank's app the user is running and what that bank's interface looks like.

The malware regularly checks which apps are running on the device, calls the getPackageName() API to retrieve the package name associated with each, and compares the value returned by this API against the following list of target application names:

Financial applications:

com.commbank.netbank
com.cba.android.netbank
au.com.nab.mobile
org.westpac.bank
org.stgeorge.bank
com.anz.android.gomoney
nz.co.kiwibank.mobile
nz.co.westpac
nz.co.bnz.droidbanking
nz.co.anz.android.mobilebanking
de.dkb.portalapp
dk.bec.android.mb1.b00037.prod
com.hangseng.servicemenuapp
com.scb.breezebanking.hk
com.citibank.mobile.hk
at.bawag.mbanking
at.erstebank.george
at.spardat.netbanking
com.bankaustria.android.olb
com.dbs
com.posb
com.ocbc.mobile
com.uob.mobile
com.paypal.android.p2pmobile
com.isis_papyrus.raiffeisen_pay_eyewdg
com.bbva.bbvacontigo
es.bancosantander.apps

Social and communication applications:

com.android.vending
com.google.android.music
com.whatsapp
com.viber.voip
com.instagram.android
com.skype.raider
com.google.android.gm

Figure 12: getting the package names of running processes

If a matching application is found running on the infected device, the responsible class displays the counterfeit login page.

Figure 13: flow for displaying the forged login page

The video below shows how users' online banking credentials are stolen once their phone is infected. We hope this recording of a real attack is instructive:

Video 1: DBS phishing scenarios

In the video, when the real DBS application is launched, the victim sees a fake DBS login screen. The victim is then asked to log in twice. Finally, the victim is redirected to the genuine DBS application GUI.

The credentials captured on the fake login interface are sent by the malware to the C&C server:

Figure 14: sending stolen credentials

Intercept one-time password (OTP)

Banks often send a one-time password (OTP) by text message as a login credential in addition to the user ID and password. To capture the OTP, the attacker needs access to the victim's device, specifically the permission to read incoming SMS messages.

The malware registers itself as an SMS broadcast receiver with the Android operating system in order to capture OTPs. In theory, as long as the victim granted the corresponding permission during installation (it is explicitly declared in the manifest), the malware can do this with ease: every received SMS message can be hijacked and its content forwarded to the attacker's C&C server.

Figure 15: intercept all received SMS messages

Persistence Mechanism

We were also interested in how the malware's persistence mechanism works. From the manifest, we quickly located the entry points of the persistence mechanism: android.intent.action.BOOT_COMPLETED and android.intent.action.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE. Analyzing the decompiled source, however, is not straightforward, because the attackers obfuscated the Java code. The good news is that the obfuscation is easy to recognize, since only a small amount of junk code is mixed in with the real code.
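The SMS broadcast receiver from the previous section and the boot-time receivers just mentioned both show up in the manifest, alongside the device-administrator registration from the installation section. The following Python is an added example, not FortiGuard's detection logic or the trojan's code: it parses a manifest and reports which receivers match each of those three indicators. The manifest and its class names are constructed; the action strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators drawn from the article: device-admin receiver, SMS broadcast receiver
# (OTP theft) and boot-time receivers (persistence); requiring all three is an assumption.
INDICATORS = {
    "device_admin": {"android.app.action.DEVICE_ADMIN_ENABLED"},
    "sms_intercept": {"android.provider.Telephony.SMS_RECEIVED"},
    "persistence": {"android.intent.action.BOOT_COMPLETED",
                    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"},
}

def receiver_actions(manifest_xml: str) -> Dict[str, List[str]]:
    """Map each <receiver> class name to the intent actions it registers for."""
    root = ET.fromstring(manifest_xml)
    out: Dict[str, List[str]] = {}
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID_NS + "name", "?")
        out[name] = [a.get(ANDROID_NS + "name", "") for a in rcv.iter("action")]
    return out

def triage_manifest(manifest_xml: str) -> Dict[str, List[str]]:
    """For each indicator category, list the receivers whose actions match it."""
    hits: Dict[str, List[str]] = {k: [] for k in INDICATORS}
    for rcv, actions in receiver_actions(manifest_xml).items():
        for cat, wanted in INDICATORS.items():
            if wanted & set(actions):
                hits[cat].append(rcv)
    return hits

def matches_profile(manifest_xml: str) -> bool:
    """True only when device-admin, SMS and persistence receivers are all present."""
    return all(triage_manifest(manifest_xml).values())

# Constructed sample manifest imitating the fake "Flash Player"; class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeflash">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```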

After removing the junk code from the service starter, we noticed that the malware appears to avoid Russian users, which may indicate that the malicious code originates from Russia.

Figure 16: the manifest shows the class name of the persistence mechanism's entry point

Figure 17: the receiver is invoked when the phone boots

Figure 18: create a service processing function called from the receiver

As shown in Figure 18, the malware drops hidden files with hard-coded file names onto the SD card.

Figure 19: raw configuration data saved to a file on the SD card

Conclusion

Most Android malware apps are not installed automatically; they require user involvement to infect a device. So if you want to keep your device secure, be vigilant when downloading and updating applications. It is wise to download applications only from a secure and trusted source such as the Google Play Store.

Even so, malware authors will keep improving their phishing techniques to get users to download and update malware that looks like a legitimate app. Installing security software helps protect users' personal data and online transaction data on their devices.

FortiGuard detects this malware as Android/Acecard.B!tr and flags its C&C servers as Android.Acecard.

FortiGuard Lion Team

Related MD5 hashes:

76745ce873b151cfd7260e182cbfd404
702770d70c7aab793ffd6a107fd08dad
eeab2f9137c59efdfae5db2b2b93f178
d08b2f4d851b2505f4aed31ecfa53c2e
a7e28a9efc8a6acb02d65829a6d773c2

List of C&C servers:

http://37.235.48.177:34580
http://46.108.39.12:34580
http://5.196.243.6:34580
http://31.148.219.192:34580

STIX xml reports: https://github.com/fortiguard-lion/AceCard/blob/master/acecard.xml

How to delete malware

Step 1: Boot your phone or tablet into safe mode. Press and hold the power button until the phone prompts you to power off. Next, press and hold the power-off option until the phone asks whether to reboot into safe mode, then tap OK. If your device does not offer this option, search Baidu for how to enter safe mode on your phone model.

Figure 20: booting the phone into safe mode

Step 2: In safe mode, open the Settings menu and scroll to the Security options. Find the entry named "Device administrators" and tap it. The list of device administrators is now displayed. Deselect the malicious Adobe Flash Player app to disable it as a device administrator.

Figure 21: Find the application registered as the device administrator.

Step 3: Go to Settings, scroll to Apps and make sure the Downloaded tab is selected. Tap the malicious Adobe Flash Player app to open its App info page, tap Uninstall, and confirm.

Figure 22: uninstalling the banking Trojan

Step 4: Restart your phone in normal mode.

Further instructions on how to find the malware

Using a third-party file manager app or adb from the Android SDK, you can browse external storage such as the SD card and view hidden files (those whose names begin with a dot). Inspect each hidden file and look for file names similar to the one shown in Figure 19.

View any unknown or unseen applications from the device administrator list, as shown in Figure 21.

Editor's note

This editor is an Apple fan! Apple's iOS is more secure, whereas there are far too many Android versions and different models, each with its own mechanisms, which gives hackers more opportunities. How can we protect our privacy from infringement? Will our money be stolen? Will our lives be affected? Check for updates regularly and update the system promptly; do not use root permissions, or lock them down; run antivirus scans regularly; check 2cto regularly for the latest vulnerability information and check whether your phone is infected with viruses; and when paying, do not rush to get it over with. You must be careful not to give criminals an opening.
