SlemBunk: Android Trojan family targeting Global Bank APP users

SlemBunk: Android Trojan family targeting Global Bank APP users

FireEye's mobile researcher recently discovered a series of Android Trojans, these programs execute a series of malicious behaviors, called "SlemBunk", by imitating valid apps (including 31 banking applications and 2 mobile payment applications) of 33 global financial management institutions and service providers ". Currently, the main impact is in the United States, Europe and Asia Pacific.

The SlemBunk program is disguised as a common and popular application. After the first run, it is hidden in the device. When a user opens a specific bank or similar application, it can perform phishing attacks and collect user certificates. It is certain that the servers that collect information are still active.

Currently, no SlemBunk instance has been found in the Google App Store. Therefore, infected users may copy or download malware from malicious websites. New versions have been found in many pornographic websites. These websites are constantly prompted to require users to download Adobe Flash to watch pornographic videos, while users actually download malware.

According to a comprehensive investigation of SlemBunk, more than 170 samples have been found, which show a series of features and behaviors:

1. customized login interfaces based on a variety of financial management services; 2. running in the background, monitoring processes in progress; 3. Detecting the startup of specific legal applications, intelligently display the corresponding forged login interface; 4. Collect User Certificates and send them to remote NC servers; 5. collect sensitive device information and send it to the NC server, including the phone number, application installation list, device model, and operating system version. 6. receive and execute commands in text messages and network traffic. 7. Continuously infect the device with the administrator privilege.

In addition, based on the comparison with the previous sample, we found that the new version adds more advanced features to support malicious behaviors, including:

The samples are constantly changed by using remote servers. More financial service applications are added to the list, including their logon interfaces and logic. Different Levels of fuzzy mechanisms are used to escape detection.

Technical details

Main Components

When a specific application runs on the front-end, SlemBunk uses the forged login interface to obtain the identity authentication certificate of a financial institution. Shows the main components of SlemBunk.

Main Components of SlemBunk

Is the execution process of malware. When a malware is started for the first time, it activates the registration receiver and then starts the background monitoring process. At the front-end, a counterfeit user interface is displayed, requesting device management permissions. After obtaining the management permission, it will delete its icon from the initiator, but it is still running in the background. When a specific application is detected to be running on the foreground, it uses the response user interface to request an authentication certificate.

 

SlemBunk Workflow

A Service (MainService) That SlemBunk runs in the background for a long time executes a series of tasks. One of them is to query all running processes and check whether there are specific applications. The method used is to match the package name of the currently running application.

Remote Communication

SlemBunk uses a remote communication mechanism to allow the server to direct and control malware. There are two ways to communicate with the remote server:

1. HTTP: In earlier samples, the IP addresses of many remote servers are hard-coded in the source code. In the new version, SlemBunk uses Base64 encoding to defend against reverse engineering. The decoded code snippet.

Decoded code snippet

There are three types of requests sent from the client of malware to the server:

Initial Registration: This request uploads device data to the server and notifies the server that the malware has been successfully installed and run.

Regular status report: This request reports status information to the server, including the status of the monitored and intercepted SMS messages, phone number, and screen lock status. The traffic of the captured process.

Traffic of the Process captured

Phishing data upload: malware uploads the obtained user certificate to the server.

2. SMS: remote servers use text messages to control malware behaviors. For example, "intercept_sms_stop" is to stop text message interception, "intercept_sms_start" is to start interception, and the "lock" command weakens the audio system of the device. The "wipe_data" command will erase all data partitions of the device.

SMS commands and Control

Summary

The development of SlemBunk Trojans fully demonstrates that mobile phone malware has become increasingly complex and targeted and more organized. To protect your information security, you can take the following measures:

1. Do not install unexpected applications in the official app store.

2. Keep the operating system of the device updated at any time.

3. Check the applications running on the background in time if any abnormal behavior is detected on the device.