By Kevin Sun
The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced January of this year and is reportedly the improved version of an unnamed open source banking malware that was leaked in an underground hacking forum. BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens to mimic existing banking apps and steal user credentials. BankBot is also capable of hijacking and intercepting SMS messages, which means that it can bypass SMS-based 2-factor authentication.
Throughout the year, Bankbot has been distributed as benign apps, some of which made their way onto popular app stores. In April and July of 2017, Bankbot-infected apps were detected posing as entertainment and online banking apps on Google Play. More than twenty were found and exposed during the said months.
Recently we found five new Bankbot apps, four of which made their way into the Google Play Store disguised as utility apps. Two of these were removed immediately, while the other two were made available long enough to be downloaded by a few users. One particular BankBot app was downloaded 5000-10000 times.
This newer BankBot variant targets legitimate apps from banks based in 27 different countries. Also, the total number of targeted apps increased from 150 to 160. Ten United Arab Emirates (UAE) banking apps were added to the list.
The latest version of BankBot will only work if the device meets three conditions:
- The running environment is a real device
- The location of the device is not in Commonwealth of Independent States (CIS) countries
- An app of a targeted bank is installed on the device
New BankBot details and analysis
When BankBot is installed and running, it will check the package information of apps installed on the infected device. If one of the target bank apps is available, BankBot will connect to its C&C server and upload the target’s package name and label. The C&C server will send a URL to BankBot so it can download the library that contains files used for the overlay webpage. This overly page is displayed on top of the legitimate banking app and used to steal the user’s credentials.
After BankBot downloads the library from the URL, it will unpack to the APK directory (/data/data/packagename/files). Below is the code showing BankBot’s ‘send list’ of installed banking apps:
{
“mod”: “Motorola Nexus 6”,
“vers”: “5.1.1”,
“app”: “sky_flash”,
“fire”: “cODqrG8XK04:APA91bGYbM7U2KI2f_f9zI0OL6Lc5a-vkNhNot9uEptDfhNCHbp05ONceCeV-HPk2F1tZA0zZ-S3YbptAq6V4Nnfl1GXe7g19ofWK-Wi9lD0N3qZf7nBJEptQOVs33WO8i3eCpOSrVbR”,
“dr”: “4506126840cc9bf9”,
“loc”: “US”,
“app5”: {
“%Android application Package Name1%”: “%targeted bank1%”,
“%Android application Package Name2%”: “%targeted bank2%”,
“%Android application Package Name3%”: “%targeted bank3%”
}
Figure 1. C&C response with library URL
The C&C server will acknowledge the download with the message “success” an hour after it happens. The delay could either be a strategy the malware uses to avoid antivirus sandbox detection, or it is simply busy generating fake overlay webpages for the device token.
When the server is ready, or when it finishes preparing the webpages, it will send another URL to BankBot to get fake webpage data.
Figure 2. BankBot downloading overlay webpage
After the webpage is downloaded, Bankbot monitors the device for the launch of the target banking application and will display the overlay webpage on top of the banking application screen when the app runs. The overlay will make victims think they are using their usual banking app, tricking them into entering their credentials on BankBot’s fake webpage.
BankBot shows unique behavior for UAE targets
When targeting UAE banking apps, this newer variant of BankBot includes an additional step. Instead of showing the fake overlay page directly, BankBot will prompt the user to enter their phone number. Then the C&C server will send a pin code to the victim via Firebase Message. After entering the pin, the victim is instructed to input bank details. Next, BankBot will show an “error screen” (even if bank information is correct) and ask for the details again.
Figure 3. Fake Emirates banking app screen
Details below provide a step-by-step description of the above images:
- Verification prompt
- Input phone number
- Input pin code from C&C
- Input account credentials
- Error message
- Input account details again
- Usual operations
Apparently, the author of BankBot wants to verify the banking details of their victims. They ask for the details twice, just in case users input it incorrectly at first. BankBot will send the stolen data to the C&C server only after account information is entered twice.
Figure 4. BankBot app on Google Play Store
BankBot seems to be widening its reach and experimenting with new techniques—which is a mounting concern because banking apps are growing more ubiquitous. According to a recent study, mobile banking users in the Middle East and Africa will exceed 80 million by 2017, while another report by ArabNet shows that users from UAE have the second highest rate of mobile banking adoption in MENA. As more people adopt this technology, the apps become attractive targets for cybercriminals.
To combat this threat, users should observe proper mobile safety and online account practices. Any device holding banking accounts should also be protected with effective and multilayered security. Users can strengthen their defenses with comprehensive antivirus solutions like Trend Micro™ Mobile Security for Android™ (available on Google Play) blocks threats from app stores before they can be installed and cause damage to devices. Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
Files with the following hashes are associated with this threat:
- 4D417C850C114F2791E839D47566500971668C41C47E290C8D7AEFADDC62F84C
- 6FD52E78902ED225647AFB87EB1E533412505B97A82EAA7CC9BA30BE6E658C0E
- AE0C7562F50E640B81646B3553EB0A6381DAC66D015BAA0FA95E136D2DC855F7
- CF46FDC278DC9D29C66E40352340717B841EAF447F4BEDDF33A2A21678B64138
- DE2367C1DCD67C97FCF085C58C15B9A3311E61C122649A53DEF31FB689E1356F
Updated September 15, 2017 3:45 AM
Some sentences modified to clarify technical concepts.
