
BankBot Found on Google Play and Targets Ten New UAE Banking Apps

  • Posted on: September 13, 2017 at 3:30 am
  • Posted in: Malware, Mobile
  • Author: Trend Micro

By Kevin Sun

The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced in January of this year and is reportedly an improved version of an unnamed open source banking malware that was leaked on an underground hacking forum. BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens that mimic existing banking apps to steal user credentials. BankBot is also capable of hijacking and intercepting SMS messages, which means it can bypass SMS-based two-factor authentication.

Throughout the year, BankBot has been distributed inside seemingly benign apps, some of which made their way onto popular app stores. In April and July of 2017, BankBot-infected apps were detected posing as entertainment and online banking apps on Google Play. More than twenty such apps were found and exposed during those months.

Recently we found five new BankBot apps, four of which made their way into the Google Play Store disguised as utility apps. Two of these were removed immediately, while the other two remained available long enough to be downloaded by a few users. One particular BankBot app was downloaded 5,000 to 10,000 times.

This newer BankBot variant targets legitimate apps from banks based in 27 different countries. Also, the total number of targeted apps increased from 150 to 160. Ten United Arab Emirates (UAE) banking apps were added to the list.

The latest version of BankBot will only work if the device meets three conditions:

  • The running environment is a real device
  • The device is not located in a Commonwealth of Independent States (CIS) country
  • An app of a targeted bank is installed on the device

New BankBot details and analysis

When BankBot is installed and running, it checks the package information of the apps installed on the infected device. If one of the targeted bank apps is present, BankBot connects to its C&C server and uploads the target’s package name and label. The C&C server then sends BankBot a URL from which it downloads the library containing the files used for the overlay webpage. This overlay page is displayed on top of the legitimate banking app and is used to steal the user’s credentials.

After BankBot downloads the library from the URL, it unpacks it into the app’s data directory (/data/data/packagename/files). Below is the message BankBot sends to the C&C server, its ‘send list’ of installed banking apps (the app5 map pairs each package name with the targeted bank):

```json
{
  "mod": "Motorola Nexus 6",
  "vers": "5.1.1",
  "app": "sky_flash",
  "fire": "cODqrG8XK04:APA91bGYbM7U2KI2f_f9zI0OL6Lc5a-vkNhNot9uEptDfhNCHbp05ONceCeV-HPk2F1tZA0zZ-S3YbptAq6V4Nnfl1GXe7g19ofWK-Wi9lD0N3qZf7nBJEptQOVs33WO8i3eCpOSrVbR",
  "dr": "4506126840cc9bf9",
  "loc": "US",
  "app5": {
    "%Android application Package Name1%": "%targeted bank1%",
    "%Android application Package Name2%": "%targeted bank2%",
    "%Android application Package Name3%": "%targeted bank3%"
  }
}
```

Figure 1. C&C response with library URL
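A defender-side triage helper, added here as an example and not code from the original post or from Trend Micro: it scans captured HTTP POST bodies for the ‘send list’ schema shown above (the mod/vers/app/fire/dr/loc/app5 fields) and extracts the device details and the banking packages the infected device reported. The sample captures, package names and token value are constructed for the example.

```python
import json

# Keys present in the BankBot 'send list' beacon shown above. "app5" maps the
# package name of each installed banking app to the targeted bank's label.
BANKBOT_BEACON_KEYS = {"mod", "vers", "app", "fire", "dr", "loc", "app5"}


def parse_bankbot_beacon(body: str):
    """Return device info and the reported banking packages for a body that
    matches the BankBot beacon schema, or None for anything else."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or not BANKBOT_BEACON_KEYS.issubset(data):
        return None
    apps = data.get("app5")
    if not isinstance(apps, dict) or not apps:
        return None
    return {
        "device_model": data["mod"],
        "android_version": data["vers"],
        "dropper_app": data["app"],
        "device_id": data["dr"],
        "country": data["loc"],
        # package names the infected device reported to the C&C server
        "targeted_packages": sorted(apps),
    }


def triage_captures(bodies):
    """Scan a list of captured POST bodies and return every beacon found."""
    return [b for b in (parse_bankbot_beacon(x) for x in bodies) if b is not None]


# Constructed sample captures (not real traffic): one BankBot-style beacon,
# one unrelated JSON body and one malformed body.
SAMPLE_BODIES = [
    json.dumps({"mod": "Motorola Nexus 6", "vers": "5.1.1", "app": "sky_flash",
                "fire": "EXAMPLE_FCM_TOKEN", "dr": "4506126840cc9bf9", "loc": "US",
                "app5": {"com.example.bank.one": "Example Bank One",
                         "com.example.bank.two": "Example Bank Two"}}),
    '{"event": "ping", "ts": 1505270400}',
    '{"mod": "truncated json"',
]

if __name__ == "__main__":
    for hit in triage_captures(SAMPLE_BODIES):
        print(hit)
```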

The C&C server acknowledges the download with the message “success” an hour after it happens. The delay could be a strategy the malware uses to avoid antivirus sandbox detection, or the server may simply be busy generating fake overlay webpages for the device token.

When the server is ready, or when it finishes preparing the webpages, it will send another URL to BankBot to get fake webpage data.

Figure 2. BankBot downloading overlay webpage

After the webpage is downloaded, BankBot monitors the device for the launch of the targeted banking application and displays the overlay webpage on top of the banking application’s screen when the app runs. The overlay makes victims think they are using their usual banking app, tricking them into entering their credentials on BankBot’s fake webpage.

BankBot shows unique behavior for UAE targets

When targeting UAE banking apps, this newer variant of BankBot includes an additional step. Instead of showing the fake overlay page directly, BankBot prompts the user to enter their phone number. The C&C server then sends a PIN code to the victim via Firebase Message. After entering the PIN, the victim is instructed to input bank details. Next, BankBot shows an “error screen” (even if the bank information is correct) and asks for the details again.

Figure 3. Fake Emirates banking app screen

The screens shown above, step by step:

  • Verification prompt
  • Input phone number
  • Input pin code from C&C
  • Input account credentials
  • Error message
  • Input account details again
  • Usual operations

Apparently, the author of BankBot wants to verify the banking details of their victims: the details are requested twice in case the user typed them incorrectly the first time. BankBot sends the stolen data to the C&C server only after the account information has been entered twice.

Figure 4. BankBot app on Google Play Store

BankBot seems to be widening its reach and experimenting with new techniques—which is a mounting concern because banking apps are growing more ubiquitous. According to a recent study, mobile banking users in the Middle East and Africa will exceed 80 million by 2017, while another report by ArabNet shows that users from UAE have the second highest rate of mobile banking adoption in MENA. As more people adopt this technology, the apps become attractive targets for cybercriminals.

To combat this threat, users should observe proper mobile safety and online account practices. Any device holding banking accounts should also be protected with effective and multilayered security. Users can strengthen their defenses with comprehensive antivirus solutions like Trend Micro™ Mobile Security for Android™ (available on Google Play), which blocks threats from app stores before they can be installed and cause damage to devices. Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

Indicators of Compromise

Files with the following hashes are associated with this threat:

  • 4D417C850C114F2791E839D47566500971668C41C47E290C8D7AEFADDC62F84C
  • 6FD52E78902ED225647AFB87EB1E533412505B97A82EAA7CC9BA30BE6E658C0E
  • AE0C7562F50E640B81646B3553EB0A6381DAC66D015BAA0FA95E136D2DC855F7
  • CF46FDC278DC9D29C66E40352340717B841EAF447F4BEDDF33A2A21678B64138
  • DE2367C1DCD67C97FCF085C58C15B9A3311E61C122649A53DEF31FB689E1356F

Updated September 15, 2017 3:45 AM

Some sentences modified to clarify technical concepts.
