It’s not uncommon for malware to have capabilities that protect it. These usually consist of routines that help keep it hidden. One particular mobile malware caught our attention with a unique combination that makes its attack stealthy and also gives it the capability to lock a user’s device. A similar routine was reported previously in our entry on Operation Emmental in terms of locking the victim’s phone. However, this new malware does so as a failsafe and without the use of external commands.
We acquired a sample of a fake banking app in Russia named Fanta SDK that is capable of changing the phone’s password when the user tries to remove or deactivate the application’s admin privileges. It also has a unique way of running its routine by waiting for certain commands before it launches its attack.
Users can get Fanta SDK from malicious URL links posing as a benign app such as “system”, as well as by downloading it from third-party app stores. The message contains a narrative urging users to download the latest version of the banking app immediately for security reasons.
Figure 1. Old Sberbank of Russia app (left) and the current logo also used by the fake app (right)
This app only activates if the original Sberbank app is installed on the phone; it does not target multiple banking apps. The malware also runs on all Android versions. Once the app has been installed, it waits for the user to go to the phone’s settings menu and then asks the user to run the app with admin privileges. Keep in mind that most legitimate apps do not request admin privileges. This is a common red flag users should catch early when dealing with mobile malware. When a user does grant the app admin privileges, the bank’s welcome page pops up and asks the user for their user ID and password.
The fake bank app’s welcome page showcases the current flat logo of Sberbank of Russia, which adds to its claim of legitimacy. Once the user inputs their credentials, the app communicates with hxxp://sook[.]ml as a source domain and uploads the user’s contact number and phone information.
After the initial log-in, the official app runs normally. However, with these credentials, the cybercriminal can now steal money silently in the background.
Figure 2. Stealing money in the background
Figure 3. Intercepting SMS messages
When users do realize that the app is malicious, they may try to uninstall it. They won’t be able to do this unless they first remove the admin privileges. When the user does so, the malware changes the phone’s password, locking users out of their devices.
It is not easy for users to unlock the device once the code has been set by the malware. One possible way is to delete the password key file from an ADB shell. But this requires the device to be rooted and USB debugging to be enabled. However, rooting a device is rare in real life for the following reasons:
- Few, if any, Android devices are rooted out of the box
- Not all Android devices can be rooted
- Rooting a device voids its warranty
When the above mentioned conditions are met, the user can connect the phone unit to a computer via USB cable, and type the following ADB commands:
- adb shell
- rm /data/system/password.key
One more noteworthy routine of Fanta SDK is that it also affects the Google Play Store app. If a device infected with Fanta SDK tries to run Google Play Store, Fanta SDK closes the app and launches a fake Google Play Store page with an ad claiming the user has won an iPhone 6, which then asks for the user’s bank card number and password.
Fanta SDK has been evolving rapidly over the past few months. Since its release in early December last year, the writer behind Fanta SDK has added more and more routines over time. Here is a summary of the malware’s recent changes:
|Version|First Appearance|Package Name|C&C Server|Changes|
|---|---|---|---|---|
| | | | |Bank account phishing through fake Google Play Store page, C&C communication, SMS and contact stealing|
|1.1|2015-12-29|com.googie.system|220.127.116.11:3000|C&C communication optimization|
|2.1|2016-02-04|com.fanta.services|18.104.22.168:3000|Ransom command added|
| | | | |Phishing pages pop up when users open the official Google Play Store app or the Sberbank app; acquires device admin when the user clicks Settings|
|2.3|2016-04-13|com.fanta.services|22.214.171.124:3000|Device admin protection with screen-locking routine|
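As an added triage example (not part of the original post and not Trend Micro’s tooling), the following Python matches the package names and C&C endpoints from the table above against `adb shell pm list packages` output and a list of observed outbound connections. Both input samples are constructed for the demonstration; the connection-log format is an assumption.

```python
import re

# Indicators taken from the version table above.
FANTA_PACKAGES = {"com.googie.system", "com.fanta.services"}
FANTA_C2 = {"220.127.116.11:3000", "18.104.22.168:3000", "22.214.171.124:3000"}

# Constructed sample of `adb shell pm list packages` output: one "package:<name>" per line.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.example.bank
package:com.fanta.services
package:com.google.android.gms
"""

# Constructed sample of outbound connections as "src -> dst:port" lines
# (assumed format, e.g. a summarised packet capture); 203.0.113.5 is a documentation address.
SAMPLE_CONNECTIONS = """10.0.0.7:41022 -> 18.104.22.168:3000
10.0.0.7:41023 -> 203.0.113.5:443
10.0.0.7:41024 -> 22.214.171.124:3000
"""


def installed_packages(pm_output: str) -> set:
    """Parse `pm list packages` output into a set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def suspicious_packages(pm_output: str) -> set:
    """Installed packages that match the Fanta SDK package names from the table."""
    return installed_packages(pm_output) & FANTA_PACKAGES


def c2_connections(conn_log: str) -> list:
    """Destination endpoints in the log that match the Fanta SDK C&C servers."""
    hits = []
    for line in conn_log.splitlines():
        m = re.search(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}:\d+)", line)
        if m and m.group(1) in FANTA_C2:
            hits.append(m.group(1))
    return hits


def triage(pm_output: str, conn_log: str) -> dict:
    """Combine both checks into one report for the analyst."""
    return {"packages": sorted(suspicious_packages(pm_output)),
            "c2": c2_connections(conn_log)}


if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT, SAMPLE_CONNECTIONS))
```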
Further investigation of the C&C server led us to the IP address 126.96.36.199. The IP address was a parking domain hosting several other malware families, including ransomware, RAMNIT, CRIDEX, and ZBOT. We are still investigating this domain in the hope of finding a link between the perpetrators behind the fake bank app and the other malware distributed from this IP address.
According to our research, the latest Sberbank app can detect malware while the old versions do not. We have already contacted Sberbank of Russia with regards to this issue.
We urge users of this app to update to or download the latest version from the bank’s main website. Users should also always refrain from tapping on links coming from spam or unknown SMS numbers. If a bank or credit provider requests that users download a new version of an app, do so securely by downloading the app from the provider’s main website.
The SHA1 hashes related to this threat can be found in this appendix.
With additional insights from Kenny Ye and Shawn Xing.
Update as of June 19, 2016, 8:30 PM (UTC -7)
We updated this entry to revise the descriptions of the bank’s logo and interface. The Sberbank logo that uses the flat icon is the current version, not the old one as previously reported.