Additional analysis by Joachim Capiral
Mobile banking is used by more and more people, so it should be no surprise that banking Trojans are targeting these users as well. We have seen spammed emails posing as an update notification for the official PayPal app. The emails ask the user to click a link to download the update; judging by the language used, users in Germany are the target of this spam run.
Figure 1. Mail with link to PayPal app update
As with most spam campaigns, this mail was sent to its German targets from multiple IP addresses in different countries. 41% of the sending addresses were in Vietnam, with Ukraine, Russia, Brazil and India accounting for most of the remainder. Some variants of this message were sent more than 14,000 times.
The links in these messages lead to a mobile banking Trojan that targets various banks and financial institutions. The malicious app is not hosted on the Google Play store. Aside from PayPal, the apps of several high-profile European banks are targeted as well; their names appear in configuration files downloaded by the malicious app. We detect this as AndroidOS_Marchcaban.HBT.
If the user does download and install the app, it first asks to be made a “Device Administrator”. This does not make the app a system administrator, but it does let the app enforce device policies, and, more importantly, a device administrator cannot be uninstalled through the normal settings until its admin status is revoked. This is a technique we have seen in other Android malware, where it is used to make the app difficult to remove.
Among the device-admin policies it requests are changing the screen-lock password, setting password rules, locking the screen and encrypting stored application data. None of these is needed by a payment app, and all are red flags that this is a malicious app rather than a legitimate one.
Figure 2. Malicious app as installed on the home screen
Figure 3. Malicious app asking for device administrator privileges
Even if the user does not grant device administrator privileges, the app still removes its icon from the launcher and keeps running as a background service. With no icon to tap, it is very hard for the user to interact with the app or remove it.
Figure 4. Code to remove app from the launcher
The background service also polls which app is currently in the foreground. This lets the malware time its UI hijacking.
Figure 5. Code in app to monitor app activity
Once the malware detects that the real PayPal app is in the foreground, it draws a fake login screen on top of it, effectively hijacking the session and stealing the user’s PayPal credentials.
Figure 6. Code in app to perform UI hijacking
The malware also intercepts and filters incoming SMS messages, so that the user never sees messages (such as bank notifications) that could reveal the app’s presence.
Figure 7. Malicious code to intercept and filter SMS messages
The malware can also place phone calls in response to commands received via SMS.
Figure 8. Malicious code to prompt phone call UI based on received commands
Aside from PayPal, the code also targets other banking apps, such as that of Commerzbank, a major German bank.
Figure 9. Code targeting the Commerzbank app
We have identified more than 200 malicious apps belonging to this malware family. They carry different app labels, and some have nothing to do with banking at all: they pose as Flash Player apps, games, and even adult apps.
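When sorting through a batch of samples like this, the manifest alone already exposes most of the behaviour described above: the device-admin receiver, the high-priority SMS receiver used to read and suppress messages, and the call and overlay permissions. The script below is an added example and not the malware’s code or Trend Micro’s tooling; it parses a decoded AndroidManifest.xml (for example, as produced by apktool) and reports those indicators. Both manifests in it are constructed for illustration, and the priority threshold and verdict rule are this script’s own assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicators discussed
in this post: device-admin receiver, high-priority SMS receiver, and the
call/overlay permissions. Added example; manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree key for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions that, taken together, fit an SMS-stealing overlay banker.
SUSPECT_PERMS = {
    "android.permission.RECEIVE_SMS": "reads incoming SMS (mTAN / alert interception)",
    "android.permission.SEND_SMS": "sends SMS (replies to C&C)",
    "android.permission.CALL_PHONE": "places calls on command",
    "android.permission.GET_TASKS": "enumerates the foreground app (overlay trigger)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (fake login UI)",
}
# Assumed threshold: a receiver this high in the ordered SMS_RECEIVED broadcast
# runs before the stock messaging app and (before Android 4.4) can call
# abortBroadcast() so the user never sees the message.
SMS_HIJACK_PRIORITY = 999


def triage_manifest(xml_text):
    """Return a list of 'LEVEL: description' findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    for perm, why in SUSPECT_PERMS.items():
        if perm in perms:
            findings.append("MED: %s - %s" % (perm, why))
    app = root.find("application")
    if app is None:
        return findings
    for recv in app.iter("receiver"):
        name = recv.get(android_attr("name"))
        actions = {act.get(android_attr("name")) for act in recv.iter("action")}
        is_admin = (recv.get(android_attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
                    or "android.app.action.DEVICE_ADMIN_ENABLED" in actions)
        if is_admin:
            findings.append("HIGH: device-admin receiver %s - blocks plain uninstall, "
                            "can lock screen and set password rules" % name)
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = max((int(f.get(android_attr("priority"), "0"))
                        for f in recv.iter("intent-filter")), default=0)
            if prio >= SMS_HIJACK_PRIORITY:
                findings.append("HIGH: SMS receiver %s at priority %d - can read and "
                                "abort incoming SMS before the user sees them" % (name, prio))
    return findings


def verdict(findings):
    """Assumed rule: 'suspect' when a HIGH indicator is backed by two more findings."""
    high = sum(1 for f in findings if f.startswith("HIGH:"))
    return "suspect" if high >= 1 and len(findings) >= 3 else "no strong indicator"


# Constructed manifest in the shape of the banker described in the post.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MonitorService"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary SMS app: reads SMS at default priority only.
SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sms">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messages">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("banker", BANKER_MANIFEST), ("sms app", SMS_APP_MANIFEST)):
        found = triage_manifest(manifest)
        print("%s: %s" % (label, verdict(found)))
        for line in found:
            print("  " + line)
```

The two HIGH findings are the ones worth acting on: a device-admin receiver in an app that claims to be a payment client, and an SMS receiver pinned at the maximum priority. A single RECEIVE_SMS permission on its own, as in the second manifest, is normal for a messaging app and is deliberately not enough to trigger a verdict.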
Avoiding infection by this particularly nasty malware is easy enough. Here are some tips:
- Never act on suspicious emails or spam, especially when they ask you to download, open or click something.
- Only install apps from official app stores. By default, Android does not allow apps to be installed from sources other than the Google Play store; unless you know what you are doing, do not change this setting.
- Always check the permissions an app asks for before granting them. If they are excessive (a payment app has no reason to read your SMS or become a device administrator) or leave you in doubt, refuse.
- Install a security solution on your mobile device to safeguard against malware such as this.