Android Banking Trojan BankBot Masquerading as Legitimate Apps in Google Play Store
Security researchers from cybersecurity firms Avast, ESET, and SfyLabs discovered a new version of BankBot masquerading as legitimate mobile applications that were available for download from the Google Play Store as recently as November 17. BankBot, a banking trojan that targets the Android OS, is used by threat actors to obtain login credentials to victims’ financial accounts. Designed to resemble flashlight apps, solitaire game apps, and system cleaning apps, this new version of BankBot initially went undetected by the Google Play Store’s scanners and was downloaded thousands of times before it was removed from the official app store. Once installed on a device, the malicious app attempts to fool the victim into granting it administrative privileges and, if granted, it downloads a payload from its command and control server. If the download is successful, BankBot will generate an overlay every time the victim opens a legitimate banking app. If the victim enters his or her login credentials into the overlay, BankBot sends them to the criminals behind the campaign along with any associated SMS messages containing authentication codes or mobile transaction numbers. While this is not the first time a fraudulent and malicious app has been discovered in an official app store, this campaign highlights the need for additional scrutiny by those who download and review new applications for mobile devices. The NJCCIC recommends all users who downloaded the associated fraudulent apps uninstall them immediately, perform a factory reset of their device, and ensure their mobile device software is up-to-date. We also recommend Android OS mobile device users go into their device settings and disable or disallow the installation of non-market applications. Doing so will protect the device from risky and unintended installations of apps from third-party sources. We also want to remind mobile device users to exercise caution even when downloading apps from official app marketplaces, as they have been increasingly targeted by similar campaigns.