BankBot/Spy Banker

BankBot, as it is known by Dr. Web, and Spy Banker, as it is known by ESET, is an Android Trojan that malware authors developed after using the leaked source code of another unnamed Android banking Trojan in December 2016. Dr. Web researchers discovered the first campaign targeting Russian banks. The Trojan masquerades as legitimate mobile applications, such as Google apps displaying the Google Play Store icon. Once downloaded, Bankbot deletes its icon from the home screen and runs quietly in the background until the user opens a mobile banking or social media app. Next, it displays a fake login overlay, requesting the user to re-authenticate or re-enter payment details for various mobile applications including, but not limited to: Facebook, Viber, Youtube, WhatsApp, Snapchat, WeChat, imo, Instagram, Twitter, and the Google Play Store. Then, it collects the data and sends it to online servers to be organized neatly into a table that is accessible by the attacker. Once the payment details are exfiltrated, the attacker can initiate banking transactions. BankBot can intercept and delete SMS messages to prevent victims from receiving any notifications from their banks. The Trojan can also send SMS and USSD requests, obtain victims’ contact lists, track victims’ GPS locations, and request additional permissions via popups for the latest Android OS versions.

In February 2017, ESET researchers discovered a second campaign in which, what they refer to as “Spy Banker,” was embedded in a Trojanized version of the otherwise legitimate “Good Weather” app. It infiltrated the Google Play Store on February 4, 2017 but was removed two days later after researchers at ESET notified Google; however, during this time, it was installed on approximately 5000 user devices. The app allows remote attackers to lock and unlock the device and intercept SMS messages. After the app is installed, the app icon disappears and displays a fake system screen requesting device administrator rights on behalf of a fake “system update.” If the victim enables these rights, the malware can change the screen-unlock password and lock the screen. The malware shares device information with its C2 server and receives commands, including those directing it to harvest banking credentials. It then displays a fake login screen from one of the targeted banking apps and sends the intercepted data to the attacker. It targeted the users of 22 Turkish mobile banking apps, whose credentials were harvested using fake login forms. Additionally, with the ability to intercept the victim’s text messages, the attackers can bypass user’s two-factor enabled accounts and lock the infected device’s screen while conducting malicious activity in the background.

ESET discovered a third campaign, very similar to the second, in which the malware cloned the legitimate app, “Global Weather,” displayed as “Weather.” The malware is configured to target mobile apps of 69 banks from Austria, Germany, Turkey, and the United Kingdom. It shows notifications luring users into accessing their mobile apps, then displays a fake login screen. The malware has the capability to lock the user’s device and intercept SMS messages for the ability to bypass two-factor authentication.

According to ESET researchers, the malware’s backend features different version numbers for the three campaigns: versions 1.0, 1.1, and 1.2. It is currently unknown if the same actors are behind all three campaigns. To protect against similar threats, do not grant apps permissions beyond those necessary for the app to do its intended function, and avoid side-loading apps from unofficial app stores.

Reporting

  • January 2017: Android banking Trojan Source Code Leaked Online, Leads to New Variation, BankBot. (BleepingComputer)
  • February 2017: Malware used to create malicious “Good Weather” app found in Google Play store. (ESET)
  • February 2017: New variant masquerading as another legitimate weather app, “World Weather.” (ESET)
  • April 2017: Targeting apps of over 400 financial institutions globally as well as popular online payment apps, such as PayPal. The malicious actors have repeatedly succeeded in making the trojanized apps available on the Google Play Store, bypassing its security protections. (Helpnet Security)
  • July 2017: 20 more BankBot mobile malware apps make it into Google Play Store. (Security Intelligence)
  • August 2017: The "Earn Real Money Gift Cards" application, available in the Google Play Store, is infected with the BankBot malware. (Zscaler)
  • September 2017: BankBot found on Google Play targeting ten new UAE banking apps. (Trend Micro)
  • November 2017: BankBot found in flashlight and solitaire apps, targeting the banking apps of Wells Fargo, Chase, and Citibank. (Avast)

Technical Details

  • Dr. Web provides technical details of the BankBot Android banking Trojan, here.
  • ESET researchers provide technical details on the Spy Banker malware, here.