Asacub

The Asacub Android banking Trojan was first identified in by Kaspersky Lab in June 2015 and was prevalent in attacks against Android devices into 2016. When it was first discovered, it was a simple phishing program managed remotely from a command and control server. Once it was installed, Asacub sent information, including a list of apps, the browser history, and contact lists to a remote C2. It could also send SMS messages to certain phone numbers and turn off the screen on demand. As Asacub evolved, new versions had increased capabilities. It could intercept or delete SMS messages, upload the device’s SMS history to a remote server, mute the device, keep the CPU in an active state, and provide console access. The Trojan added more functionality, employing phishing screens for certain mobile banking apps to steal credit card data, forward victims’ phone calls to a designated phone number, send USSD requests, and download and run files from malicious URLs. At the end of 2015 into 2016, the number of attacks using Asacub greatly increased. The Trojan can steal data, forward calls, take photos, and install other malware, including ransomware, onto infected Android devices. The NJCCIC recommends using a robust antivirus application to protect against Asacub and similar threats.

Reporting

  • February 2017: Kaspersky Lab attributes the spike in mobile malware to key developments, including attackers distributing the Asacub Trojan via SMS. (Kaspersky Lab)

Technical Details

  • Kaspersky Lab provides technical details on the Asacub Android banking Trojan, here.
One example of the Asacub variant. Image Source: Securelist

One example of the Asacub variant. Image Source: Securelist