BankBot, as it is known by Dr. Web, and Spy Banker, as it is known by ESET, is an Android Trojan that malware authors developed after using the leaked source code of another unnamed Android banking Trojan in December 2016. Dr. Web researchers discovered the first campaign targeting Russian banks. The Trojan masquerades as legitimate mobile applications, such as Google apps displaying the Google Play Store icon. Once downloaded, Bankbot deletes its icon from the home screen and runs quietly in the background until the user opens a mobile banking or social media app. Next, it displays a fake login overlay, requesting the user to re-authenticate or re-enter payment details for various mobile applications including, but not limited to: Facebook, Viber, Youtube, WhatsApp, Snapchat, WeChat, imo, Instagram, Twitter, and the Google Play Store. Then, it collects the data and sends it to online servers to be organized neatly into a table that is accessible by the attacker. Once the payment details are exfiltrated, the attacker can initiate banking transactions. BankBot can intercept and delete SMS messages to prevent victims from receiving any notifications from their banks. The Trojan can also send SMS and USSD requests, obtain victims’ contact lists, track victims’ GPS locations, and request additional permissions via popups for the latest Android OS versions.
In February 2017, ESET researchers discovered a second campaign in which, what they refer to as “Spy Banker,” was embedded in a Trojanized version of the otherwise legitimate “Good Weather” app. It infiltrated the Google Play Store on February 4, 2017 but was removed two days later after researchers at ESET notified Google; however, during this time, it was installed on approximately 5000 user devices. The app allows remote attackers to lock and unlock the device and intercept SMS messages. After the app is installed, the app icon disappears and displays a fake system screen requesting device administrator rights on behalf of a fake “system update.” If the victim enables these rights, the malware can change the screen-unlock password and lock the screen. The malware shares device information with its C2 server and receives commands, including those directing it to harvest banking credentials. It then displays a fake login screen from one of the targeted banking apps and sends the intercepted data to the attacker. It targeted the users of 22 Turkish mobile banking apps, whose credentials were harvested using fake login forms. Additionally, with the ability to intercept the victim’s text messages, the attackers can bypass user’s two-factor enabled accounts and lock the infected device’s screen while conducting malicious activity in the background.
ESET discovered a third campaign, very similar to the second, in which the malware cloned the legitimate app, “Global Weather,” displayed as “Weather.” The malware is configured to target mobile apps of 69 banks from Austria, Germany, Turkey, and the United Kingdom. It shows notifications luring users into accessing their mobile apps, then displays a fake login screen. The malware has the capability to lock the user’s device and intercept SMS messages for the ability to bypass two-factor authentication.
According to ESET researchers, the malware’s backend features different version numbers for the three campaigns: versions 1.0, 1.1, and 1.2. It is currently unknown if the same actors are behind all three campaigns. To protect against similar threats, do not grant apps permissions beyond those necessary for the app to do its intended function, and avoid side-loading apps from unofficial app stores.
- January 2017: Android banking Trojan Source Code Leaked Online, Leads to New Variation, BankBot. (BleepingComputer)
- February 2017: Malware used to create malicious “Good Weather” app found in Google Play store. (ESET)
- February 2017: New variant masquerading as another legitimate weather app, “World Weather.” (ESET)
- April 2017: Targeting apps of over 400 financial institutions globally as well as popular online payment apps, such as PayPal. The malicious actors have repeatedly succeeded in making the trojanized apps available on the Google Play Store, bypassing its security protections. (Helpnet Security)