FakeBank

FakeBank is an Android Trojan first discovered in 2013 that opens a backdoor and steals information from the compromised device. The Trojan loads onto the victim's device masquerading as a Google Play Store application and requests unnecessary permissions, including: 

  • write to external storage devices, 
  • mount and unmount file systems for removable storage, 
  • monitor, read, and send SMS messages, 
  • install shortcuts, 
  • open network connections, and 
  • read contact data. 

Once installed, FakeBank checks whether certain online banking applications are installed. If any are discovered, the Trojan deletes the legitimate app and installs a malicious version. In March of this year, FakeBank was updated to include the additional function of call-barring, preventing victims from using their infected devices to cancel payment cards and alert their banks about possible fraud. The Trojan registers a BroadcastReceiver component that is notified every time the victim attempts an outgoing call. If the number is a known phone number of a bank's customer service center, the malware cancels the call. Currently, the call-barring feature of FakeBank only impacts customers of Russian and South Korean banks. 
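For triage, the permission set and the outgoing-call receiver described above can be checked against an app's decoded AndroidManifest.xml. The following is an added example, not code from Symantec or from the original profile. It assumes the manifest has already been decoded to text, that the listed permissions map to the manifest names shown, and that the receiver is declared for the standard android.intent.action.NEW_OUTGOING_CALL broadcast, which the profile does not name.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Manifest names for the permissions the profile lists (mapping chosen for this example).
PROFILE_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
}
# Assumption: the call-watching receiver is declared for the standard outgoing-call broadcast.
OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"

def triage_manifest(manifest_xml):
    """Compare a decoded AndroidManifest.xml against the traits in the profile."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    receivers = [r.get(NAME) for r in root.iter("receiver")
                 if any(a.get(NAME) == OUTGOING_CALL for a in r.iter("action"))]
    missing = sorted(PROFILE_PERMISSIONS - requested)
    return {
        "missing_permissions": missing,
        "call_receivers": receivers,
        # Escalate only when the full permission set and a call receiver coincide.
        "escalate": not missing and bool(receivers),
    }

def sample_manifest(permissions, call_receiver):
    """Build a constructed manifest for demonstration; not taken from a real sample."""
    perms = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    recv = ('<receiver android:name=".CallWatcher"><intent-filter>'
            f'<action android:name="{OUTGOING_CALL}"/></intent-filter></receiver>'
            if call_receiver else "")
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed">{perms}<application>{recv}</application></manifest>')

if __name__ == "__main__":
    print(triage_manifest(sample_manifest(sorted(PROFILE_PERMISSIONS), True)))
    print(triage_manifest(sample_manifest(["android.permission.INTERNET"], True)))
```

A receiver can also be registered at runtime in code rather than in the manifest, so a result without a call receiver does not clear an app.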

Reporting 

  • November 2016: FakeBank is spreading on Android devices disguised as a one-time password generator app used for banking applications. Perpetrators can steal victims’ banking credentials and take over their phones by installing the TeamViewer QuickSupport app. (Neurogadget)
     
  • November 2016: The Trojan uses a mechanism to bypass Android’s Doze function — a whitelist of applications permitted to function in the phone’s background when the device is in sleep mode — in order to stay connected to its command and control (C2) servers and continue its malicious activities. (BleepingComputer)
     
  • July 2016: Call-barring functionality added. (Symantec)

Technical Details 

  • Symantec provides technical details on the FakeBank Trojan, available here.
 

Image Source: AVG