Android malware that targets large German banks by masquerading as an email application and avoids detection from mobile anti-virus software has been discovered by Fortinet’s security team.
By asking for a variety of administrator privileges the trojan horse email app can gain the ability to configure storage encryption and lock the screen.
The malware can also gain the ability to send and receive SMS messages, which lets it bypass text-message-based two-step verification if that technique is enabled on an infected Android smartphone.
Breaking mobile banking
Once the malware is installed on an Android device it carries out a trio of tasks. The first and most pertinent feature is the malware’s ability to monitor all the processes on an infected smartphone and detect when a legitimate banking app is launched. When it does, it overlays a fake banking interface on top of the real app and harvests the user’s details.
The feature, dubbed GPService2, also works to hinder mobile anti-virus apps and services. It detects when such an app is launched and checks it against a list of anti-virus apps; if the app is on the list, the malware forces the user back to the home screen so the app or service never gets a chance to start.
GPService2 also handles communication with the command and control server used by the hacker or cyber criminal: the server can push additional malicious code payloads to the trojan, and the trojan feeds the stolen data back to it.
The second feature is the FDService, which runs in the background and targets apps contained on a list coded into the trojan, meaning the malware can be tailored to target specific apps once it infects a phone.
Fortinet’s IPS Analyst Kai Lu said the trojan the security company discovered had an empty list, but speculated it could be tailored by a hacker to target specific apps.
“The author probably intends to add new targeted apps in the future. We speculate that it may also include some popular social media apps. It then prompts the user with a fake Google Play card screen overlay that resembles the legitimate app when that app is launched,” Lu explained.
Fortinet also discovered a list with 15 German banking apps on it, and noted that future versions of the trojan could be used to target other banks.
The third key feature is the AdminRightsService, which, as the name suggests, tricks Android smartphone users into granting the trojan a variety of administrative permissions.
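The three services described above map onto a recognisable set of manifest-level capabilities: device administrator rights, SMS send/receive, the ability to see which app is in the foreground, and the ability to draw over other apps. The following triage script is an added example written for this article; it is not Fortinet’s code and not taken from the malware. It parses an AndroidManifest.xml (two constructed sample manifests are embedded: a fake “mail” app with the profile described here, and a benign mail client) and flags the combination for analyst review. The permission and action names are real Android identifiers; the capability groupings and the scoring thresholds are the author’s assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Capability groups matching the behaviours the article describes.
# Grouping is an assumption made for this example, not an Android-defined category.
CAPABILITIES = {
    "sms_interception": {          # read/send SMS: defeats SMS two-step verification
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "foreground_app_monitoring": { # needed to notice when a banking app is launched
        "android.permission.GET_TASKS",
        "android.permission.PACKAGE_USAGE_STATS",
    },
    "screen_overlay": {            # needed to draw a fake login screen over the real app
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}


def parse_manifest(xml_text):
    """Return (set of requested permissions, True if a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}
    # A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN
    # that listens for the DEVICE_ADMIN_ENABLED action.
    device_admin = False
    for rcv in root.iter("receiver"):
        if rcv.get(PERM_ATTR) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        for action in rcv.iter("action"):
            if action.get(NAME_ATTR) == "android.app.action.DEVICE_ADMIN_ENABLED":
                device_admin = True
    return perms, device_admin


def assess(xml_text):
    """Score a manifest against the overlay-banker profile.

    Thresholds are an assumption: one capability alone is common in legitimate apps
    (SMS clients, launchers, accessibility tools), so only a stack of them is escalated.
    """
    perms, device_admin = parse_manifest(xml_text)
    found = {}
    for cap, wanted in CAPABILITIES.items():
        hit = sorted(perms & wanted)
        if hit:
            found[cap] = hit
    if device_admin:
        found["device_admin"] = ["android.permission.BIND_DEVICE_ADMIN"]
    score = len(found)
    verdict = "review" if score >= 3 else ("watch" if score >= 1 else "ok")
    return {"capabilities": found, "score": score, "verdict": verdict}


# Constructed sample: a "mail" app requesting the profile described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakemail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Mail">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary mail client.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Mail"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("fake mail app", SUSPICIOUS_MANIFEST), ("benign mail app", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

Run against a real APK, the manifest must first be decoded from its binary form (for example with `apktool` or `androguard`); the script only consumes the decoded XML. A hit is a reason to look closer, not a conviction: the same permission stack appears in some legitimate messaging and device-management apps, so the analyst still has to confirm the overlay and SMS-handling code paths.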
Trojans that target banks in specific countries appear to be on the rise, with the Zeus malware aimed at Russian banks and used to target financial transactions in Brazil amidst the Rio 2016 Olympic Games earlier this year.