New variants of android banking malware target even more German banks, popular social media apps, and more
Summary
In my previous blog I provided a detailed analysis of a new android banking malware that spoofed the mobile applications of several large German banks to trick users into revealing their banking credentials. This week I found several new variants of this growing malware, and in this update I am sharing these new findings.
Install the malware
One of these variants masquerades as another German mobile banking app. Once installed, its icon appears in the launcher, with the malware app icon appearing fairly similar to the bank’s legitimate app icon.
As in the previously reported variants of this malware, once the user launches the malware app it requests the device administrator rights, as shown below.
Figure 1. Requesting device administrator rights
Collecting device info
Once the malware application is installed, device information is collected and sent to the attacker’s server. The following is a capture of the device traffic. We can see that the malware version becomes “061116xxxxx,” showing that it is masquerading as the targeted bank app in order to launch an attack.
Figure 2. Malware device traffic capture
Targeting Google Play to steal the credit card info
In addition to targeting banks, this new malware variant includes the following key code snippet that also adds Google Play as a targeted app.
Figure 3 Malware targeting Google Play
In the previous blog, we showed that the variable a.c was empty. We speculated that it would be used for future malware activity. This variant has added Google Play as a target. We believe that the attacker is likely to continue to additional new targets.
As in other versions of this malware, when the user launches Google Play app for the first time it creates a screen overlay on top of the Google Play app, as shown in Figure 4.
Figure 4. A screen overlay on Google Play
It lures the user to input their credit card information (card number, holder name, expiration data, and CCV), as shown in Figure 5.
Figure 5. Input the visa card info
Once the user submits their credit card info, the malware sends this info to its C2 server. The traffic is shown below.
Figure 6. Send the credit card info to C2 server
Figure 7. The screen overlay of “Verified by Visa”
The malware is then able to verify if the card number submitted by the user is valid. If yes, the malware pops up a fake “Verified by Visa” view. The view includes DOB, address, post code, billing phone number, and password, as shown in Figure 8.
Figure 8. Input info for “Verified by Visa”
Once the user inputs this information and submits it, this data is also sent to its C2 server. The traffic is shown below.
Figure 9. Send “Verified by Visa” info to C2 server
If the user submits MasterCard card info, a different display is shown, as seen in Figure 10.
Figure 10. Input the MasterCard card info
After submission, the malware pops up a fake “MasterCard SecureCode” view. As with the Visa spoof, this view also includes DOB, address, post code, billing phone number and password, as shown in Figure 11.
Figure 11. The screen overlay of “MasterCard SecureCode”
The behavior occurs when the user submits American Express credit card info, as shown below in Figure 12.
Figure 12. Input American Express credit card info
After submission, the malware again pops up a fake “American Express SafeKey” view. The view also includes DOB, address, post code, billing phone number, and password, as shown in Figure 13, below.
These tricks are designed to capture the victim’s full credit card information, and uses “Verified by Visa,” “MasterCard SecureCode,” or “American Express SafeKey” displays to assure the victim that everything is normal.
Targeted bank list
This variant has also added some new banks as targets, including five banks in Austria. Base on this behavior, we expect this malware to continue to spread across the region.
New C2 Servers
The variant also uses six new C2 servers as follows.
hxxps://loupeahak[.]com/flexdeonblake/
hxxps://chudresex[.]cc/flexdeonblake/
hxxps://chudresex[.]at/flexdeonblake/
hxxps://memosigla[.]su/flexdeonblake/
hxxps://sarahtame[.]at/flexdeonblake/
hxxps://loupeacara[.]net/flexdeonblake/
Targeting popular social media apps
Two other variants of this malware family that we have discovered masquerade as flash player apps. Their version is “081116,” and their creation date should be Nov 8, 2016. They add some popular social media apps as targets. The following is a list of these spoofed apps.
com.instagram.android
com.facebook.katana
com.android.vending
com.skype.raider
com.viber.voip
com.whatsapp
We will use the spoofed Skype application to examine the behavior of this malware.
When the user launches the Skype app, the malware displays a screen overlay on top of the legitimate app, as shown in Figure 14.
Figure 14. A screen overlay for Skype
It shows the message “Your account has been frozen because we are unable to validate your information. Please validate your account HERE to avoid suspension.” It’s a classic phishing screen.
Next, it lures the user to input their credit card info.
Figure 15. Input the credit card info for Skype
Figure 16. Input billing info for Skype
Figure 17. Input info for “Verified by Visa”
From above figures, we can see that the malware is designed to steal the victim’s full credit card information. It also uses the “Verified by Visa,” “MasterCard SecureCode,” or “American Express SafeKey” screens to trick the user into thinking that their transaction was legitimate. The traffic is shown below.
Figure 18. Sending the full details of credit card to C2 server
The phishing screen overlay strategy targeting other social media apps is similar to the one shown for Skype app.
Solution
These malware samples are detected by Fortinet Antivirus signatures Android/Banker.GT!tr.spy and Android/Marcher.GT!tr. The traffic submitting the stolen info to the C&C server can be detected by Fortinet IPS signature Android.Banker.German.Malware.C2.
Conclusion
Based on our analysis, this malware family has good extensibility. The attacker can add new app lists easily in the code. These new variants have added the Google Play app and some other popular social media apps as targets in order to steal credit card information. And the “Verified by Visa,” “MasterCard SecureCode,” and “American Express SafeKey” screens are used convince victims that their transactions were legitimate. It also adds some new banks in Austria as targets. We predict that that list of targeted banks will continue to spread all over the world.
We will continue to monitor future activities from this malware family and ensure that an adequate security solution is developed in our products.
Appendix
SHA256 Hash
5366f4006c939cd06af8545bb6d19667cf475ac3b7110305bb11feb6ea28e5c8
ae269a51b3acdf4507b00dd220a67ee5b41b7a6fab8924c63eb51aeab4e45fab
b2daba5ac747439abd70522bde0e49c867e88cf2c9a7443177d944357d7a2576
C&C Server
loupeahak[.]com
chudresex[.]cc
chudresex[.]at
memosigla[.]su
sarahtame[.]at
loupeacara[.]net
polo777555lolo[.]at
polo569noso[.]at
wahamer8lol77j[.]at