Active users of mobile banking apps should be aware of a new Android banking trojan campaign targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, detected by ESET security products as Android/Spy.Agent.SI, can steal login credentials from 20 mobile banking apps.The list of target banks includes the largest banks in each of the three target countries (A full list can be found in the final section of this article ). Thanks to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.

Analysis

The malware masquerades as Flash Player, with a legitimate-looking icon.

It was available on several servers. These servers were registered in late January and February 2016. Interestingly, the URL paths to the malicious APK files are regenerated each hour – maybe to avoid URL detection by antivirus software.

Figure 1

Figure 1

trojan

Malicious sites hosting Android/Spy.Agent.SI

After downloading and installing the app, the user is requested to grant the application device administrator rights. This self-defense mechanism prevents the malware from being uninstalled from the device. The Flash Player icon is then hidden from the user’s view, but the malware remains active in the background.

After that, the malware communicates with a remote server. Communication between the client and the server is encoded by base64. First, the malware sends device information such as model type, IMEI number, language, SDK version and information about whether the device administrator is activated. This information is sent to the server every 25 seconds. The malware then gathers the package names of installed applications (including mobile banking apps) and sends them to the remote server. If any of the installed apps are targets of the malware, the server sends a full list of 49 target apps, although not all of these are directly attacked.

The malware manifests itself as an overlay, appearing over the launched banking application: this phishing activity behaves like a lock screen, which can’t be terminated without the user entering their login credentials. The malware does not verify the credibility of the data entered, instead sending them to a remote server, at which point the malicious overlay closes. The malware does not focus only on mobile banking apps, but also tries to obtain Google account credentials as well.

The first versions were simple, with an easily identifiable malicious purpose. Later versions featured better obfuscation and encryption.

Process summary

If a target application is launched, the malware is triggered and a fake login screen overlays the original mobile banking one, with no option to close it.

trojan

Figure 2 - Communication with server

After the user fills in their personal data, the fake screen closes and the legitimate mobile banking is shown.

As mentioned earlier, all the information exchanged between the device and server is encoded, except for the stolen credentials, which are sent in plain text.

Figure 3 - Credentials sent in plain text

Figure 3 - Credentials sent in plain text

The malware can even bypass 2FA (two-factor authentication) by sending all received text messages to the server, if requested. This allows the attacker to intercept all SMS text messages from the bank and immediately remove them from the client device, so as not to attract any suspicion.

How to remove the malware

When the user tries to uninstall the malware, two different scenarios can occur. First, the user has to disable administrator rights and then uninstall the fake “Flash Player” from the device. Deactivating administrator privileges can have two possible outcomes. The simpler one is where the user first deactivates administrator rights in Settings -> Security -> Device administrators -> Flash Player -> Deactivate and then ignores the bogus alert and chooses OK.

 

trojan

Figure 4 - Deactivating administrator rights

The user is then able to uninstall the malware via Settings -> Apps/Application manager -> Flash Player -> Uninstall.

Removal can become more complicated if the device receives a command from the server to disable deactivation of device administrator rights. If this happens, when the user tries to deactivate it, the malware creates an overlay activity in the foreground which prevents the user from clicking on the confirmation button. Deactivating administrator rights will therefore fail.

Figure 5 - Overlay screen displayed by the malware

Figure 5 - Overlay screen displayed by the malware

Another method to safely deactivate administrator privileges is to enter Safe mode. When booting to Safe mode, third-party applications are not loaded or executed, and the user can safely deactivate administrator privileges, as in the first scenario, and thereby uninstall the application. ESET solutions detect this malware as Android/Spy.Agent.SI.

Fake login screens for various banking apps

trojan

Screen Shot 2016-03-04 at 15.27.42

Screen Shot 2016-03-04 at 15.27.54

Screen Shot 2016-03-04 at 15.28.05

Additional information

ESET detection name:

Android/Spy.Agent.SI

C&C servers:
http://94.198.97.202
http://46.105.95.130
http://181.174.164.138

Download servers:
http://flashplayeerupdate.com/download/
http://adobeflashplaayer.com/download/
http://adobeuploadplayer.com/download/
http://adobeplayerdownload.com/download/
http://adobeupdateplayer.com/download/
http://adobeupdateplayeer.com/download/
http://adobeupdateflash11.com/download/

Targeted banks:

Westpac, Bendigo Bank, Commonwealth Bank, St. George Bank, National Australia Bank, Bankwest, Me Bank, ANZ Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.

Targeted package names:
org.westpac.bank
com.westpac.cashtank
au.com.westpac.onlineinvesting
org.banking.westpac.payway
com.rev.mobilebanking.westpac
com.westpac.illuminate
com.bendigobank.mobile
com.commbank.netbank
org.stgeorge.bank
au.com.nab.mobile
au.com.bankwest.mobile
com.akbank.android.apps.akbank_direkt
com.finansbank.mobile.cepsube
finansbank.enpara
com.pozitron.iscep
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.wellsfargo.mobile.merchant
com.tmobtech.halkbank
com.ziraat.ziraatmobil
au.com.mebank.banking
com.anz.android.gomoney
nz.co.anz.android.mobilebanking
nz.co.westpac
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.ykb.android
com.vakifbank.mobile
com.garanti.cepsubesi
biz.mobinex.android.apps.cep_sifrematik
com.paypal.android.p2pmobile
com.ebay.mobile
com.skype.raider
com.whatsapp
com.google.android.googlequicksearchbox
com.android.vending
com.google.android.music
com.google.android.apps.plus
com.android.chrome
com.google.android.apps.maps
com.google.android.youtube
com.google.android.apps.photos
com.google.android.apps.books
com.google.android.apps.docs
com.google.android.apps.docs.editors.docs
com.google.android.videos
com.google.android.gm

Hashes:
C31E5E31210B08BA07AC6570814473C963A2EF81
6CAD2250EDDF7EDDF0B4D4E7F0B5D24B647CB728
4A788D05DD8849CD60073F15255C166F06611475
EE88D05CF99D8C534FBA60D1DA9045FB7526343A
26A2B328F194B6B75B2CC72705DC928A4260B7E7
4AD1DBB43175A3294A85957E368C89A5E34F7B8C
DB228BB5760BD7054E5E0A408E0C957AAC72A89F
266B572B093DB550778BA7824E32D88639B78AFC
E4FA83A479642792BC89CA3C1553883066A19B6C
644644A30DE78DDCD50238B20BF8A70548FF574C
F1AAAE29071CBC23C33B4282F1C425124234481C
CAC078C80AD1FF909CC9970E3CA552A5865C7963
1C8D0E7BB733FBCEB05C40E0CE26288487655738
FE6AC1915F8C215ECEC227DA6FB341520D68A9C7
BD394E0E626CE74C938DDDF0005C074BC8C5249D
D7E0AFCE7D2C4DE8182C353C7CBA3FAC607EAFC9
A804E43C3AFF3BDAEE24F8ABF460BAA8442F5372
0EF56105CF4DBF1DAE1D91ECE62FC6C4FF8AD05F
9FD295721C1FF87BC862D19F6195FDDE090524D9
57D0870E68AC1B508BC83F24E8A0EBC624E9B104
521F9767104C6CBB5489544063FCE555B94025A6
E5F536408DBB66842D7BB6F0730144FDD877A560
3FA6010874D39B050CA6CA380DAD33CA49A8B821