In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blogpost, we will look at another two Android malware families which supposedly utilize the same bunch of fake Korean bank applications. At the end of this article, we will discuss the origin of malware creators.
Analysis of Android:AgentSpy
It is interesting to search for references of bank applications package names – KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference goes to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details, we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.
Android:AgentSpy contains activity MainActivity and several receivers and service CoreService.
Monitors android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and if received, starts CoreService. It also monitors attempts to add or remove packages – android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED.
1) Calls regularly home and reports available connection types (wifi, net, wap), IMSI, installed bank apps
2) Regularly polls C&C and responds to the following commands
sendsms – sends SMS to a given mobile number
issms – whether to steal received SMS or not
iscall – whether to block outgoing call
contact – steals contact information and upload them to C&C
apps – list of installed bank apps
changeapp – replaces original bank applications with fake bank applications
move – changes C&C server
Moniors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to C&C.
Contains C&C URL, name of bank packages (String array bank), name of fake bank packages (String array apkNames). It also contains reference to conf.ini configuration file.
Analysis of Android:Telman
One more Android malware family, which uses fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above mentioned banks. Read more…
About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.
Original bank application
We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.