Posing as a currency converter app, it targets users in Spain and was downloaded more than 10,000 times
In the last few days, our Mobile Threat Labs team at Avast discovered a Cerberus banking Trojan on Google Play that was targeting Android users in Spain. As is common with banking malware, Cerberus disguised itself as a genuine app in order to access the banking details of unsuspecting users. What is less common is that a banking Trojan managed to sneak onto the Google Play Store. The ‘genuine’ app in this case posed as a Spanish currency converter called “Calculadora de Moneda”. According to our research, it hid its malicious intentions for the first few weeks it was available on the store, most likely to acquire users quietly before starting any malicious activity that could have drawn the attention of malware researchers or Google’s Play Protect team. As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google so that they can remove it quickly.
Banking Trojan apps operate stealthily in order to gain the trust of users and then steal their banking data. There are several stages to this process. The first stage is delivering an app that appears to behave normally and may even offer some useful functionality to the users who download it, so that they trust it and are comfortable keeping it on their phones. From the research Threat Labs has carried out, this is exactly what happened when users first began downloading the currency converter app in March of this year: at this point, the 'Calculadora de Moneda' app did not steal any data or cause any harm.
In this instance, the benign app became what is known as a ‘dropper’ at a later stage. Droppers are malicious apps that silently download another app onto a device without the user’s knowledge. Later versions of the currency converter included dropper code, but it was still not activated initially: the command and control (C&C) server that instructs the app was not issuing any commands, so users never saw or downloaded the malware. In the last couple of days, however, Threat Labs noticed that the C&C server issued a new command to download an additional malicious Android Application Package (APK): the banker.
In this final stage, the banker app can sit over an existing banking app and wait for the user to log into their bank account. At that point the Trojan activates, draws an overlay over the legitimate login screen, and captures the credentials the user types into it. The banker also has the potential to read text messages, including SMS two-factor authentication codes, which means it can defeat SMS-based second-factor protection as well.
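One way to triage what a given version of such an app is capable of, as an added example that is not Avast's tooling or anything recovered from the real app: a Python script that reads a decoded AndroidManifest.xml (as produced by apktool or similar) and maps the permissions it requests to the capabilities the dropper and banker stages in the two paragraphs above need, namely installing a fetched APK, drawing over another app, and reading SMS. The permission names are real Android constants; the grouping into stages, the package name and the three sample manifests are constructed for illustration.

```python
"""
Heuristic manifest triage for the dropper-then-banker pattern.
Added example, not Avast's tooling or anything recovered from the real app.
Reads a decoded AndroidManifest.xml and maps requested permissions to the
capabilities each stage needs: installing a fetched APK (dropper), drawing
over another app (overlay), and reading SMS one-time codes (sms).
The manifests at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission constants; the grouping into stages is our own heuristic.
CAPABILITIES = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", "can install an APK it fetched"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", "can draw over another app's login screen"),
    "android.permission.READ_SMS": ("sms", "can read stored SMS, including 2FA codes"),
    "android.permission.RECEIVE_SMS": ("sms", "can intercept incoming SMS 2FA codes"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", "can observe and inject UI events"),
}


def permissions(manifest_xml: str) -> set:
    """All permission strings the manifest requests or binds a service to."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(NAME) for e in root.iter("uses-permission")}
    # Accessibility services declare their permission on the <service> element,
    # not in a <uses-permission> entry, so check those too.
    names |= {e.get(PERMISSION) for e in root.iter("service")}
    names.discard(None)
    return names


def flagged(manifest_xml: str) -> dict:
    """Subset of requested permissions that map to a stage capability."""
    return {p: CAPABILITIES[p] for p in permissions(manifest_xml) if p in CAPABILITIES}


def verdict(manifest_xml: str) -> str:
    """Coarse label: overlay plus SMS or accessibility looks like a banker,
    install rights alone look like a dropper, anything else is unremarkable."""
    stages = {stage for stage, _ in flagged(manifest_xml).values()}
    if "overlay" in stages and stages & {"sms", "accessibility"}:
        return "banker-like"
    if "dropper" in stages:
        return "dropper-like"
    return "unremarkable"


def new_capabilities(old_xml: str, new_xml: str) -> dict:
    """Flagged permissions a later version requests that an earlier one did not.
    This is the check that catches a harmless app quietly growing dropper code."""
    before = flagged(old_xml)
    return {p: c for p, c in flagged(new_xml).items() if p not in before}


# --- constructed sample manifests (hypothetical package name, not the real app's) ---
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.converter">'

BENIGN_V1 = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Converter"><activity android:name=".Main"/></application>
</manifest>"""

DROPPER_V2 = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Converter"><activity android:name=".Main"/></application>
</manifest>"""

BANKER_PAYLOAD = _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in [("v1", BENIGN_V1), ("v2", DROPPER_V2), ("payload", BANKER_PAYLOAD)]:
        print(label, verdict(xml), sorted(flagged(xml)))
    print("v1 -> v2 added:", sorted(new_capabilities(BENIGN_V1, DROPPER_V2)))
```

The version-to-version comparison is the part worth automating: a single manifest asking for install rights is not proof of anything, but a converter app that needed only INTERNET in one release and REQUEST_INSTALL_PACKAGES in the next is exactly the drift described above, and the overlay-plus-SMS combination in a freshly fetched APK is what the banker stage needs to harvest credentials and one-time codes.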
The C&C server in question and its malware payload were only active for most of yesterday, during which time users of the currency converter app were downloading the banking Trojan. By yesterday evening, however, the C&C server had disappeared and the currency converter app on Google Play no longer contained the Trojan. Although this was only a short period, limiting the time window in which malicious activity can be discovered is a tactic fraudsters frequently use to hide from protection and detection.
Different versions of the Currency Converter app present in our Threat Intelligence platform, apklab.io.
All of our findings have been reported to Google.
We recommend users take the following steps to protect themselves from mobile banking Trojans:
List of IoCs: