Consumers beware: New malware Catelites Bot could be targeting your banking apps

Charlotte Empey 23 Dec 2017

Protect yourself with these five important tips.

There is a terrible new malware invading Android devices and using dirty tricks to steal users’ online banking info. Avast Threat Labs worked with SfyLabs to uncover and expose this malware, dubbed Catelites Bot. The malware is similar to a Russian outbreak earlier this year, where cybercriminals successfully stole over $900,000. (That malware was called “CronBot”—which shares similarities with the original Catelites Bot.)

How does it work?

Here’s what we know so far:  you can unsuspectingly install this malware on your device in a number of ways, including through phony apps from third-party app stores (usually not official shops like Google Play), malicious adware (malvertisements), or phishing sites. Once downloaded onto your Android device, the malicious program looks like the icon seen in this screenshot below, titled “System Application.”

catelites-1.png

When you click that “System App” icon, it asks you for admin rights. If you grant those permissions, the malware begins its work. The “System Application” icon disappears and three familiar-looking, trusted app icons appear on your homescreen: Gmail, Google Play, and Chrome.

catelites-3-app-icons.png

The 3 new icons appear on your home screen for Gmail, Google Play and Chrome.

It goes after your credit card info

Now the trap is set and it’s just waiting for its prey. If you try to open any of the three new icons, you will get a fake overlay asking you to enter sensitive information like your credit card. Cybercriminals are hoping you won’t think twice about falling into this trap, since you’re so used to providing these kinds of details to a trusted app like Google. Another technique they use here is keeping the overlay up on your screen so it seems you can’t get rid of it unless you enter your card details. Refuse to fall for it!

Catelites-bank-overlay-4.png

First you click “Google Play Store” notification; then it asks for your credit card number.

It tries to steal your banking details

This tricky piece of malware also goes after your bank account login details, as it can pose as over 2,200 banks and financial institutions. Once you open your own banking app, the malware activates and places a fake overlay on your actual banking app’s screen, tricking you into entering your bank login details and credit card info. Once you provide this, the hackers have access to your account and credit card.

 

 

 

Watch above video to see it in action

 

catelites-all-bank-apps-5.jpg

Above shows examples of the fake overlay screens that
pull in the logos of actual banks.

Follow these 5 tips to stay protected

If you have Avast Mobile Security for Android, then you’re already protected from this malware. But if you don’t, here are some tips to help you stay safe:


  1. To make sure there is no malware on your phone, boot it up in safe mode (instructions here) and carefully follow the directions. Remove any suspicious apps as directed.
  2. Avoid third-party app stores. Instead, get your apps only from the popular mainstream shops like Google Play.
  3. Do not grant admin rights to any app or program unless you feel absolutely secure about it. If a strange request pops up asking for permissions, and it seems unmotivated, something phishy may be afoot.
  4. When opening your bank app, watch it carefully and make sure it behaves normally. If anything seems amiss, close it immediately and reach out to your bank to check if the behavior was normal or manipulated.
  5. Install security software like Avast Mobile Security for Android on your device to protect against Catalites Bot and other malware threats.
--> -->