Co-authored with Niels Croese (SfyLabs) and Lukas Stefanko (ESET)
Recently, the mobile threat intelligence team at Avast collaborated with researchers at ESET and SfyLabs to examine a new version of BankBot, a piece of mobile banking malware that has snuck into Google Play on numerous occasions this year, targeting apps of large banks including WellsFargo, Chase, DiBa and Citibank and their users in the U.S., Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore and Philippines.
The new version of BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps, tricking users into downloading them, in a first campaign. In a second campaign, the solitaire games and a cleaner app have been dropping additional kinds of malware besides BankBot, called Mazar and Red Alert (Mazar was recently described by ESET and we won’t dive into the details here). However, instead of bringing light, joy and convenience into their users’ lives, the dark intention of these apps has been to spy on users, collect their bank login details and steal their money.
Google previously removed older versions of BankBot-carrying apps from the Play Store within days. However, several versions remained active until November 17th. This was long enough for the apps to infect thousands of users.
Google has scanning and vetting measures in place for all apps submitted to the Play Store to ensure no malicious programs enter. But in their latest campaigns, authors of mobile banking trojans have started to use special techniques to circumvent Google’s automated detections, commencing malicious activities two hours after the user gave device administrator rights to the app. Also, they published the apps under different developer names which is a common technique used to circumvent Google’s checks.
The malicious activities include the installation of a fake user interface that’s laid over the clean banking app when it’s opened by the user. As soon as the user’s bank details are entered they are collected by the criminal. In some countries, banks use transaction authentication numbers (TANs), a form of two-factor authentication required to conduct online transfers often used by European banks. The authors of BankBot intercept their victims’ text message that includes the mobile TAN, allowing them to carry out bank transfers on the user's behalf.
This malware shows similarities with the kind Trend Micro blogged about in September.
We spotted the first sample of the new BankBot malware version in Google Play on October 13, 2017. It was hidden in the “Tornado FlashLight” (com.andrtorn.app) and later appeared in the “Lamp For DarkNess” and “Sea FlashLight” apps.
The sample runs undetected without altering the performance or functionality of the flash lights.
The flashlight apps including the BankBot malware
really did have flashlight functionalities
In late October and November, a smartphone cleaning app and multiple Solitaire gaming apps appeared with the malware embedded, for the aforementioned second campaign.
Infected Solitaire gaming app from the second wave
As soon as these apps are downloaded, the malware activates. It checks what applications are installed on the infected device against a hard coded, pre-computed SHA1 list of 160 mobile apps. The package names are hashed, and therefore we’ve only been able to identify 132 of them. This list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many others from around the world. You can find a full list of targeted apps at the end of this post.
If the malware is able to identify one or more apps from the SHA1 list installed on the phone, it initiates a ‘service’ - an expression used for an Android application component that can perform long-running operations in the background. The service includes a dropper functionality that allows it to download another application from a webserver in order to install it on the device.
Comparison of the old and new BankBot version: The new variant first downloads/drops the payload from an external source
The malware communicates with its Command and Control (C&C) server through Google’s Firebase service in order to hide and use encrypted communication:
The malware also runs the same check when the device is booted. If it discovers one of the apps on the device, the service will launch.
Once launched, the service will try to trick the victim into giving the app admin rights by pretending to be a Play Store (or system) update using a similar icon and package name:
Dropped app imitating the Google design
Two hours after obtaining admin rights the malware will start downloading its payload, the BankBot APK (com.vdn.market.plugin.upd). We believe the cyber criminals use this two hour window to evade Google’s checks. This is the same for all dropper samples and each time the BankBot APK is downloaded from hxxp://220.127.116.11/kjsdf.tmp:
Once the payload is downloaded from the C&C server, the malware tries to install the APK using the standard Android installation mechanism for applications hosted outside the Google Play store. This requires the smartphone to be set up to accept installations from unknown sources. If this is not enabled, Android will display an error and the installation will terminate.
Otherwise, the user is asked to accept in order to continue the installation.
Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated. They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources. Google blocked this service for all applications this fall, except those designed to provide services for the blind. Therefore, the new BankBot version cannot utilize this mechanism any more.
The name and icon of the package to install the malware tries to make the user think it is a Google Play update. Once the installation has finished, the new APK will also request device admin rights.
The dropped APK checks for different indicators on whether it's running inside an emulator or directly on the device. These anti-sandbox checks can help the malware bypass or delay detections from different antivirus engines:
When the user opens one of the aforementioned banking apps, the dropped app is activated and creates an overlay on top of the genuine banking app. The Avast Threat Labs tested this mechanism with the app of the local Czech Airbank. In the video below, you can see how an overlay is created within milliseconds. When the user enters their bank details, they are sent to the cyber criminal.
Many banks use two-factor-authentication methods to ensure a transaction is secure and initiated only by the bank’s customer. BankBot includes a functionality that allows it to steal text messages, so if the mobile transaction number (mTAN) is sent to the customer’s phone, the cyber criminals behind BankBot can access it and use it to transfer money to their own accounts.
The malware is not active in the Ukraine, Belarus and Russia. This is most likely to protect the cyber criminals from receiving unwanted attention from law enforcement authorities in these countries.
Interestingly enough, even though the dropper apps that appeared in early October have been removed from Google Play, they were not detected by Play Protect which allowed them to enter the Play store in the first place. The same applies for the malware that is dropped by the dropper.
Infected Solitaire gaming app from the second waveFrom the second wave
We recommend users take the following steps to protect themselves from mobile banking Trojans:
(click here for all IOC tables shown below)