New triple-threat mobile version of the malware WannaLocker targets banks in Brazil

Avast Security News Team, 1 July 2019

Avast threat researcher Nikolaos Chrysaidos tracks new version of malware that combines spyware, remote-access-Trojan malware, and banking Trojan malware

A new, three-pronged version of the ransomware known as the mobile WannaCry is targeting four major banks in Brazil, Avast threat researcher Nikolaos Chrysaidos has found. 

This is a new version of WannaLocker, the WannaCry copycat for mobile, which bundles spyware, remote-access-Trojan (RAT) malware, and banking Trojan malware in one nasty ransomware package, according to Chrysaidos’ findings. 

“We believe this is the first sighting of this new mobile version of WannaLocker,” said Chrysaidos, a researcher who previously tracked banking Trojans on the Google Play store. “It harvests text information, call logs, phone number, and credit card information, and if it takes off it could be a very serious issue.”

WannaCry, a 2017 ransomware outbreak that swept the globe, was one of the decade’s worst cybersecurity threats.  

Chrysaidos said researchers don’t know how this new version of WannaLocker initially gets into phones, but suspects it could be through malicious links or third-party stores.

The banking Trojan works by showing users a fake interface and urging them to address an issue with their account by signing in. When they do, the malware collects a wide range of data, including the mobile manufacturer and other hardware information, call log, text messages, phone number, photos from front and back camera, contact list, GPS location, and microphone audio data.

WannaLocker strains normally encrypt files on a mobile user’s external storage and demand a relatively small payment to release them. This version includes the design to do this and the message to show to the infected user, but appears to still be in development, Chrysaidos said.
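A triage check for the collection behaviour described above, added here as an example and not taken from Avast's research: it reads a decoded AndroidManifest.xml and reports which of the article's data categories (plus external storage) the app has requested access to. The category-to-permission mapping, the threshold of five, and both sample manifests are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Data categories named in the article -> standard Android permissions that
# gate them. The mapping is this example's assumption, not sample analysis.
CATEGORY_PERMISSIONS = {
    "call log": {P + "READ_CALL_LOG"},
    "text messages": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "phone number": {P + "READ_PHONE_STATE", P + "READ_PHONE_NUMBERS"},
    "camera photos": {P + "CAMERA"},
    "contact list": {P + "READ_CONTACTS"},
    "GPS location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "microphone audio": {P + "RECORD_AUDIO"},
    "external storage": {P + "WRITE_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded (text) manifest."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest contains a DTD; refusing to parse")
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        # uses-permission-sdk-23 is the API 23+ variant of the same element.
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, threshold=5):
    """Map requested permissions to data categories; flag broad collection."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & wanted)
            for cat, wanted in CATEGORY_PERMISSIONS.items() if perms & wanted}
    return {"categories": hits, "flag": len(hits) >= threshold}

def sample_manifest(*short_names):
    """Build a constructed manifest (sample input, not from a real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in short_names)
    return f'<manifest xmlns:android="{ANDROID_NS[1:-1]}">{uses}</manifest>'

SUSPECT = sample_manifest("READ_CALL_LOG", "READ_SMS", "READ_CONTACTS", "CAMERA",
                          "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
                          "WRITE_EXTERNAL_STORAGE", "INTERNET")
BENIGN = sample_manifest("INTERNET", "CAMERA", "ACCESS_FINE_LOCATION", "USE_BIOMETRIC")

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, audit(manifest))
```

A flag marks an app for closer review, not as malicious: legitimate apps can request several of these permissions, so the result is a starting point for analysis.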

Chrysaidos’ work and other related research can be found on apklab.io, a mobile threat intelligence platform (MTIP) designed to provide real-time intelligence for Android security researchers.

Apklab.io is the first platform of its kind to collect and make available intelligence from Avast’s global network of over 145 million mobile users to help researchers fight the growing threat of mobile malware.

How to guard against banking malware

  • Confirm that the banking app you’re using is the official, verified version. 
  • If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
  • Use two-factor authentication if it’s available.
  • Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.