Mobile

11/27/2017
07:45 PM
50%
50%

New BankBot Version Avoids Detection in Google Play -- Again

Mobile banking Trojan BankBot uses a unique payload downloading technique to skip past Google Play Protect.

BankBot's newest version ducked detection in Google Play by downloading its payload from an external source, according to a report by researchers at Avast, SfyLabs, and ESET, which made the discovery.

Once installed, BankBot will wait for a user to launch a legitimate banking app on his or her device and then overlay a copycat version of the app. It will not only steal users' bank credentials as they log in to the fake app, but it will also intercept victim's text messages, including mobile transaction authentication numbers (TANs), says Lukas Stefanko, a malware researcher at ESET.

"It will allow them to carry out bank transfers on a user's behalf," warns Stefanko. Banks will often rely on text messages as a form of two-factor authentication.

Attack Path
The authors of the latest BankBot version managed to get past Google Play's security vetting process by submitting a bogus app without the actual payload packed within the app, Stefanko explains.

The victim downloads a Trojanized flashlight app, which even has flashlight functionality, and then the malicious payload is dropped from a nefarious link in the background.

The malicious payload waits two hours after it's dropped before requesting the victim install it, says Stefanko, giving the cybercriminal administrator rights to the app.

After the user executes one of the targeted financial apps, such as Wells Fargo, Chase, or any of the other institutions on BankBot's hit list, a fake overlay that mimics the original screen is placed on top of the legitimate app, says Nikolaos Chrysaidos, head of mobile threat intelligence and security at Avast. He adds that more advanced users may be able to detect the bogus overlay, given they are not identical to the original banking app interface, but other users may not notice the difference.

BankBot's flexibility in the payload it delivers makes it unique, the security researchers say.

"Using the same payload delivery mechanism, the actors could drop whatever malware, spyware, banker [Trojans] they want into the device," Chrysaidos warns. "CISOs should at least be proactive and use an AV solution on the Android devices of their company devices."

The security researchers suspect BankBot's authors are based in Ukraine, Belarus, and Russia, because its activities in those regions are absent. As a result, they believe the actors are keeping a low profile with the local law authorities, the report states.

Google was notified of the latest BankBot version on Nov. 17, and the Internet giant removed it from Google Play on the same day, Chrysaidos says. To date, all of the reported BankBot variants have been removed from Google Play, but the actors still appear active, so it is likely that another run will be made in the future to upload newer versions of BankBot, the researchers note.

Old vs. New
BankBot, which ESET initially discovered at the start of this year, had another version emerge in September, Stefanko says.

The droppers in the September version were considered far more sophisticated than this newest version, the report states. The malicious payloads could use Google's Accessibility Service to enable the installation of apps from unknown sources. But in the fall, Google halted use of this Accessibility Service feature for everyone except those who are blind.

"Bad actors removing this functionality could make their malware a bit more stealthy from discovery, as something that uses the Accessibility Service could be very quickly detected as suspicious," Chrysaidos says. "On the other hand, it makes the malware less powerful."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14363
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.
CVE-2018-14349
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message.
CVE-2018-14350
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field.
CVE-2018-14351
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size.
CVE-2018-14352
PUBLISHED: 2018-07-17
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote characters, leading to a stack-based buffer overflow.