BankBot, a simple but malicious Android banking Trojan, has been targeting Android devices since 2016, and it is now back in a stronger form. It is known for its set of malicious capabilities: it can send and read SMS messages, suppress incoming SMS (which is how it defeats SMS-delivered one-time codes), and silence the device's ringer and vibration so the victim notices nothing. Even more worrisome is its ability to display fraudulent web content as an overlay on top of trusted banking applications and silently capture the credentials the user types into it. And the bad news doesn't end there: it runs on Android versions up to 6.0 Marshmallow.
Even though this threat is far from new (its source code was leaked in December 2016), it has been making headlines recently because of a large malware campaign delivered through an application available for direct download from the official Android store, Google Play. The newly detected sample carried BankBot web injections targeting more than 420 banks worldwide.
The malicious Android application package (APK) was named "Funny Videos 2017" and promised users hilarious content after installation. Its nefarious side came to life once users granted it device administrator rights. No one was laughing then. Although it is no longer available in Google Play, there are two important lessons in this threat: first, how much stronger an attack becomes after its source code has been shared, and second, the risk to which people who use unofficial Android stores are exposed.
Let’s break this down further …
The power of open source
In software development, as in most things, two heads are better than one. It is well known that malware families such as Zeus drew far more attention after their source code was leaked, and that new and more sophisticated variants followed. This democratization of malware was explained by our team in a previous blog post and, as the mobile Trojan BankBot shows, it continues to be one of the most effective ways to improve a Trojan.
In the case of BankBot, the code leaked in 2016 was simple but effective. It used no obfuscation, and it built a standalone bot at compile time rather than injecting itself into another APK. What's more, its author "thoughtfully" documented every step needed to build the attack, making it easy for almost anyone to understand what it does and how it does it.
One notable limitation of that code was that the targeted entities were hardcoded inside the Android application itself, so fraudsters could not change the target list without building and distributing a new application.
Ever resourceful, the malware community has already addressed this limitation. The latest samples show that the cybercriminals automated the list of targeted entities: the attack can now be released once, and the list of targeted companies updated simply by changing a list on the C2 server.
What's more, the fraudsters added a layer of obfuscation, making the samples harder to reverse engineer. They even managed to insert the malicious payload into an unrelated application and upload it to Google Play, which lowers antivirus detection rates and raises the confidence of users considering installing it.
Taken together, these changes produce an entirely new bot and show clearly how community effort turns a simple, almost "educational" piece of code into a real danger for almost anyone with an Android phone.
Non-official Android Stores
The risk is not over: right now the APK can still be downloaded from several unofficial app stores, so any unsuspecting user can fall for this scam.
If you Google "How to root your Android", you get roughly 17 million results. That is a big number, and countless people root their devices and download APKs from unofficial stores every day. What does this mean for you? Venturing outside Google Play puts end users at risk: a rooted device lets an app that obtains root bypass the permission model, and a sideloaded APK skips whatever vetting the official store performs.
So, what are our recommendations?
- Monitor all app stores, official and unofficial. As we've seen, rogue apps can hide behind a harmless-looking front even in legitimate stores.
- Determine whether the devices on which your app is installed are at risk (rooted, loaded from unofficial stores, or hosting apps that can draw overlays) and take steps to ensure that your app runs only in a safe environment.
- Implement multi-factor authentication as part of your mobile app. Our mobile authentication SDKs integrate directly into your app and create a hardware-based fingerprint of the end user's mobile device; each login request is analyzed to confirm the customer's identity.
- Deploy multi-layered protection against electronic fraud. Consider a solution such as our Mobile Application Fraud Protection Suite, which bolsters your app with self-protection, authentication and rogue-app takedown, along with insight into the risks affecting your customers' mobile devices and detailed security reports.
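To make the first recommendation concrete, here is a small static triage script, added as an example for this post (it is not code from the original article, from BankBot, or from any vendor product). It reads a decoded AndroidManifest.xml, as produced by apktool, and flags the capability combination described at the top of the post: SMS interception, an overlay window on top of other apps, device administrator rights, and control of the ringer. Any one of these is common in legitimate apps; all of them together in a "video player" is what a store-monitoring pipeline should escalate. The two sample manifests and their package names are constructed for the example and do not correspond to any real app.

```python
import xml.etree.ElementTree as ET

# Manifest tags are unnamespaced; the attributes live in the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
AUDIO_PERM = "android.permission.MODIFY_AUDIO_SETTINGS"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text):
    """Extract the permissions and receivers relevant to overlay-trojan triage."""
    root = ET.fromstring(xml_text)
    info = {
        "package": root.get("package"),
        "permissions": set(),
        "device_admin_receiver": False,
        "sms_receiver_priority": None,  # highest priority of any SMS_RECEIVED filter
    }
    for elem in root.iter("uses-permission"):
        name = elem.get(A + "name")
        if name:
            info["permissions"].add(name)
    for receiver in root.iter("receiver"):
        # Device admin receivers are guarded by BIND_DEVICE_ADMIN and listen for DEVICE_ADMIN_ENABLED.
        if receiver.get(A + "permission") == DEVICE_ADMIN_PERM:
            info["device_admin_receiver"] = True
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if DEVICE_ADMIN_ACTION in actions:
                info["device_admin_receiver"] = True
            if SMS_RECEIVED_ACTION in actions:
                prio = int(flt.get(A + "priority", "0"))
                current = info["sms_receiver_priority"]
                info["sms_receiver_priority"] = prio if current is None else max(current, prio)
    return info


def triage(info):
    """Return human-readable findings and whether the full BankBot-style combination is present."""
    perms = info["permissions"]
    sms = perms & SMS_PERMS
    findings = []
    if OVERLAY_PERM in perms:
        findings.append("overlay: SYSTEM_ALERT_WINDOW lets the app draw over other apps (banking overlays)")
    if sms:
        findings.append("sms: " + ", ".join(sorted(p.rsplit(".", 1)[1] for p in sms)))
    prio = info["sms_receiver_priority"]
    if prio is not None and prio > 0:
        findings.append(
            f"sms-suppress: SMS_RECEIVED receiver with priority {prio}; on Android before 4.4 a "
            "high-priority receiver can abortBroadcast() so the user never sees the message")
    if info["device_admin_receiver"]:
        findings.append("device-admin: registers a device administrator receiver (resists uninstall)")
    if AUDIO_PERM in perms:
        findings.append("silence: MODIFY_AUDIO_SETTINGS allows muting the ringer and vibration")
    # Overlay + SMS + device admin together is the combination described in the post;
    # each one on its own is common in legitimate apps, so only the triple drives the verdict.
    bankbot_like = OVERLAY_PERM in perms and bool(sms) and info["device_admin_receiver"]
    return {"package": info["package"], "bankbot_like": bankbot_like, "findings": findings}


# Constructed sample manifests for this example; no real package is implied.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <application android:label="Videos">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    import sys
    # Pass decoded manifest paths on the command line, or run on the built-in samples.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SUSPECT_MANIFEST, BENIGN_MANIFEST]
    for xml_text in sources:
        result = triage(parse_manifest(xml_text))
        print(f"{result['package']}: bankbot_like={result['bankbot_like']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The script deliberately reports each capability separately and only calls the combination "BankBot-like", so an analyst can see why a sample scored the way it did rather than trusting a single number. Run it on the manifests apktool extracts from every new or updated APK you pull from the stores you monitor, and route anything that trips the combined verdict to manual review.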