Thursday 23 February 2017

Interesting: How a weather app found on Google Play can remotely trick you and break your screen lock pattern


New banking malware has been identified which is camouflaged as a weather forecast app on Google Play.

A malicious weather app has been discovered on the Google Play store by the ESET malware research team. It can spy on your Android phone and lock or unlock the device at will by replacing the existing unlock pattern or password.

This application was primarily detected by ESET as Trojan.Android/Spy.Banker.HU. The malware was a trojanized version of the otherwise benign weather forecast application Good Weather.

The malicious app managed to get around Google’s security mechanisms and was published in the store on February 4th 2017.

The trojan has been targeting 22 Turkish banking apps and has so far been downloaded by about 5,000 victims, whose credentials were harvested using vulnerable login forms.

Once installed, the malicious app offers weather forecast functionality but also has the ability to lock and unlock the device and to intercept its text messages. The malware not only harvests the victim's banking credentials and sends them to its command-and-control server, but is also able to bypass the bank's two-factor authentication because it controls all text-message functionality.
Figure 1: Malicious Good Weather app on Google Play

Figure 2: Malicious app description as found on Google Play

How does this app operate?

After the app is installed by an unsuspecting user, its weather-themed icon disappears. The infected device then displays a fake system screen requesting device administrator rights on behalf of fictitious “System update”. By enabling these rights, the victim allows the malware to Change the screen-unlock password and Lock the screen.
Figure 3: Green – legitimate Good Weather icon, Red – malicious version
Figure 4: Fake “System update” demanding device administrator rights

Together with the permission to intercept text messages obtained during the installation, the trojan is now all set to start its malicious activity. Users who are not alarmed at this point might be pleased with the new weather widget they can add to their home screens. However, in the background, the malware is getting to work sharing device information with its C&C server.

ESET researchers said: "The trojan displays a fake login screen once the user runs one of the targeted banking apps and sends entered data to the attacker. Thanks to the permission to intercept the victims’ text messages, the malware is also able to bypass SMS-based two-factor authentication.

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device."


Targeted Applications discovered by ESET
com.garanti.cepsubesi
com.garanti.cepbank
com.pozitron.iscep
com.softtech.isbankasi
com.teb
com.akbank.android.apps.akbank_direkt
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet
com.ykb.androidtablet
com.ykb.android.mobilonay
com.finansbank.mobile.cepsube
finansbank.enpara
com.tmobtech.halkbank
biz.mobinex.android.apps.cep_sifrematik
com.vakifbank.mobile
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.sekerbilisim.mbank
com.ziraat.ziraatmobil
com.intertech.mobilemoneytransfer.activity
com.kuveytturk.mobil
com.magiclick.odeabank
