Clever and Persistent Android Banking Trojan Discovered

A new Android banking trojan that specializes in stealing information by intercepting specific SMS messages has been discovered in the wild. Although still without an official name, the malware is being circulated under the name 888.apk. Below is our rundown of the threat as well several conclusions from our research team.

What exactly is 888.apk?

888.apk is an mRAT (Mobile Remote Access Trojan) which primarily steals banking details, but also performs several secondary forms of malicious activity:

  • The mRAT uses keyword filters to specifically extract banking details. For example, while going over all of the victim’s messages, it searches for key words like “Pay,” ”Check,” ”Bank,” ”Balance,” and “Validation.”
  • Preliminary research shows the mRAT can also extract the device’s contacts and its SMS data, then relay these to a remote Command and Control (C&C) server. SMS messages are sent to the number +15996581524.
  • The malware can not only send SMS messages, it can also receive commands from the C&C server via SMS. The attacker is able to send a message with “intercept#” to start data collection and send another message, “interceptstop#” to stop it.

888.apk is targeting Android users in China at the moment. That being said, banking establishments in many different countries use authentication systems that would be vulnerable to this type of attack. mTAN (Mobile Two Factor Authentication) collectors that specifically aim to collect data that will enable attackers to bypass the two-factor authentication used in many countries are undoubtedly a threat to be reckoned with.

From a CISO’s perspective, what happens if a device becomes infected?

888.apk is definitely not the easiest threat to deal with:

  • The malware hides the fact that it’s even running, and uses APK Protect, a service that prevents reverse engineering of apps, as a form of obfuscation.
  • The malware is signed with a debug certificate, which will hinder its identification with most security solutions.
  • 888.apk also dynamically requests administrator access to the device. This makes the threat both harder to remove and much more complicated to detect by anti-virus solutions that rely on static analysis.

Are Lacoon customers protected?

Yes. If this mRAT attempts to infect a device protected by Lacoon Mobile Security, Lacoon will be able to identify its activity and alert the victim and the organization.