One of the most dangerous threats targeting mobile users is the banking malware. These malicious pieces of code are designed to steal financial information and transfer funds to their own accounts. Over the years, perpetrators successfully managed to overcome all obstacles set before them, such as the 2-Factor-Authentication security mechanism and defenses set in different Android versions.
Surprisingly enough, mobile banking malware require relatively little technical knowledge to develop, and even less to operate. All the malware does is search for a banking app on the infected device and pop-up a fake overlay page once the user opens it. The user enters his credentials, which are sent directly to the attacker’s server. To operate a thriving banker campaign, a hacker needs nothing more than a couple of persuasive overlay pages, a server, and an infection method. For this reason, many mobile bankers, such as Marcher, are operated in a malware-as-a-service business model, or even, as we’ll discuss in this post, as open source projects.
In the past months, we witnessed three major developments in mobile banking malware, and decided to launch a joint research together with ElevenPaths, Telefónica Cyber Security Unit, and its Tacyt mobile cyber-intelligence tool. First, bankers managed to infiltrate Google Play, Google’s official app store, and use it to reach a wide spread. Second, many separate banker campaigns sprung after an open source malware was published in a malware developer forum, and third, we discovered new capabilities used by this line of malware and unraveled their operation.
Entering the big scene
In the past, banker malware spread mainly via third party app stores and phishing attempts. While it’s much easier for attackers to target users using these infection methods, the scope of such a campaign is limited, and usually relies on tricking users at some point of the process. Entering Google Play allows for a significant expansion of the attack, but requires bypassing Google’s defenses.
In what was once a highly unusual event, several banking malware broke through into Google Play by obfuscating the malicious parts of their code. The first one, reported by ESET, is a new version of Charger, a malware first discovered by Check Point researchers in January while operating as a ransomware. Using ElevenPaths’ Tacyt, we confirmed ESET’s suspicion that the two apps are related. Like the previous version, the hackers managed to upload highly malicious code into Google Play undetected. The new version of Charger pops-up fake screens mimicking banking apps after the user attempts to launch them. ESET also connected the new activity to a malware they found on Google Play in February, called ‘Good Weather’, which belongs to the BankBot family. Based on advanced code comparison, we believe the developers of Charger added the BankBot code into their existing malware to achieve better results.
Additional BankBot malware infiltrated Google Play, as reported by Securify. Like Charger, the app used heavy obfuscation to evade detection. The malware checks for a list of banks from Spain, UK, France, Italy, and more, and uses a downloaded HTML code to overlay the apps with fake screens after they’re launched. Thanks to ElevenPaths’ Tacyt, we correlated different samples of the malware and found certificates that can be traced to several people. These are not necessarily the developers, since a certificate can be stolen or misused. We believe that the names were taken from a directory of companies in the UK, which suggest the real developer resides there as well.
Figure 1: One of the certificates used by the malware.
Where is all this banking malware coming from?
Aside of the examples mentioned above, another Turkish banker infiltrated Google Play, and outside the official Play store more BankBot campaigns are raging. The root cause for the sudden rise of mobile bankers is the following post, published in a malware developer forum called exploit.in on 19/12/2016:
Figure 2: BankBot post by Maza-in in the malware developer forum.
In the post, a user named Maza-in, a known malware creator and exploiter, who has a thread on that forum, describing how to create and setup a banker malware. The thread also contains source code of Android applications and of the necessary backend (PHP and database). This enables inexperienced malware developers to create not only a Command & Control system for Android, but a fully operational banking Trojan. All they have left to do is create a fake overlay page of the targeted bank and establish a Command & Control server. As we’ve seen, many hackers launched their own BankBot campaigns, as described here. The more advanced developers went even further, by uploading the malicious code to Google Play using obfuscation.
Trying to discover more information about the banking wave, we followed Maza-in on malware-related forums. We traced a conversation which took place on a platform called ripper.cc, which allows users to report scams in underground internet markets. Maza-in published a scam report after a user called email@example.com was reselling the bot he had developed.
We found the following conversation on that webpage:
Figure 3: Maza-in conversation on ripper.cc
When requested to prove his capabilities, Maza-in refers to a link which reports about MazarBot, a popular Android bot from 2015 Check Point previously reported, and affiliated with the large GMbot malware family. Maza-in explains that the URL talks about his own “bot grabber”, suggesting he is also the creator of the MazarBot, which seems unlikely since he repeatedly asked for help with basic Android functions.
Figure 4: connections between mobile banker malware
Delving into BankBot’s inner workings
We delved even deeper into the BankBot (full technical analysis can be found here & here), and inspected several Command & Control servers operating this malware (a review of a number of additional C&Cs can be found here). The servers can be divided into three main categories:
- “Script kiddies”: attackers who simply copied the code without any modification. On the main page of the server they display a list of infected devices.
- Advanced hackers: attackers who added simple authorization to the server, but don’t perform session checking. The list of infected devices can be accessed by a direct path URL.
- Possible author of the malware. A server that uses authorization with session control, and doesn’t provide simple access to the list of infected devices.
Similar to our research on the Marcher banker, we were able to access several of the Command & Control servers and take a look on what’s going on inside. The specific servers we researched target 33 banking apps from France, Germany, Russia and Turkey. The victim list at the time of inspection reached over 600 infected users. While the server registers 83% of the devices as rooted, it only means the malware has admin permissions on the device, and not root access.
Bypassing all defenses
The malware attack all Android OS versions, circumventing past the protections introduced to counter banker malware in Marshmallow (6) and Nougat (7).
Figure 5: Victims by OS version
In addition, the malware’s server contains SMS messages received by infected devices. By intercepting these messages, the malware renders the 2-Factor-Authentication useless. Since many banks and credit card companies check the location in which a transaction occurred to verify its legitimacy, the hackers store the location of the infected devices, enabling them to fraud the banks later on. Both tactics are available only for a mobile malware and not for a PC malware, since they rely on data which exist only on the mobile device itself. This provides an explanation for the continuing thrive of mobile bankers, alongside the decline of their PC cousins. The protections developed to counter the original PC malware are useless against the mobile banker malware.
The newest innovation found in the malware’s server is Anti-Virus detection. The malware checks if an AV is installed by searching for specific package names of 13 different AVs. If one of the target packages is installed, the malware registers it on its server, allowing it to choose not to launch any activity to avoid detection. We discovered the malware was installed on devices supposedly protected by several of these AVs without being detected, raising questions about their effectiveness. The AVs which the malware managed to evade are some of the most popular free protections, including Kaspersky, CM security, Clean Master, Dr. Web, 360 Security, AVG, and Virus Cleaner by NQ Security Lab.
Mobile bankers are on the rise, managing to bypass the defenses created by the Android OS, banks, Google Play, and now even by common AVs. This is an interesting example of how malicious code is open sourced and reused by different malware developers. Malicious code is shared not only between illegal hackers, but often copied by state actors, as we’ve seen in the latest Vault 7 leak. The same is true in the opposite direction, as hackers copy advanced technologies introduced first by state actors.
To stay safe, users should implement advanced protections capable of dynamic analysis, which will detect and block the malicious action regardless how obfuscated the code is. These protections go even further and use the anti-AV activity itself to identify and blacklist malware.
Charger SHA1 hashes:
BankBot SHA1 hashes:
4527cef5b111332076d675ded08a9bcde58e883a ea99d5b4c238e9de6cb9de289b684c86b0e0a52a 7c3ecc9b188903e4dc222af743afac3e1c0ab8a0
Maza-in Jabber account
Maza-in membership in underground developer forums: https://hpc.name/member.php?u=247302
List of targeted banking apps:
List of AVs detected by the malware:
Spanish banks targeted by BankBot: