On December 1, 2015, the Association of Banks in Singapore (ABS) published a warning about a Trojan designed to steal financial information from mobile device users. Check Point researchers retrieved samples of this malware and conducted an in-depth analysis.
This banking malware is actually a tweaked version of an existing financial infostealer called "GMBot" (SHA256: 9776d10a6aa8155d90eeef81c42e8459f53a39fb7497dd2d7fd4b6fe1a563a1b) and has already infected at least 50 mobile devices in Singapore. The malware is downloaded onto devices by luring users with a popup containing a disguised, fake URL that urges them to install a supposedly required Android system update. Once installed, it requests device administrator privileges (binding to the device administration service) so that it cannot easily be uninstalled, then hides itself from the user and waits for commands, which arrive as SMS messages from a C&C server.
The malware uses popup windows masquerading as login windows for financial apps such as the Singaporean bank POSB, or for other apps such as WhatsApp, and tries to trick victims into entering sensitive data such as phone numbers, mobile banking user IDs, PINs, and credit card details. Data the malicious app collects is sent to servers in Poland and Romania. Interestingly, before starting its malicious activity the app first checks that the device locale is not Russian ("ru") and only proceeds if it is not.
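The three traits described above (a device-administrator receiver to resist removal, an SMS receiver for C&C, and the overlay permission needed to draw fake login windows over banking apps) are all visible in an APK's decoded manifest, which makes them a cheap first-pass triage signal. The following is an added example of such a heuristic, not Check Point's tooling and not derived from the GMBot sample itself; the manifest it scans is constructed for illustration (the package and class names are made up), and in practice the input would be the AndroidManifest.xml produced by decoding a suspicious APK.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for banker traits.

Added example (not Check Point's code). Flags the combination of:
  - SYSTEM_ALERT_WINDOW (overlay windows for fake login prompts)
  - SMS permissions plus a high-priority SMS_RECEIVED receiver (SMS C&C)
  - a receiver protected by BIND_DEVICE_ADMIN (device-admin persistence)
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest for the example; NOT the real GMBot manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the indicators found, the SMS receiver priority (None if no
    SMS receiver), a simple score and a suspicious verdict (score >= 3)."""
    root = ET.fromstring(xml_text)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}

    device_admin = False
    sms_priority = None
    for rcv in root.iter("receiver"):
        # Device-admin receivers must be guarded by BIND_DEVICE_ADMIN.
        if _a(rcv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True
        for flt in rcv.iter("intent-filter"):
            actions = {_a(act, "name") for act in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                # A high priority lets the app see SMS before the default
                # messaging app, which is how SMS-driven C&C stays hidden.
                prio = _a(flt, "priority")
                sms_priority = int(prio) if prio is not None else 0

    indicators = {
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "sms_permissions": bool(perms & {"android.permission.RECEIVE_SMS",
                                         "android.permission.SEND_SMS"}),
        "device_admin_receiver": device_admin,
        "sms_receiver": sms_priority is not None,
    }
    score = sum(indicators.values())
    return {
        "indicators": indicators,
        "sms_priority": sms_priority,
        "score": score,
        "suspicious": score >= 3,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for name, hit in result["indicators"].items():
        print("%-22s %s" % (name, "HIT" if hit else "-"))
    print("score=%d suspicious=%s" % (result["score"], result["suspicious"]))
```

Any one of these traits on its own is legitimate (SMS apps, MDM clients and screen-overlay utilities all need them); the signal is the combination, which is why the verdict requires three of the four. Runtime behaviour such as hiding the launcher icon or the Russian-locale check is not visible in the manifest and needs dynamic analysis.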
The main difference between the new malware and the original GMBot is a function triggered by an SMS command that starts info-stealing activities against the following targets:
- AU_Commbank
- AU_NAB
- AU_Westpac
- AU_Stgeorge
- NZ_Westpac
- NZ_BNZ
- NZ_ANZ
- AU_Gomoney
- Paypal
- CreditDetails
- AT_DK
- AT_DKB
- ATRGB
- AT_BankAustria
- SG_DBS
- SG_POSB
- SG_OCBC
Check Point Mobile Threat Prevention customers are fully protected against this new infostealer as well as similar financial malware attacks in the wild. Check Point recommends that users download and install applications only from official sources such as the Apple App Store or Google Play. Users should also treat unexpected popups from websites that ask for sensitive personal or financial information with suspicion and close them rather than comply; a genuine Android system update is never delivered through a browser popup.
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.