Just as security experts predicted, the source code of a potent Android banking trojan that was leaked online in mid-December 2016 is now being seen in live attacks on a regular basis.
At the time of writing, security researchers have observed three different campaigns that involved this trojan, which an unhappy customer leaked online on a Russian-speaking underground hacking forum on December 19, last year.
With the source code available to anyone, it took crooks around a month to craft their own version of this Android banking trojan and start distributing it online via malicious applications hosted on third-party app stores.
Three campaigns already detected
Dr.Web security researchers spotted the first campaign around mid-January 2017, roughly a month after the leak, and they say the crooks targeted only the customers of several Russian banks.
A second and third campaign came to light over the past two weeks, after ESET researchers came across two separate apps on the official Google Play Store.
Both the second and third campaigns shared the same modus operandi, leading ESET researchers to believe they might be the work of the same group.
Crooks sneaked two infected apps inside Google's Play Store
For each of these latter campaigns, crooks took a legitimate Android weather app, embedded the banking trojan in its code, repackaged the app, and successfully uploaded it to the Play Store, passing Google's Bouncer security scanner.
According to ESET researchers, who discovered and reported the apps to Google's reviewers, the names of these two applications were Good Weather (cloned after the eponymous app) and Weather (cloned after the World Weather app).
For the second campaign, distributing the Good Weather malicious clone, attackers configured the banking trojan to show fake login pages for the apps of 22 Turkish banks.
Third campaign was the most sophisticated
The third campaign was a little more sophisticated and broad-reaching, as it was configured to target the mobile apps of 69 banks from the UK, Austria, Germany, and Turkey.
Furthermore, for the third campaign, the banking trojan was also configured to show unsolicited notifications that lured users into opening their mobile banking apps, at which point the fake login screen was shown instead of the real one.
Detected by Dr.Web as Android.BankBot and by ESET as Trojan.Android/Spy.Banker, this Android banking trojan is a very advanced threat.
The malware's capabilities go beyond overlaying fake logins on top of legitimate apps: it can also lock the user's device in a ransomware-like fashion, and intercept SMS messages, which lets it bypass SMS-based two-step verification.
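The repackaging described above (a benign weather app with a banker bolted on) leaves traces in the APK's AndroidManifest.xml: a weather app has no reason to request overlay, SMS or device-admin capabilities. The following triage script is an added example, not code from Dr.Web, ESET or the article; it diffs a suspected clone's manifest against the legitimate app's and maps the declared permissions and receivers onto the capabilities BankBot is described with. The permission and action strings are the real Android identifiers; the two manifests and the package name are constructed stand-ins.

```python
"""Added triage example (not code from Dr.Web, ESET or the article):
compare a clone's AndroidManifest.xml against the legitimate app it was
repackaged from and flag banker-style capabilities. Permission and action
names are the real Android identifiers; the two manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
TASK_PERMISSIONS = {
    "android.permission.GET_TASKS",
    "android.permission.PACKAGE_USAGE_STATS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed stand-in for a benign weather app's manifest.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed stand-in for the same app after a banker has been bolted on.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (declared permissions, actions handled by broadcast receivers)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NAME)
               for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions


def assess(perms, actions):
    """Map permissions/receivers to the capabilities the article attributes to BankBot."""
    flags = []
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        flags.append("overlay")            # fake login drawn over the real app
    if perms & SMS_PERMISSIONS or SMS_RECEIVED in actions:
        flags.append("sms-intercept")      # grabs SMS one-time codes
    if DEVICE_ADMIN_ENABLED in actions:
        flags.append("device-admin")       # lock the device / resist uninstall
    if perms & TASK_PERMISSIONS:
        flags.append("foreground-app-tracking")  # knows which bank app is open
    return flags


def triage(original_xml, clone_xml):
    """Diff a suspected repackage against its legitimate base and score it."""
    orig_perms, _ = parse_manifest(original_xml)
    clone_perms, clone_actions = parse_manifest(clone_xml)
    flags = assess(clone_perms, clone_actions)
    # Overlay plus a way to read codes or track the foreground app is the
    # banker signature; either capability alone is common in legitimate apps.
    suspicious = "overlay" in flags and (
        "sms-intercept" in flags or "foreground-app-tracking" in flags)
    return {
        "added_permissions": sorted(clone_perms - orig_perms),
        "flags": flags,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    print(triage(ORIGINAL_MANIFEST, CLONE_MANIFEST))
```

On a real sample you would feed it the manifest decoded from the APK (for example with apktool or aapt) rather than the inline strings; the verdict threshold deliberately requires the overlay permission in combination with SMS access or foreground-app tracking, because overlay alone is requested by plenty of legitimate apps.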
C&C control panel source code leaked as well
Additionally, the banking trojan's leaked source code also included the C&C server's control panel, which any crook needs in order to control the malware after infecting victims.
According to ESET researcher Lukas Stefanko, the malware's backend featured a different version number for each of the first three campaigns, starting with version 1.0, and going through 1.1 and 1.2.
It is unknown if the same group is behind all three BankBot campaigns, but it's generally a sign of more trouble to come when crooks find a way to bypass Google's security scans and sneak malware in the Play Store.
The good news is that ESET intervened in time during the last two BankBot campaigns, shut down the crooks' C&C server, and had Google take down the apps, each of which had been installed on fewer than 5,000 devices.
As we've seen in past years, whenever a malware family's source code is leaked or intentionally open-sourced, other crooks quickly jump on the opportunity to build their own malware on someone else's work.
This has happened with the Zeus banking trojan, the GM Bot Android banking trojan, the EDA2 and Hidden Tear ransomware building kits, and is now happening with BankBot.