The Android Trojan: A Threat to Mobile Banking Security


Mobile banking has become an increasingly popular way for users to complete transactions on the go. According to KPMG, the number of mobile banking users is expected to grow to 180 million in 2019. However, as the amount of money moving through mobile banking grows, attackers are finding creative ways to steal it. Recently, the Association of Banks in Singapore (ABS) announced that the number of mobile banking malware infections on Android devices has increased substantially.

A Deep Dive into the Android Trojan

We conducted an in-depth study of this emerging threat: malware that targets mobile banking apps on Android devices. Our analysis revealed that the malware is distributed either as a standalone app or as a download from a malicious website when users log in. The sample poses as Adobe Flash Player, which is not surprising given the numerous vulnerabilities discovered in that software this year.

Malware Installation and Permissions

The malware requests more permissions than ordinary applications, including the ability to activate device administrator, the highest level of authority on an Android device, which makes the device easy for the malware to manipulate. Device administrator rights let the malicious software prevent users from stopping or uninstalling the app, making it difficult to remove.

Malicious Code and Configuration Data

The malware retrieves and decodes its configuration file, which is Base64 encoded and uses the "!" symbol as the field delimiter when parsing. The configuration data includes the C & C server, target applications, bank list, and C & C commands. The malware reads the specific fields it needs from the resulting array using hard-coded integer indices.
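The decoding scheme described above is simple enough to reproduce for triage: an analyst who has pulled the Base64 blob out of a sample can decode it, split on "!" and pull out the C & C server, target list and command fields as indicators of compromise. The following Python is an added example written for this article, not code from the malware or from the original analysis; the field positions (FIELD_C2_SERVER and friends) and the configuration string are constructed placeholders, since the real sample's index values and servers come only from the decompiled code and are not given here.

```python
import base64
import binascii
from typing import Dict, List

# Field positions inside the "!"-separated configuration array. These values are
# an ASSUMPTION for this example; a real sample hard-codes its own integers,
# which an analyst recovers from the decompiled code.
FIELD_C2_SERVER = 0
FIELD_TARGET_APPS = 1
FIELD_BANK_LIST = 2
FIELD_C2_COMMAND = 3

# Constructed sample configuration: a plain "!"-delimited string that is then
# Base64-encoded, matching the layout described in the article. All values are
# placeholders, not real indicators.
_PLAIN_CONFIG = (
    "http://c2.example.invalid/gate.php!"
    "com.example.bank1,com.example.bank2!"
    "BankOne,BankTwo!"
    "sleep"
)
SAMPLE_CONFIG_B64 = base64.b64encode(_PLAIN_CONFIG.encode("utf-8")).decode("ascii")


def decode_config(blob_b64: str) -> List[str]:
    """Base64-decode the configuration blob and split it on the '!' delimiter.

    Raises ValueError on input that is not valid Base64, so a corrupted or
    mis-extracted blob is reported rather than silently producing garbage.
    """
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"configuration blob is not valid Base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace").split("!")


def extract_iocs(blob_b64: str) -> Dict[str, object]:
    """Pull the indicator fields out of the decoded array by fixed index.

    Missing trailing fields (a truncated configuration) yield empty values
    instead of an IndexError, mirroring how a careful analyst tool should
    degrade on partial data.
    """
    fields = decode_config(blob_b64)

    def field(index: int) -> str:
        return fields[index] if index < len(fields) else ""

    return {
        "c2_server": field(FIELD_C2_SERVER),
        "target_apps": [a for a in field(FIELD_TARGET_APPS).split(",") if a],
        "bank_list": [b for b in field(FIELD_BANK_LIST).split(",") if b],
        "c2_command": field(FIELD_C2_COMMAND),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_CONFIG_B64).items():
        print(f"{key}: {value}")
```

The decoded C & C host and target package names are exactly the values a defender would feed into network blocklists and mobile threat-detection rules, which is why the function returns them as structured data rather than printing them.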

Banking and Payment Services Targeted

Our sample of the malware targets mobile banking and payment services, including DBS, OCBC, UOB, and others. The malware creates a fake bank window to steal users' login credentials as well as credit card numbers, billing addresses, and PINs.

Phishing Tactics

The malware uses phishing tactics to steal users' login credentials. When the victim opens a legitimate banking or payment app, the malware opens a forged bank window superimposed on the original one. The fake window does not respond to user interactions, making it difficult to discover.

Intercepting One-Time Password (OTP)

Banks often send a one-time password (OTP) by text message as an additional login credential. The malware intercepts this OTP by registering as an SMS broadcast receiver on the Android device. It can easily hijack all received SMS messages and forward their content to the attacker's C & C server.

Persistence Mechanism

We also analyzed the persistence mechanism used by the malware. The malware relies on the android.intent.action.BOOT_COMPLETED and android.intent.action.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE broadcasts to restart itself. Analysis of the decompiled source code revealed that the malware deliberately avoids Russian users, indicating that the malicious code may originate from Russia.
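The behaviours described in the preceding sections (device administrator activation, the SMS broadcast receiver that captures OTPs, and the boot-time and external-storage broadcast receivers used for persistence) are all declared in an APK's AndroidManifest.xml, so a static triage pass over the manifest can flag a sample before any dynamic analysis. The script below is an added example for this article, not tooling from the original analysis. It uses the standard Android constant strings for the receiver actions and permissions (note that the article writes the external-applications broadcast by its Java constant name; the string value registered in a manifest is android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE). The SYSTEM_ALERT_WINDOW check is an assumption about how overlay windows are usually drawn and is not stated by the article; the manifest is a constructed sample, not one taken from the malware.

```python
import xml.etree.ElementTree as ET
from typing import List

# The android: XML namespace used for manifest attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions worth flagging for a banking-trojan triage. SYSTEM_ALERT_WINDOW is
# an ASSUMPTION about overlay behaviour, not something the article states.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can receive incoming SMS (OTP interception)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay, assumed)",
}

# Broadcast actions a receiver may register for, mapped to why they matter.
SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS broadcast receiver",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device administrator receiver",
    "android.intent.action.BOOT_COMPLETED": "persistence at boot",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE": "persistence when external storage is mounted",
}

# Constructed manifest modelled on the behaviours the article describes.
CONSTRUCTED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Adobe Flash Player">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest used to show the scanner stays quiet on ordinary apps.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> List[str]:
    """Return human-readable findings for each suspicious declaration found."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    for perm in root.iter("uses-permission"):
        name = perm.get(A_NAME, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"permission {name}: {SUSPICIOUS_PERMISSIONS[name]}")

    for receiver in root.iter("receiver"):
        rname = receiver.get(A_NAME, "?")
        # A receiver guarded by BIND_DEVICE_ADMIN is the device-admin hook.
        if receiver.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"receiver {rname}: bound as device administrator")
        for action in receiver.iter("action"):
            aname = action.get(A_NAME, "")
            if aname in SUSPICIOUS_ACTIONS:
                findings.append(f"receiver {rname}: {aname} ({SUSPICIOUS_ACTIONS[aname]})")
    return findings


def risk_score(xml_text: str) -> int:
    """Simple score: one point per finding; three or more warrants a closer look."""
    return len(triage_manifest(xml_text))


if __name__ == "__main__":
    for line in triage_manifest(CONSTRUCTED_MANIFEST):
        print(line)
    print("score:", risk_score(CONSTRUCTED_MANIFEST))
```

The manifest inside a real APK is binary-encoded; run it through a decoder such as apktool or aapt first, then pass the resulting XML text to triage_manifest. A high-priority SMS_RECEIVED receiver alongside a device-admin receiver and a BOOT_COMPLETED receiver is the combination this family uses, and it is rare in legitimate apps.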

Removing the Malware

To remove the malware, users should boot their phone or tablet into safe mode, open the Settings menu, and deactivate the malware app "Adobe Flash Player" as a device administrator. Users should then restart the phone in normal mode and uninstall the malware app.

Indicators of Malware

Users can use a file manager or the Android SDK tool adb to browse external storage such as the SD card and view hidden files. Users can also check the device administrator list for unknown applications, or for apps that do not appear in the regular app list.

Protecting Your Privacy and Money

To protect their privacy and money, users should check for updates periodically, apply system updates promptly, and avoid rooting the device or using root privileges. Users should also install security software to help protect online transactions and the personal data on their devices.

Related MD5 Hash

The related MD5 hashes are:

  • 76745ce873b151cfd7260e182cbfd404
  • 702770d70c7aab793ffd6a107fd08dad
  • eeab2f9137c59efdfae5db2b2b93f178
  • d08b2f4d851b2505f4aed31ecfa53c2e
  • a7e28a9efc8a6acb02d65829a6d773c2

C & C Server List

The C & C server list is:

Conclusion

The Android Trojan is a threat to mobile banking security, and users should be vigilant when downloading and updating applications. Users should also install security software to help protect online transactions and the personal data on their devices.