Tag: android

GMBot: new ways of phishing data from mobile web browsers

Date of publication: 16/05/2016, Malgorzata Debska

GMBot (also known as slempo) was described on our blog on October 2015. This malicious application for phishing login and password associated with a specific user of electronic banking uses known and common techniques of application overlay. It is nothing else but a normal phishing attack, very similar to the webinject-based malware known from Windows OS. As we expected earlier, using application overlay has become quite popular in android malicious applications. In the last six months, a few new versions of GMBot (and similar applications) were developed. In each case the overlay only involved the applications installed on the phone (banking applications, messaging, e-mail). Last week, our lab received a sample, which is also trying to overlay mobile web browser in order to steal the authentication credentials.

Read more

Malicious iBanking application with new uninstall countermeasures

Date of publication: 16/03/2016, Malgorzata Debska

Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript code snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn’t new, it has been used many times in the past, but recently we see an increase in attacks on Polish users of electronic banking using this method. In comparison to previous, similar programs, the analyzed application has proven much more difficult to remove and it’s code was much better obfuscated.

Read more

The Postal Group

Date of publication: 14/10/2015, Łukasz Siewierski

During SECURE conference we have presented our findings about criminal group, which we called “Postal Group” (“Grupa pocztowa”) based on theris modus operandi. Detailed research regarding the group have been gathered in the form of report available under the link below.Read more

GMBot: Android poor man’s “webinjects”

Date of publication: 02/10/2015, Łukasz Siewierski

maldroidRecently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need Windows counterpart) and uses application overlay as a poor man’s webinjects substitute. This malware uses known and common techniques, but implements them in a way similar to the webinject-based malware known from Windows OS. This bot’s old source code, written in Java, was also available on a Google-indexed Russian file sharing website. While we want to stress out that GMBot does not do Android webinjects, it is hard not to draw a parallel between webinjects infrastructure and what GMbot does. Is this a glimpse in the future of mobile banking trojans?
Read more

iBanking is back in Poland

Date of publication: 16/01/2015, CERT Polska


iBanking malware was already described on our blog in connection with the attacks targeting Polish e-banking users at the end of 2013. This malware posed as a mobile antivirus application, while in reality it was use to steal one time passwords that were sent via text message. The attack scenario is very similar to the ones observed in the past, seen not only in Poland, but also in other countries. However, this time attackers also used QR codes, which are supposed to be more convenient for users then sending the app URL over the SMS.

Read more

Android RAT malware spreading via torrents

Date of publication: 11/08/2014, CERT Polska

maldroidIn the last few days we observed a number of new attacks targeting the Polish Android users. Many Polish and foreign blogs reported the phishing e-mails using Kaspersky brand to convience user to install an apk file. Below some details of this attack, including the malware analysis, are provided. Thanks to the cooperation of different actors, C&C server was taken down very quickly. Malware moved to the new C&C and changed its infection vectors. Below we also describe the new (though some may call it vintage) infection vector utilizing the BitTorrent network. We are sure that all of these attacks are performed by the same person or a group that created the VBKlip in the .NET version.
Read more

OTP stealer Android app masquerading as mobile antivirus targets Polish users

Date of publication: 17/12/2013, CERT Polska


The E-Security mobile malware appeared at the beginning of this year. This malware was targeting Polish online banking users, with the goal of stealing One Time Passwords (OTPs) used to confirm banking transactions. The attack was part of a bigger scheme. When the user computer was infected, it displayed an installation message when a user tried to log in to online banking website. This message instructed the user to install a mobile “certificate” app called “E-Security”. Recently this E-Security app was switched to a new one – more powerful and more dangerous, but essentially made for the same purpose – to steal OTPs sent via text messages to unknowing users.
Read more

What’s new, security-wise, in Android KitKat?

Date of publication: 08/11/2013, Łukasz Siewierski

malware-iconOn the 31st of October Google released a new version of the Android Operating System – 4.4 called KitKat. This version introduces a number of new features, including a handful of security improvements. It also introduces a new approach to SMS and MMS handling, which breaks the compatibility of some Android malware and makes it easier for users to spot a malware infection. This security improvement comes as a side effect to the new system-wide approach to messaging applications.
Read more

Evolution of an Android malware: the story of a friend of ZitMo

Date of publication: 12/06/2013, CERT Polska


Recently we blogged about a new threat to Polish e-banking users called “E-Security”. When a user, whose machine was infected, tried to access her internet banking site she was greeted with a message that instructed her to install “E-Security Certificate” application on her Android phone. This “certificate” was nothing more than a malware capable of forwarding short messages to the attacker. As the attacker had a login, password to the banking transaction system (this is because initially the user machine had to be infected) and could access the SMS one time password it was easily possibly for the attacker to initialize an unauthorized wire transfer from the victim’s account.

We then speculated about the other possible C&C communication channel. Instead of sending short messages via SMS, the malware could send all the messages using the HTTP protocol to a C&C server. This article presents a history of this malware that we were able to recover based on 10 different samples that claimed were four different versions. All of the samples were created for the Android platform.

Read more

5 sposobów aby Twój smartfon z Androidem był bardziej bezpieczny

Date of publication: 17/05/2013, Łukasz Siewierski

W dzisiejszych czasach, kiedy większość rynku telefonów komórkowych przejmują smartfony, warto pomyśleć o bezpieczeństwie. Traktuj swój smartfon z Androidem jak przenośny komputer. Oznacza to stosowanie tych samych zasad, które stosujesz w codziennym używaniu komputera i urządzeń przenośnych. Oto 5 prostych wskazówek, które pomogą Ci sprawić, że Twój telefon jest bezpieczny.

Read more