Tag: android

Analysis of a Polish BankBot

Date of publication: 16/01/2018, Agnieszka Bielec

    Recently we have observed campaigns of banking malware for the Android system targeting Polish users. The malware is a variant of the popular BankBot family, but differs from the main BankBot samples. Its victims were infected by installing a malicious application from the Google Play Store. We are aware of at least three applications that were smuggled into the Google Play Store and bypassed its antivirus protection:

    • Crypto Monitor
    • StorySaver
    • Cryptocurrencies Market Prices

    The last one is an older version, which was uploaded to VirusTotal on 13.10.2017.

    According to ESET’s analysis, “Crypto Monitor” and “StorySaver” reached between 1,000 and 5,000 downloads. In each case, the malware pretended to be a benign, useful application.

    Read more

    GMBot: new ways of phishing data from mobile web browsers

    Date of publication: 16/05/2016, Malgorzata Debska

    GMBot (also known as slempo) was described on our blog in October 2015. This malicious application, which phishes the login and password of a specific electronic banking user, uses the well-known and common technique of application overlay. It is nothing other than an ordinary phishing attack, very similar to the webinject-based malware known from Windows. As we expected, application overlay has become quite popular in Android malicious applications. In the last six months, a few new versions of GMBot (and similar applications) were developed. In each case the overlay only targeted applications installed on the phone (banking applications, messaging, e-mail). Last week, our lab received a sample which also tries to overlay the mobile web browser in order to steal authentication credentials.

    Read more

    Malicious iBanking application with new uninstall countermeasures

    Date of publication: 16/03/2016, Malgorzata Debska

    Our CERT laboratory recently received a sample of iBanking malware (along with a malicious JavaScript code snippet associated with it), posing as the mobile Trusteer Rapport antimalware solution. The attack scenario isn’t new and has been used many times in the past, but recently we have seen an increase in attacks on Polish electronic banking users using this method. Compared with previous, similar programs, the analyzed application has proven much more difficult to remove and its code was much better obfuscated.

    Read more

    The Postal Group

    Date of publication: 14/10/2015, Łukasz Siewierski

    During the SECURE conference we presented our findings about a criminal group, which we called the “Postal Group” (“Grupa pocztowa”) based on their modus operandi. Detailed research regarding the group has been gathered in the form of a report available at the link below.

    Read more

    GMBot: Android poor man’s “webinjects”

    Date of publication: 02/10/2015, Łukasz Siewierski

    Recently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need a Windows counterpart) and uses application overlay as a poor man’s substitute for webinjects. This malware uses known and common techniques, but implements them in a way similar to the webinject-based malware known from Windows. An old version of this bot’s source code, written in Java, was also available on a Google-indexed Russian file sharing website. While we want to stress that GMBot does not do Android webinjects, it is hard not to draw a parallel between the webinjects infrastructure and what GMBot does. Is this a glimpse into the future of mobile banking trojans?
    Read more

    iBanking is back in Poland

    Date of publication: 16/01/2015, CERT Polska


    iBanking malware was already described on our blog in connection with the attacks targeting Polish e-banking users at the end of 2013. This malware posed as a mobile antivirus application, while in reality it was used to steal one-time passwords sent via text message. The attack scenario is very similar to the ones observed in the past, not only in Poland but also in other countries. However, this time the attackers also used QR codes, which are supposed to be more convenient for users than sending the app URL over SMS.

    Read more

    Android RAT malware spreading via torrents

    Date of publication: 11/08/2014, CERT Polska

    In the last few days we observed a number of new attacks targeting Polish Android users. Many Polish and foreign blogs reported phishing e-mails that used the Kaspersky brand to convince users to install an APK file. Below we provide some details of this attack, including the malware analysis. Thanks to the cooperation of different actors, the C&C server was taken down very quickly. The malware then moved to a new C&C and changed its infection vectors. Below we also describe the new (though some may call it vintage) infection vector utilizing the BitTorrent network. We are sure that all of these attacks are performed by the same person or group that created the .NET version of VBKlip.
    Read more

    OTP stealer Android app masquerading as mobile antivirus targets Polish users

    Date of publication: 17/12/2013, CERT Polska


    The E-Security mobile malware appeared at the beginning of this year. It targeted Polish online banking users, with the goal of stealing the One Time Passwords (OTPs) used to confirm banking transactions. The attack was part of a bigger scheme: when the user’s computer was infected, it displayed an installation message when the user tried to log in to the online banking website. This message instructed the user to install a mobile “certificate” app called “E-Security”. Recently this E-Security app was replaced with a new one – more powerful and more dangerous, but made for essentially the same purpose – to steal OTPs sent via text message to unwitting users.
    Read more

    What’s new, security-wise, in Android KitKat?

    Date of publication: 08/11/2013, Łukasz Siewierski

    On the 31st of October Google released a new version of the Android operating system, 4.4, called KitKat. This version introduces a number of new features, including a handful of security improvements. It also introduces a new approach to SMS and MMS handling, which breaks the compatibility of some Android malware and makes it easier for users to spot a malware infection. This security improvement comes as a side effect of the new system-wide approach to messaging applications.
    Read more

    Evolution of an Android malware: the story of a friend of ZitMo

    Date of publication: 12/06/2013, CERT Polska


    Recently we blogged about a new threat to Polish e-banking users called “E-Security”. When a user whose machine was infected tried to access her internet banking site, she was greeted with a message instructing her to install the “E-Security Certificate” application on her Android phone. This “certificate” was nothing more than malware capable of forwarding short messages to the attacker. As the attacker had the login and password to the banking transaction system (because the user’s machine had been infected first) and could also read the SMS one-time password, it was easy for the attacker to initiate an unauthorized wire transfer from the victim’s account.

    We then speculated about another possible C&C communication channel: instead of forwarding short messages via SMS, the malware could send all of them over HTTP to a C&C server. This article presents the history of this malware, reconstructed from 10 different samples that claimed to be four different versions. All of the samples were created for the Android platform.

    Read more
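The entries above describe two recurring Android banking-malware primitives: a receiver that intercepts and forwards SMS one-time passwords (E-Security and its successors, iBanking) and an overlay drawn over other applications (GMBot), plus the KitKat change under which only the default SMS app receives SMS_DELIVER and a third-party receiver can no longer suppress an incoming text. The following is an added example, not code from CERT Polska or from any of the posts: a manifest triage script that flags those indicators in an APK's decoded AndroidManifest.xml. The heuristics, the sample manifest, its package name and its receiver class are constructed for illustration and are not taken from a real sample.

```python
"""Static triage of an AndroidManifest.xml for SMS-interception and overlay
indicators.  Added example; heuristics are assumptions, not a published rule.

  * RECEIVE_SMS plus a BroadcastReceiver for SMS_RECEIVED at maximum priority
    is the classic OTP-forwarder layout: before Android 4.4 such a receiver
    could abort the broadcast and hide the one-time password from the inbox.
    Since KitKat only the default SMS app receives SMS_DELIVER, so a receiver
    without it can still read the text but no longer suppress it.
  * SEND_SMS or INTERNET alongside it gives the sample an exfiltration path
    (forwarding by SMS, or HTTP to a C&C).
  * SYSTEM_ALERT_WINDOW lets an app draw over other apps, the primitive
    behind overlay phishing.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE, what such receivers usually declare


def _android_attr(el, name):
    """Read an android:-namespaced attribute such as android:name."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _parse_priority(value):
    """android:priority is normally an int literal; a resource ref is kept as-is."""
    if value is None:
        return 0
    try:
        return int(value)
    except ValueError:
        return value


def _receiver_actions(receiver):
    """Yield (action, priority) for every intent-filter action of a receiver."""
    for flt in receiver.iter("intent-filter"):
        prio = _parse_priority(_android_attr(flt, "priority"))
        for action in flt.iter("action"):
            yield _android_attr(action, "name"), prio


def triage_manifest(manifest_xml):
    """Return the extracted indicators and a list of verdict strings."""
    root = ET.fromstring(manifest_xml)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    declares_sms_deliver = False
    for receiver in root.iter("receiver"):
        for action, prio in _receiver_actions(receiver):
            if action == SMS_RECEIVED:
                sms_receivers.append(
                    {"name": _android_attr(receiver, "name"), "priority": prio})
            elif action == SMS_DELIVER:
                declares_sms_deliver = True

    verdicts = []
    can_exfiltrate = bool(
        perms & {"android.permission.SEND_SMS", "android.permission.INTERNET"})
    if sms_receivers and "android.permission.RECEIVE_SMS" in perms and can_exfiltrate:
        verdicts.append("otp-forwarder")
        # Max-priority SMS_RECEIVED without SMS_DELIVER: the pre-KitKat hiding trick.
        if (any(r["priority"] == MAX_PRIORITY for r in sms_receivers)
                and not declares_sms_deliver):
            verdicts.append("pre-kitkat-sms-hiding")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        verdicts.append("overlay-capable")
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "sms_receivers": sms_receivers,
        "default_sms_app_candidate": declares_sms_deliver,
        "verdicts": verdicts,
    }


# Constructed manifest in the shape the posts describe (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.esecurity">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="E-Security Certificate">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest produced by apktool or a similar decoder; a legitimate SMS client will also match the first rule, so the verdicts are triage hints to prioritise manual review, not a malware classification on their own.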