
Tuesday, August 28, 2018

Mobile’s Latest Malware Threat: The All-in-One Android Trojan


A new Android Trojan — dubbed Android.Banker.L — combines the functionality of banking Trojans, keyloggers and ransomware to compromise victim devices and steal data.
As reported by Quick Heal, the latest malware threat uses multiple methods simultaneously to attack user devices. In addition to a typical Android banking Trojan, the malware contains code that enables it to forward calls, record sound, conduct keylogging and deploy ransomware. It’s also able to launch device browsers with a URL received from its command-and-control (C&C) server, which is contacted via Twitter.
Once installed, Android.Banker.L repeatedly opens the Accessibility Settings page and asks users to turn on Accessibility Service, which allows it to leverage any device permission without the need for user input.

Why the Latest Malware Threat Is So Elusive

Quick Heal noted that the code’s main Android application package (APK) is “highly obfuscated and all strings are encrypted.” When it receives the command to encrypt all device files, it renames them and then deletes the originals.
This new attack uses financial phishing overlays that are displayed after specific applications are launched. The overlays look legitimate and encourage users to provide their login credentials.
Even if users suspect their device may have been infected, the malware takes steps to prevent deletion. For example, it displays a fake alert message warning that the “system does not work correctly” and encouraging users to disable Google Play Protect. It also displays a fake system alert for “error 495” if users attempt to uninstall the app, which is listed as “sistemguncelle.”

How Companies Can Defend Against Trojans

To combat mobile Trojans, IBM security experts recommend using unified endpoint management (UEM) solutions that offer dedicated mobile threat protection (MTP) tools and include real-time over-the-air updates, automatic detection and removal of infected apps, and the ability to intelligently identify rooted, jailbroken or compromised devices.
Security experts also advise organizations to use mobile sandbox solutions to help manage the gap between known good code and known bad code that can pose a threat to the IT environment.
Finally, users should always verify the legitimacy of any unsolicited email attachments through a separate channel and delete without opening if they are unable to validate.


via IBM

Tuesday, August 15, 2017

PayThink 'Self-protection' can shield banks from new Android BankBot card malware

Recently, the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware.
While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American institutions as well. More specifically, BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.
BankBot is a banking Trojan horse that poses as an apparently benign consumer banking application. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised and BankBot attempts to steal the customer’s credentials (e.g., username and PIN) and debit or credit card information.
Photo: Android handset (Bloomberg News)
BankBot tries to steal banking credentials by using a well-known technique called overlay. The malware creates a window that mimics the look and feel of the targeted mobile banking app, and it aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. Because the fraudulent overlay window is created to look exactly like the target app, the user usually believes they are interacting with their institution’s genuine mobile banking app.
The BankBot malware comes with a list of names of mobile banking apps that it targets, and it compares names in this target list against the names of apps running on the Android device of the user. When BankBot detects that a running app is present in its target list, it generates the overlay window and positions it on top of the target app to deceive the device’s owner.
Technologists reviewing the following code snippet of BankBot can see exactly how the malware checks whether any of the processes running on the Android device are present in the target list, and how the malware launches the overlay injection routine. The comments in the code have been added by threat analyst Ernesto Corral to simplify reading.
The overlay itself consists of a customized WebView, which is an Android component that can be used to show a web page within an app. The content of the WebView is downloaded on the fly from the C2 server.
Can runtime application self-protection (RASP) offer protection? An analysis of a test shows RASP successfully defends mobile banking apps targeted by BankBot against overlay attacks. As a result, we can safely say that all of the more than 420 apps targeted by BankBot are protected, if so equipped. This is crucial because virtually all currently known malware families use the same deceptive overlay technique as BankBot. A good example of another malware family using this technique is Marcher, one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016.
Moreover, RASP’s generic overlay protection mechanism ensures “future-proofing”: any new mobile banking apps that BankBot targets in the future using the same overlay technique will also be protected.
Even if a banking Trojan should manage to steal a user’s banking credentials (his or her PIN, for instance), those credentials would be of little value to a fraudster if the app is protected with two-factor authentication, as the apps and devices in this test were.
Apps protected in this way use two authentication elements: something the user knows (for example, the PIN) and something the user has (e.g., a cryptographic key stored on the mobile device), which is used to generate one-time passwords. While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.
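The following is an added example, not code from the article or from any vendor it mentions, that makes the knowledge-factor/possession-factor argument concrete on the server side. It implements HOTP one-time passwords from RFC 4226 (HMAC-SHA1 over a counter with dynamic truncation) and a hypothetical `BankBackend` class that only accepts a login when both the PIN and an OTP derived from the device key are correct. The device key and the user record are constructed for the demonstration; a real app would keep the key in the device keystore and the backend would not be a Python dictionary.

```python
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class BankBackend:
    """Hypothetical bank authentication backend (constructed for this example).

    Each user has a salted PIN hash (knowledge factor) and a per-device HOTP key
    (possession factor). A login succeeds only if both factors verify.
    """

    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, username: str, pin: str, device_key: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "key": device_key,
            "counter": 0,
        }

    def login(self, username: str, pin: str, otp: str, window: int = 3) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin_hash"])
        # Accept the OTP for the current counter or a few ahead (client/server drift),
        # never for an already-consumed counter, so a captured code cannot be replayed.
        matched = None
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["key"], c), otp):
                matched = c
                break
        if pin_ok and matched is not None:
            rec["counter"] = matched + 1  # consume the counter only on a full success
            return True
        return False


def demo() -> dict:
    """Three logins: a genuine one, one using only an overlay-captured PIN, and a replay."""
    device_key = b"12345678901234567890"  # constructed key (the RFC 4226 test secret)
    bank = BankBackend()
    bank.enroll("alice", "4711", device_key)

    # Genuine login: the app on the enrolled device derives the OTP from its own key.
    first_otp = hotp(device_key, 0)
    legitimate = bank.login("alice", "4711", first_otp)

    # Overlay scenario: the fake window captured the PIN, but the fraudster has no device key.
    pin_only = bank.login("alice", "4711", "000000")

    # Even an OTP observed during the genuine login is worthless afterwards (counter consumed).
    replay = bank.login("alice", "4711", first_otp)

    return {"legitimate": legitimate, "pin_only": pin_only, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

`hotp` reproduces the RFC 4226 reference vectors (for the secret above, counters 0 and 1 yield 755224 and 287082), so the server and a device agree on codes without any shared state beyond the key and counter. The point the article makes falls out of `demo`: knowing the PIN alone gives the fraudster nothing to submit in the OTP field, and the only OTP they could have seen is rejected as already consumed.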
Analysts at the threat research labs used in this study analyzed the internals of malware such as BankBot and Marcher. Findings show that at this point, many or most Android mobile banking malware families use the same approach to create fraudulent overlay windows that deceive users.
Based on lab testing, the threat research lab team and I are confident that RASP technology can, if properly developed and with sufficient security features to detect and prevent application-level intrusions, offer protection against all malware families that use this approach. Furthermore, two-factor authentication functionality can ensure that even successful overlay attacks are thwarted.

Sunday, May 8, 2016

Stop the Phishing

Practical advice and free tools to help stop phishing attacks

Phishing caused $3.1 billion in damages in 2016.

Phishing is big business for the cyber crooks. With 89% of phishing attacks orchestrated by professional organized-crime groups, it’s essential to stay ahead of the game.

This whitepaper will help explain what you’re up against so you can make sure your organization doesn’t take the bait.

