FortiGuard Labs Threat Research
Summary
We recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also resists mobile anti-virus apps: it can hinder 30 different anti-virus programs and prevent them from launching.
Installing the malware
The malware masquerades as an email app. Once installed, its icon appears in the launcher, as shown below.
Figure 1. Malware App Icon
Figure 2. Request device administrator rights
Like the Android malware in my previous blog (android banker malware masquerades as Flash Player targeting large banks), this malware tricks the user into granting it device administrator rights. The fake email icon (the malware app) is then hidden from the launcher, but the malware remains active in the background.
The permissions available to this malware app are shown below.
Figure 3. Permissions of the malware
As you can see, it now owns some dangerous permissions, such as “directly call phone numbers,” “send SMS messages,” “receive text messages (SMS),” etc.
How the malware works
Here is a detailed technical analysis of how the malware works. The following is the key code snippet used when the malware is launched.
Using the above code, the malware starts three services (GPService2, FDService and AdminRightsService) and hides its icon. These services continue to run in the background.
Next, we analyze three services run by this malware.
1. GPService2 Service
This service runs in the background and monitors all running processes on the device, and also attacks the targeted banks. It prompts the user with a customized screen overlay that resembles the legitimate banking app when that app is launched. It includes a different customized login screen for each bank. Additionally, this monitoring service also tries to hinder some anti-virus mobile apps and service utilities, preventing them from launching.
The following is the key code used in the implementation of GPService2.
The list v3 holds the names of the running processes. The following is the definition of the class com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.
From the above code, we can see that com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.a is the package name of this malware, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.b stores the targeted banks and their payload URLs, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.c is probably intended to hold a targeted apps list in the future (we confirm this later in the analysis), and com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d stores the targeted anti-virus apps.
The definition of the i.b function is shown below.
Using the above code, the malware can detect when the user is launching an anti-virus app. The malware then checks whether this anti-virus app is on the list com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d. If it is, the malware returns to the HOME launcher screen, which hinders the anti-virus app from launching.
Next is the definition of the this.a function.
The function is mainly used to communicate with the C2 server to request and receive the appropriate payload for each targeted bank. It uses a customized webview overlay on top of the legitimate app. The following is the implementation of DialogCustomWeb.
2. FDService Service
This service runs in the background and monitors all running processes on the device. It also attacks the targeted app list. The targeted app list is currently empty; the author probably intends to add new targeted apps in the future, and we speculate that these may include some popular social media apps. When a targeted app is launched, the service prompts the user with a fake Google Play card screen overlay that resembles the legitimate app. We will continue to monitor this malware family and report if new targeted apps are added in the future.
The following is the key code in the implementation of FDService.
The variable com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.c is currently empty. DialogGooglePlayCard is a fake Google Play card activity that overlays on top of the legitimate app and lures the user into submitting their credit card info.
3. AdminRightsService Service
This service requests device administrator rights when the malware is launched for the first time. Once granted, these rights make the app more difficult to remove.
Stealing info from victims and getting commands from C&C
After the malware is installed, it collects information about the device, sends it to its C&C server, and waits for the server to respond with new commands to carry out.
The following code snippet is used to parse the server response and execute new commands.
The class APIHandlerFactory is used to handle the commands received from the C2 server.
// Decompiled command-handler factory: each branch maps a command string constant
// from class b to a handler class. The decompiler shows the single result register
// as v0, v0_1, ... and returns it as v0_2.
@Keep public static a invoke_getHnd(String arg1) {
    n v0_2;
    if(arg1.contains(b.h)) {
        com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.i v0 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.i();
    }
    else if(arg1.contains(b.o)) {
        l v0_1 = new l();
    }
    else if(arg1.contains(b.j)) {
        v0_2 = new n();
    }
    else if(arg1.contains(b.i)) {
        p v0_3 = new p();
    }
    else if(arg1.contains(b.p)) {
        d v0_4 = new d();
    }
    else if(arg1.contains(b.G)) {
        com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.b v0_5 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.b();
    }
    else if(arg1.contains(b.q)) {
        com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.c v0_6 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.c();
    }
    else if(arg1.contains(b.r)) {
        r v0_7 = new r();
    }
    else if(arg1.contains(b.s)) {
        q v0_8 = new q();
    }
    else if(arg1.contains(b.t)) {
        s v0_9 = new s();
    }
    else if(arg1.contains(b.u)) {
        o v0_10 = new o();
    }
    else if(arg1.equals(b.v)) {
        h v0_11 = new h();
    }
    else if(arg1.equals(b.w)) {
        g v0_12 = new g();
    }
    else if(arg1.equals(b.x)) {
        com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.a v0_13 = new com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.b.a();
    }
    else if(arg1.equals(b.l)) {
        j v0_14 = new j();
    }
    else if(arg1.equals(b.m)) {
        m v0_15 = new m();
    }
    else if(arg1.equals(b.y)) {
        k v0_16 = new k();
    }
    else {
        a v0_17 = null;
    }
    return ((a)v0_2);
}
}
The malware can receive the following commands from the C2 server.
The device info, which is collected and sent to the C&C server, includes the device IMEI, the ISO country code, its Android build version, the device model, and the phone number. The traffic is shown below. The malware communicates with the C2 server via HTTPS. The following are the decrypted request and response packets.
The version info may be the creation date of the malware app, which is 11/06/16.
The malware app can also collect the installed app list and send it to C2.
Next, we look at how the command ‘killStart’ is executed to set a new screen lock password.
The function t.a sets a new screen lock password. When the malware receives the command “killStart” from the C2 server, it sets the password to 9991. We also found other code paths that call the function t.a and set the password to 8320.
Targeted large bank apps in Germany
We found that there are 15 banking apps in the targeted app list, as shown below.
It is entirely possible that additional banks or other organizations could be added in future releases of this malware.
Once this malicious app is installed and device administrator rights are granted, the first time the user launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to fetch the payload. The C2 server responds with a fake customized login webpage, and the malicious app displays this fake login screen as an overlay on top of the legitimate banking app to collect the entered banking credentials.
There is a different customized login screen for each bank targeted by this malware.
Stealing authentication information
We will now analyze the process used to steal authentication information through a targeted bank app overlay. This process is identical for any of the overlays the malware inserts for any of the targeted banks.
The following shows the traffic captured when the malware downloads the fake bank payload from its C2 server. The C2 server provides a customized login screen that is used as an overlay on top of the legitimate app.
Once the user submits the authentication information, the malware sends the info to its C2 Server. It communicates with the C2 server via HTTPS.
Resistance to anti-virus mobile apps
The malware also tries to hinder some anti-virus mobile apps and service utilities by preventing them from launching. These apps include:
How to remove the malware
First, the user can disable the malware’s device administrator rights in Settings -> Security -> Device administrators -> Device Admin -> Deactivate.
Then the user can uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.
Solution
The malware sample is detected by Fortinet Antivirus signature Android/Banker.GT!tr.spy.
The traffic submitting the stolen info to C&C server can be detected by Fortinet IPS signature Android.Banker.German.Malware.C2.
Conclusion
This malware implements multiple malicious functionalities in a single app and takes full advantage of a successful infection. It targets 15 large German banks and displays a customized screen overlay on top of each bank’s legitimate app. It also resists mobile anti-virus apps, and can hinder 30 different anti-virus programs and prevent them from launching. The attacker can control the list of legitimate apps to be targeted via C&C commands.
We will continue to monitor future activities from this malware family and ensure that an adequate security solution is developed in our products.
Appendix
Hash
SHA256: 216cde0f92e601ec0e65218f9cc13dc22bdf6cb7e46c2d2a22a7dc4488238e1b
Domains
polo777555lolo[.]at
polo569noso[.]at
wahamer8lol77j[.]at
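As an added example (not code from this report or from the malware), the following script turns the appendix indicators into an offline check: it refangs the published domains, flags DNS log lines that name them or a subdomain of them, and compares a file's SHA256 with the published sample hash. The DNS log lines are constructed for illustration.

```python
"""Offline IoC check built from the indicators in this report's appendix."""
import hashlib
import re

# Indicators exactly as listed in the appendix (domains are defanged as published).
IOC_SHA256 = "216cde0f92e601ec0e65218f9cc13dc22bdf6cb7e46c2d2a22a7dc4488238e1b"
IOC_DOMAINS_DEFANGED = ["polo777555lolo[.]at", "polo569noso[.]at", "wahamer8lol77j[.]at"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'host[.]at' back into a real hostname."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Matches a dotted hostname inside free-form log text (case-insensitive).
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def host_is_ioc(host: str) -> bool:
    """True for an IoC domain itself or for any subdomain of it."""
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(log_lines):
    """Return (line_number, hostname) for every line that names an IoC domain."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            if host_is_ioc(host):
                hits.append((number, host.lower().rstrip(".")))
    return hits


def sha256_matches_ioc(data: bytes) -> bool:
    """Compare the SHA256 of an APK's bytes with the published sample hash."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256.lower()


# Constructed DNS resolver log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2016-11-07T10:02:11Z client=10.0.0.12 query=A name=polo777555lolo.at.",
    "2016-11-07T10:02:13Z client=10.0.0.12 query=A name=www.example.com.",
    "2016-11-07T10:02:20Z client=10.0.0.27 query=A name=api.wahamer8lol77j.at.",
]

if __name__ == "__main__":
    for number, host in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"line {number}: {host} matches a published indicator")
```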