
Android Trojan Prevents Security Apps From Launching

A newly discovered Android banking Trojan has been designed not only to be resilient to anti-malware applications, but also to counter them by preventing them from launching, Fortinet security researchers warn.

Detected as Android/Banker.GT!tr.spy, the new malware family was designed to steal banking information from the users of 15 different mobile banking apps for German banks. What’s more, the Trojan’s authors can control the list of targeted applications from the command and control (C&C) server, meaning that they could easily target more of them.

The malware masquerades as an email application and even displays an icon in the launcher. Like several other mobile threats, however, it tricks the user into granting it device administrator rights. Once these are granted, it hides its icon from the launcher while remaining active in the background.

The program requests permissions to read phone state, read contacts, get tasks, write settings, directly call phone numbers, read/write/send/receive SMS messages, access and change network state, and more. After installation, the malware spawns three services that will run in the background: GPService2, FDService and AdminRightsService.
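The permission set and the device-admin component described above are exactly what an analyst looks for when triaging a decoded manifest. The following Python script is an added example, not Fortinet's tooling or the Trojan's code: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and scores the combination of SMS control, task monitoring, telephony access and a receiver guarded by BIND_DEVICE_ADMIN. Both manifests embedded in it are constructed, the service names are taken from the article, and the weights and threshold are an assumed heuristic rather than a published signature.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
device-admin combination described in the article.

Added example, not Fortinet's or the Trojan's code. Both manifests below are
constructed; weights and the threshold are an assumed heuristic.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes

# (label, permissions that grant the capability, weight). Any one permission in
# the set counts once. Weights are an assumption for this example.
CAPABILITIES = [
    ("sms_control", {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.WRITE_SMS"}, 3),
    ("app_monitoring", {"android.permission.GET_TASKS"}, 3),  # spot a bank app launch, then overlay
    ("telephony", {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"}, 2),
    ("contacts", {"android.permission.READ_CONTACTS"}, 1),
    ("settings", {"android.permission.WRITE_SETTINGS"}, 1),
    ("network", {"android.permission.ACCESS_NETWORK_STATE",
                 "android.permission.CHANGE_NETWORK_STATE"}, 1),
]
DEVICE_ADMIN_WEIGHT = 3    # a <receiver> guarded by BIND_DEVICE_ADMIN
SUSPICIOUS_THRESHOLD = 8   # assumed cut-off


def parse_manifest(xml_text):
    """Return package name, requested permissions, device-admin receivers and services."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "permissions": {e.get(A + "name") for e in root.iter("uses-permission")},
        "admin_receivers": [r.get(A + "name") for r in root.iter("receiver")
                            if r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"],
        "services": [s.get(A + "name") for s in root.iter("service")],
    }


def triage(xml_text):
    """Score a manifest. Device admin alone is normal for Exchange mail clients;
    combined with SMS control and task monitoring it is the banking-Trojan pattern."""
    info = parse_manifest(xml_text)
    hits = {label: w for label, needed, w in CAPABILITIES if info["permissions"] & needed}
    if info["admin_receivers"]:
        hits["device_admin"] = DEVICE_ADMIN_WEIGHT
    score = sum(hits.values())
    info.update(hits=hits, score=score,
                verdict="suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign")
    return info


def _perms(*names):
    return "".join('<uses-permission android:name="android.permission.%s"/>' % n for n in names)


ADMIN_RECEIVER = ('<receiver android:name=".AdminReceiver" '
                  'android:permission="android.permission.BIND_DEVICE_ADMIN">'
                  '<meta-data android:name="android.app.device_admin" '
                  'android:resource="@xml/device_admin"/></receiver>')

# Constructed: a fake "email" app with the permission set and services named in the article.
SUSPICIOUS_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.mailclient">'
    + _perms("READ_PHONE_STATE", "READ_CONTACTS", "GET_TASKS", "WRITE_SETTINGS", "CALL_PHONE",
             "READ_SMS", "WRITE_SMS", "SEND_SMS", "RECEIVE_SMS",
             "ACCESS_NETWORK_STATE", "CHANGE_NETWORK_STATE")
    + '<application android:label="Email">' + ADMIN_RECEIVER
    + '<service android:name=".GPService2"/><service android:name=".FDService"/>'
    + '<service android:name=".AdminRightsService"/></application></manifest>'
)

# Constructed: a plausible corporate mail client that is also a device admin (Exchange policies).
BENIGN_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.corpmail">'
    + _perms("INTERNET", "READ_CONTACTS", "ACCESS_NETWORK_STATE")
    + '<application android:label="Corp Mail">' + ADMIN_RECEIVER + '</application></manifest>'
)

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage(xml_text)
        print(f"{r['package']}: {r['verdict']} (score {r['score']}) hits={sorted(r['hits'])}")
```

The contrast between the two manifests is the point: a device-admin receiver by itself is what any Exchange-capable mail client declares, so it scores low on its own, while an "email" app that additionally wants GET_TASKS, full SMS access and CALL_PHONE lands well above the threshold.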

GPService2, Fortinet researchers say, monitors all running processes on the device and attacks the targeted banking apps by displaying a customized overlay that mimics the legitimate app's window. The malware carries a separate fake login screen for each bank and shows the matching one as soon as the corresponding app is launched.

The same monitoring service also blocks several mobile anti-virus apps and system utilities from launching, and includes a function for contacting the C&C server to request and receive the payload for each targeted bank.

FDService likewise monitors running processes, but it is built to target a specific set of apps, which the researchers say may include popular social media apps alongside the banking software. It can also display a fake Google Play overlay that tricks users into entering their credit card details.

AdminRightsService asks for device administrator rights the first time the malware runs. As soon as the user grants them, the malware becomes more difficult to remove, Fortinet's researchers explain. The reason is that Android will not uninstall a package while it is an active device administrator, so that right has to be revoked before the app can be removed.


After installation, the Trojan collects information about the device, sends it to the C&C server and then waits for commands. Supported commands include: intercept incoming SMS messages, send a text message, send a USSD request, send SMS messages to every number in the contact list, change the C&C server address, add or delete an app from the exclusion list, download an updated list of targeted apps from the C&C server, display a template-based dialog in a WebView, and upload the information collected from the device to the C&C server.

The malware communicates with the C&C server via HTTPS. In addition to the stolen banking credentials, it sends information such as device IMEI, the ISO country code, Android build version, device model, and phone number. It also collects a list of installed applications and sends it to the server.

To remove the Trojan, users should first revoke its administrator rights under Settings -> Security -> Device administrators -> Device Admin -> Deactivate. Only then can the malicious package be uninstalled, for example with ADB (Android Debug Bridge) using the command ‘adb uninstall [packagename]’.
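The removal steps above can be scripted for an analyst with ADB access. The following Python helper is an added example, not part of Fortinet's write-up: it parses `adb shell dumpsys device_policy` to confirm whether the package still holds an active device administrator, and only then issues `am force-stop` and `adb uninstall`. The dumpsys excerpts are constructed and follow the layout of Android 6/7-era output, which differs between releases, so check the parser against a real device first. The check matters because PackageManager refuses to uninstall an active device admin (the failure is reported as DELETE_FAILED_DEVICE_POLICY_MANAGER) and `dpm remove-active-admin` only works for apps that declared android:testOnly, so the deactivation itself still has to be done in Settings.

```python
"""Scripted version of the removal procedure above, for an analyst with ADB access.

Added example, not Fortinet's tooling. The dumpsys excerpts are constructed;
their layout (an "Enabled Device Admins" block listing "package/Component:")
follows Android 6/7-era output and varies between releases, so verify it
against a real device before relying on the parser.
"""
import re
import subprocess
import sys

# Component lines inside the admin block look like "    com.pkg/.Receiver:".
ADMIN_LINE = re.compile(r"^\s+([A-Za-z_][\w.]*)/(\.?[\w.$]+):\s*$")


def active_admins(dumpsys_text, package):
    """Return the device-admin components of `package` that dumpsys lists as enabled."""
    found, in_block = [], False
    for line in dumpsys_text.splitlines():
        if line.lstrip().startswith("Enabled Device Admins"):
            in_block = True
            continue
        if in_block and line.strip() and not line.startswith("    "):
            in_block = False            # a less-indented line ends the block
        m = ADMIN_LINE.match(line) if in_block else None
        if m and m.group(1) == package:
            found.append(package + "/" + m.group(2))
    return found


def removal_plan(package, dumpsys_text):
    """Return (adb commands, reason). Commands are None while the app is still an admin:
    PackageManager rejects the uninstall of an active device admin with
    DELETE_FAILED_DEVICE_POLICY_MANAGER, and `dpm remove-active-admin` only works for
    apps that declared android:testOnly, so the right must be revoked in Settings first."""
    admins = active_admins(dumpsys_text, package)
    if admins:
        return None, "still an active device admin: " + ", ".join(admins)
    return [["adb", "shell", "am", "force-stop", package],
            ["adb", "uninstall", package]], "ok"


def main(package):
    dump = subprocess.run(["adb", "shell", "dumpsys", "device_policy"],
                          capture_output=True, text=True, check=True).stdout
    plan, reason = removal_plan(package, dump)
    if plan is None:
        sys.exit(reason + "; deactivate it under Settings -> Security -> Device administrators")
    for argv in plan:
        print("+", " ".join(argv))
        subprocess.run(argv, check=True)


# Constructed excerpts: before and after the user deactivates the admin in Settings.
SAMPLE_DUMPSYS_BEFORE = """Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.email/.SecurityPolicy$PolicyAdmin:
      uid=10056
      testOnlyAdmin=false
    com.example.mailclient/.AdminReceiver:
      uid=10134
      testOnlyAdmin=false
  mPasswordOwner=-1
"""
SAMPLE_DUMPSYS_AFTER = SAMPLE_DUMPSYS_BEFORE.replace(
    "    com.example.mailclient/.AdminReceiver:\n      uid=10134\n      testOnlyAdmin=false\n", "")

if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])                 # live use: python3 remove_admin_trojan.py <package>
    else:
        for text in (SAMPLE_DUMPSYS_BEFORE, SAMPLE_DUMPSYS_AFTER):
            print(removal_plan("com.example.mailclient", text))
```

Run without arguments it exercises the two constructed excerpts offline; with a package name it talks to the connected device and stops with a clear message, instead of a cryptic uninstall failure, if the admin right is still active.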

Related: Hundreds of Thousands of Android Trojans Installed from Unknown Sources Daily

Related: Tordow Android Trojan Gets Root Privileges for New Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
