SecurityWeek

Malware & Threats

Android Trojan Steals Credit Card Info, Locks Devices Remotely

A new Android banking Trojan capable of spying on users and stealing credit card information achieves persistence on infected devices by requesting device administrator rights and re-displaying the request dialog in a loop until the user gives in.

Researchers at Avast warn that the new Banker Trojan relies on social engineering and employs various evasion techniques in an attempt to remain undetected on the compromised devices.

The malicious program is installed on the infected devices under different names, including AVITO-MMS, KupiVip and MMS Центр (MMS Center), depending on the sample. After installation, an app icon is placed in the launcher, but the icon is hidden after the program’s first run, to make the Trojan more elusive.

The malware also checks whether it runs in an emulator, and, if it doesn’t, it starts a background timer that shows the Device Admin activation dialog in a continuous loop, even if the user presses the “Cancel” button. However, the dialog disappears if the user gives in and enables device administrator rights for the app.

After gaining admin rights, the malware repeats the same nagging loop, this time to get itself set as the default SMS app. Device admin rights make the Trojan harder to uninstall, because Android refuses to uninstall an active device administrator until the user first deactivates it in Settings, and they also allow the operators to lock the device remotely, researchers say.

On smartphones running Android Marshmallow (6.0), users can still try to uninstall the application despite the continuous flood of request dialogs by opening Settings from the notification shade (swipe down from the top of the screen). Owners of devices running Android KitKat (4.4), however, aren’t as fortunate and can get rid of the malware only with a factory reset.

The Trojan was designed to send information about the device to the command and control (C&C) server, to intercept incoming SMS messages and send them to the server, and to receive further commands from its operators.

The information sent to the C&C server includes the device IMEI, ISO country code, SIM operator name, Android build version, phone number, SIM serial number, whether the app has admin rights and whether it is the default SMS app, the current version number of the Trojan, and a generated unique user ID for the phone.


Upon command, the Trojan can display a fake Google Play window on the infected device, prompting the victim to enter their credit card information. The malware also supports commands for downloading an APK and prompting the user to install it, locking the screen, and redirecting calls to a specific number. Moreover, it can get call logs, SMS inbox, bookmarks, contacts, a list of installed apps, and GPS coordinates of the device and send them to the C&C server.
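The behaviour described in the two passages above (the device-admin and default-SMS-app requests, and the SMS, call log, contacts, location and device-identifier harvesting) leaves a footprint in an APK's manifest that an analyst can triage statically before touching the code. The script below is an added example, not Avast's tooling and not code from the Trojan: it scores a decoded AndroidManifest.xml on those indicators. The sample manifest is constructed for the example, and the weights are this example's own assumption, not a published scoring scheme; to run it on a real sample, decode the APK first (for instance with `apktool d sample.apk`) and pass the path to the decoded manifest.

```python
"""Static triage of an AndroidManifest.xml for the indicators the article
describes. Added example; the sample manifest and the weights are assumptions."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the data the Trojan is reported to collect.
# Weights are an assumption of this example, not a published scheme.
SUSPECT_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 2,            # intercept incoming SMS
    "android.permission.READ_SMS": 2,               # dump the SMS inbox
    "android.permission.SEND_SMS": 1,
    "android.permission.READ_CALL_LOG": 2,          # call logs
    "android.permission.READ_CONTACTS": 1,          # contacts
    "android.permission.ACCESS_FINE_LOCATION": 1,   # GPS coordinates
    "android.permission.READ_PHONE_STATE": 1,       # IMEI, SIM serial, number
    "android.permission.SYSTEM_ALERT_WINDOW": 2,    # overlay windows (fake Google Play)
    "android.permission.PROCESS_OUTGOING_CALLS": 2, # call redirection
}


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return (score, findings) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    declared = {_attr(p, "name") for p in root.iter("uses-permission")}
    for perm in sorted(declared & SUSPECT_PERMISSIONS.keys()):
        findings.append("permission " + perm)
        score += SUSPECT_PERMISSIONS[perm]

    for recv in root.iter("receiver"):
        actions = {_attr(a, "name") for a in recv.iter("action")}
        guard = _attr(recv, "permission")
        # A receiver protected by BIND_DEVICE_ADMIN that handles
        # DEVICE_ADMIN_ENABLED is the component behind the admin-rights dialog
        # (remote lock, uninstall resistance).
        if guard == "android.permission.BIND_DEVICE_ADMIN" \
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings.append("device-admin receiver " + _attr(recv, "name"))
            score += 3
        # Since KitKat, a default SMS app must receive SMS_DELIVER behind
        # BROADCAST_SMS (it also needs WAP push, SENDTO and respond-via-message
        # components, not checked here).
        if guard == "android.permission.BROADCAST_SMS" \
                and "android.provider.Telephony.SMS_DELIVER" in actions:
            findings.append("default-SMS-app receiver " + _attr(recv, "name"))
            score += 3

    # Icon hiding and the emulator check are runtime behaviour and do not show
    # up here; look for PackageManager.setComponentEnabledSetting and
    # Build/TelephonyManager property checks in the decompiled code instead.
    return score, findings


# Constructed sample manifest shaped like the behaviour described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mmscenter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="MMS Center">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    total, hits = triage_manifest(text)
    for hit in hits:
        print("  -", hit)
    print("score:", total)
```

A high score is a triage signal, not a verdict: a legitimate messaging app will also declare the SMS receiver, and mobile device management agents legitimately use device admin. The combination of both receivers with call-log, contacts and location permissions in a package named like a courier or MMS service is what warrants pulling the sample apart.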

According to Avast, the Trojan was most active in the first half of February, and it mainly targeted users in Russia, followed by Germany, the U.S. and the Czech Republic.

To stay protected, users should make sure they have an anti-malware program installed on their devices, and should also keep their data backed up at all times. Should the infection occur, however, users might be forced to reset their devices to factory settings to remove all installed apps and user data, including the malware.

Some of the most recent Android banking Trojans spotted in the wild include Asacub, which evolved from a spyware Trojan to a backdoor and then to banking malware; SlemBunk, a continuously evolving piece of malware, with 170 samples identified in mid-December targeting users of 33 banking applications worldwide; and Xbot, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information to encrypting files on external storage.
