
Android Trojan Prevents Security Apps From Launching

A newly discovered Android banking Trojan has been designed not only to be resilient to anti-malware applications, but also to counter them by preventing them from launching, Fortinet security researchers warn.

Detected as Android/Banker.GT!tr.spy, the new malware family was designed to steal banking information from the users of 15 different mobile banking apps for German banks. What’s more, the Trojan’s authors can control the list of targeted applications from the command and control (C&C) server, meaning that they could easily target more of them.

The malware masquerades as an email application and even displays an icon in the launcher. However, similar to some other mobile threats, it tricks users into providing it with administrative privileges. At this point, the Trojan’s icon is hidden from the launcher, although the malicious software remains active in the background.

The program requests permissions to read phone state, read contacts, get tasks, write settings, directly call phone numbers, read/write/send/receive SMS messages, access and change network state, and more. After installation, the malware spawns three services that will run in the background: GPService2, FDService and AdminRightsService.

The GPService2 service, Fortinet researchers say, is meant to monitor all running processes on the device, as well as to attack the aforementioned banking apps by displaying a customized screen overlay resembling the window of the legitimate software. The malware includes a different customized login screen for each bank and displays the appropriate one when the respective app is launched.

The monitoring service is also responsible for hindering some anti-virus mobile apps and service utilities by preventing them from launching. What’s more, the service includes a function for communicating with the C&C server to request and receive the appropriate payload for each targeted bank.

The FDService component monitors all running processes on the device but the author also designed it to target specific apps, which researchers say might include popular social media apps in addition to banking software. The service can also display a fake Google Play overlay to trick users into entering their credit card information.

The AdminRightsService was meant to ask for administrative privileges when the malware runs for the first time. As soon as the user grants the admin rights, the malware becomes more difficult to remove, Fortinet’s security researchers explain.
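The permission set and service layout described above are exactly what an analyst checks first when triaging an APK of this kind. The following script is an added illustration, not Fortinet's code or anything from the sample itself: it parses a constructed AndroidManifest.xml that mirrors the capability profile above (an "Email"-labelled app with SMS, phone, task-listing and device-admin capabilities), groups the declared permissions into the behaviours the article describes, and flags the device-admin receiver. The package name, receiver class and the SYSTEM_ALERT_WINDOW overlay permission are assumptions made for the example; the article only says the sample requests "and more".

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name, android:permission, ...).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed manifest modelled on the permissions and services named in the article.
# The package name, receiver class and SYSTEM_ALERT_WINDOW are assumptions for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakemail">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Email">
    <service android:name=".GPService2"/>
    <service android:name=".FDService"/>
    <service android:name=".AdminRightsService"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permission groups mapped to the behaviours the article attributes to the Trojan.
RISK_GROUPS = {
    "sms_control": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                    "android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "task_monitoring": {"android.permission.GET_TASKS"},
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
}


def triage_manifest(xml_text):
    """Summarise the risky capabilities declared in a manifest.

    Returns the package name, which risk groups are present, whether a
    device-admin receiver is declared, the declared services, and a simple
    score (one point per risk group, two extra for device admin).
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    hits = {group for group, names in RISK_GROUPS.items() if perms & names}
    # A receiver protected by BIND_DEVICE_ADMIN is how an app asks for admin rights.
    admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    services = [s.get(A + "name") for s in root.iter("service")]
    return {
        "package": root.get("package"),
        "permission_groups": sorted(hits),
        "device_admin": admin,
        "services": services,
        "score": len(hits) + (2 if admin else 0),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-18s %s" % (key, value))
```

A mail client that wants device-admin rights together with full SMS control and task listing is the combination worth escalating; none of the individual permissions is suspicious on its own, so the scoring works on the groups rather than on single permission names.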

After installation, the Trojan collects information about the device and sends it to the C&C server, after which it awaits commands to carry out. The malware supports commands such as intercepting incoming SMS messages, sending a text message, sending a USSD request, sending SMS messages to all numbers in the contact list, changing the address of the C&C server, adding or deleting an app on the exclusion list, downloading an updated targeted-apps list from the C&C server, displaying a template-based dialog using WebView, and sending the information collected from the device to the C&C server.

The malware communicates with the C&C server via HTTPS. In addition to the stolen banking credentials, it sends information such as device IMEI, the ISO country code, Android build version, device model, and phone number. It also collects a list of installed applications and sends it to the server.

To remove the Trojan, users should first disable its administrator rights by heading to Settings -> Security -> Device administrators -> Device Admin -> Deactivate. Next, they can uninstall the malicious program with the help of ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.
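The order of the two removal steps matters: `adb uninstall` fails while the package still holds active device-admin rights. The script below is an added example, not part of the article or of Fortinet's write-up: it parses a constructed excerpt shaped like the output of `adb shell dumpsys device_policy`, lists the packages currently enabled as device administrators, and only emits the uninstall command once the package is no longer in that list. The package and receiver names are hypothetical placeholders, and the dumpsys layout is the form the author of this example has seen on recent Android releases, so treat the regex as an assumption to adjust if your device prints it differently.

```python
import re
import shlex

# Constructed excerpt in the shape of `adb shell dumpsys device_policy` output.
# Package and class names are hypothetical placeholders for this example.
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakemail/.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.example.mdm/.DeviceAdminReceiver:
      uid=10045
      testOnlyAdmin=false
"""

# An enabled admin is listed as "<package>/<receiver class>:" on its own indented line.
ADMIN_LINE = re.compile(r"^[ \t]+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):[ \t]*$", re.MULTILINE)


def active_admins(dumpsys_text):
    """Map package name -> admin receiver class for every enabled device admin."""
    return {pkg: cls for pkg, cls in ADMIN_LINE.findall(dumpsys_text)}


def removal_plan(package, dumpsys_text):
    """Decide whether `adb uninstall <package>` can proceed.

    While the package is an active device admin the uninstall is refused, so
    the plan reports "blocked" until the admin has been deactivated under
    Settings -> Security -> Device administrators and a fresh dumpsys no
    longer lists it. The command is returned as a string, never executed here.
    """
    admins = active_admins(dumpsys_text)
    if package in admins:
        return {
            "status": "blocked",
            "reason": "%s/%s is an active device admin; deactivate it in Settings first"
                      % (package, admins[package]),
            "command": None,
        }
    return {
        "status": "ready",
        "reason": None,
        "command": "adb uninstall " + shlex.quote(package),
    }


if __name__ == "__main__":
    print(active_admins(SAMPLE_DUMPSYS))
    print(removal_plan("com.example.fakemail", SAMPLE_DUMPSYS))
```

In practice you would replace SAMPLE_DUMPSYS with the live output of `adb shell dumpsys device_policy`, re-run after deactivating the admin in Settings, and only then run the command the plan returns.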


Written by Ionut Arghire, an international correspondent for SecurityWeek.
