A newly discovered Android banking Trojan has been designed not only to be resilient to anti-malware applications, but also to counter them by preventing them from launching, Fortinet security researchers warn.
Detected as Android/Banker.GT!tr.spy, the new malware family was designed to steal banking information from the users of 15 different mobile banking apps for German banks. What’s more, the Trojan’s authors can control the list of targeted applications from the command and control (C&C) server, meaning that they could easily target more of them.
The malware masquerades as an email application and even displays an icon in the launcher. However, similar to some other mobile threats, it tricks users into providing it with administrative privileges. At this point, the Trojan’s icon is hidden from the launcher, although the malicious software remains active in the background.
The program requests permissions to read phone state, read contacts, get tasks, write settings, directly call phone numbers, read/write/send/receive SMS messages, access and change network state, and more. After installation, the malware spawns three services that will run in the background: GPService2, FDService and AdminRightsService.
The GPService2 service, Fortinet researchers say, is meant to monitor all running processes on the device, as well as to attack the aforementioned banking apps by displaying a customized screen overlay resembling the window of the legitimate software. The malware includes a different customized login screen for each bank and displays the appropriate one when the respective app is launched.
The monitoring service is also responsible for hindering some anti-virus mobile apps and service utilities by preventing them from launching. What’s more, the service includes a function for communicating with the C&C server to request and receive the appropriate payload for each targeted bank.
The FDService component also monitors all running processes on the device, but the author designed it to target specific apps, which researchers say might include popular social media apps in addition to banking software. The service can also display a fake Google Play overlay to trick users into entering their credit card information.
The AdminRightsService was meant to ask for administrative privileges when the malware runs for the first time. As soon as the user grants the admin rights, the malware becomes more difficult to remove, Fortinet’s security researchers explain.
After installation, the Trojan collects information about the device and sends it to the C&C server, after which it awaits commands to carry out. The malware supports commands such as: intercept incoming SMS messages, send a text message, send a USSD request, send SMS messages to all numbers in the contact list, change the address of the C&C server, add or delete an app in the exclusion list, download an updated list of targeted apps from the C&C server, display a template-based dialog using WebView, and send the information collected from the device to the C&C server.
The malware communicates with the C&C server via HTTPS. In addition to the stolen banking credentials, it sends information such as device IMEI, the ISO country code, Android build version, device model, and phone number. It also collects a list of installed applications and sends it to the server.
To remove the Trojan, users should first disable its administrator rights by heading to Settings -> Security -> Device administrators -> Device Admin -> Deactivate. Next, they can uninstall the malicious program with the help of ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.
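The removal steps above assume the user already knows which package is the Trojan. The following Python script, added here as an illustration and not part of the article or of Fortinet's research, shows how a responder can find it with ADB: it parses the output of `adb shell dumpsys device_policy` (which lists enabled device administrators) and `adb shell pm list packages -3` (third-party packages only), flags every non-allowlisted third-party package that holds device-admin rights, and prints the two-step removal the article describes. The package names are placeholders, the sample outputs are constructed, and the exact dump layout (the Android 7+ `pkg/.Receiver:` form, with the older `ComponentInfo{...}` form also accepted) is an assumption of this example.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output. Package names are
# hypothetical placeholders; the layout follows the Android 7+ dump format, which is
# an assumption of this example rather than something the article states.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10055
      testOnly=false
    com.example.fakemail/.AdminReceiver:
      uid=10123
      testOnly=false
"""

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.example.mdm
package:com.example.fakemail
package:com.example.bankapp
"""

# Android 7+ style admin entry: "    pkg/.Receiver:"; older dumps: "ComponentInfo{pkg/cls}".
_NEW_STYLE = re.compile(r"^\s+([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):\s*$")
_OLD_STYLE = re.compile(r"ComponentInfo\{([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+)\}")


def _qualify(pkg: str, cls: str) -> str:
    """Expand a shorthand class name ('.AdminReceiver') to its fully qualified form."""
    return f"{pkg}/{pkg + cls if cls.startswith('.') else cls}"


def parse_device_admins(dump: str) -> list[str]:
    """Return the enabled device-admin components (pkg/class) found in a dumpsys dump."""
    admins = []
    for line in dump.splitlines():
        m = _NEW_STYLE.match(line) or _OLD_STYLE.search(line)
        if m:
            admins.append(_qualify(m.group(1), m.group(2)))
    return admins


def parse_third_party_packages(listing: str) -> set[str]:
    """Parse `pm list packages -3` output, which prints one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("package:")}


def removal_commands(pkg: str) -> list[str]:
    """The two-step removal from the article: revoke admin rights first, then uninstall."""
    return [
        "Settings -> Security -> Device administrators -> deactivate the entry for " + pkg,
        f"adb uninstall {pkg}",
    ]


def triage(dump: str, listing: str, allowlist=frozenset()) -> list[dict]:
    """List third-party packages that hold device-admin rights and are not allowlisted."""
    third_party = parse_third_party_packages(listing)
    findings = []
    for component in parse_device_admins(dump):
        pkg = component.split("/", 1)[0]
        if pkg in third_party and pkg not in allowlist:
            findings.append({"package": pkg, "component": component,
                             "steps": removal_commands(pkg)})
    return findings


if __name__ == "__main__":
    # A known MDM agent is allowlisted; the remaining admin-holding third-party app is flagged.
    for f in triage(SAMPLE_DEVICE_POLICY, SAMPLE_THIRD_PARTY, allowlist={"com.example.mdm"}):
        print(f"{f['package']} ({f['component']})")
        for step in f["steps"]:
            print("  -", step)
```

On a real device the two inputs come from `adb shell dumpsys device_policy` and `adb shell pm list packages -3`; the allowlist holds legitimate admin holders such as a corporate MDM agent. The `adb uninstall` step is kept last because, as the article notes, it only succeeds once the app's administrator rights have been deactivated.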