A new Android banking Trojan capable of spying on users and stealing credit card info achieves persistence on infected devices by asking for device administrator rights and continuously showing the dialog window until the user gives in.
Researchers at Avast warn that the new Banker Trojan relies on social engineering and employs various evasion techniques in an attempt to remain undetected on the compromised devices.
The malicious program is installed on the infected devices under different names, including AVITO-MMS, KupiVip and MMS Центр (MMS Center), depending on the sample. After installation, an app icon is placed in the launcher, but the icon is hidden after the program’s first run, to make the Trojan more elusive.
The malware also checks whether it runs in an emulator, and, if it doesn’t, it starts a background timer that shows the Device Admin activation dialog in a continuous loop, even if the user presses the “Cancel” button. However, the dialog disappears if the user gives in and enables device administrator rights for the app.
After gaining admin rights, the malware repeats the process, but for setting the default SMS manager app. By gaining device admin rights, the Trojan makes it more difficult for users to uninstall it, while also allowing its operators to remotely lock the device, researchers say.
On smartphones running Android Marshmallow, users can try to uninstall the application despite the continuous flood of request dialogs by going to settings with the top-down swipe. Owners of devices running Android KitKat, however, aren’t as fortunate and can get rid of the malware only after a factory reset.
The Trojan was designed to send information about the device to the command and control (C&C) server, to intercept incoming SMS messages and send them to the server, and to receive further commands from its operators.
The information sent to the C&C server includes the device IMEI, ISO country code, SIM operator name, Android build version, phone number, SIM serial number, whether the app has admin rights and whether it is the default SMS app, the current version number of the Trojan, and a generated unique user ID for the phone.
Upon command, the Trojan can display a fake Google Play window on the infected device, prompting the victim to enter their credit card information. The malware also supports commands for downloading an APK and prompting the user to install it, locking the screen, and redirecting calls to a specific number. Moreover, it can get call logs, SMS inbox, bookmarks, contacts, a list of installed apps, and GPS coordinates of the device and send them to the C&C server.
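As an added example that is not from the article or from Avast's research, the following Python triage script checks a decoded AndroidManifest.xml for the combination of capabilities described above: a device-admin receiver, an SMS_DELIVER handler (required to become the default SMS app), SMS interception, and the call-log and location permissions that match the data the Trojan collects. The indicator names, the scoring rule and the sample manifest are my own constructions, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"   # android:* attribute namespace

# Permissions matching the data the article says is collected or intercepted.
PERMISSION_INDICATORS = {
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "gps",
}

def _attr(elem, name):
    return elem.get(f"{{{ANDROID}}}{name}", "")

def triage_manifest(manifest_xml: str) -> set:
    """Return the set of indicator names found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if _attr(perm, "name") in PERMISSION_INDICATORS:
            found.add(PERMISSION_INDICATORS[_attr(perm, "name")])
    for receiver in root.iter("receiver"):
        # A device-admin receiver must be protected by BIND_DEVICE_ADMIN.
        if _attr(receiver, "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device_admin")
        for action in receiver.iter("action"):
            # Handling SMS_DELIVER is a prerequisite for becoming the default SMS app.
            if _attr(action, "name") == "android.provider.Telephony.SMS_DELIVER":
                found.add("default_sms_app")
    return found

# Device admin + default SMS handler + SMS interception is the combination described above.
SUSPICIOUS_COMBO = {"device_admin", "default_sms_app", "sms_intercept"}

def is_suspicious(manifest_xml: str) -> bool:
    return SUSPICIOUS_COMBO <= triage_manifest(manifest_xml)

# Constructed sample manifest for demonstration only; not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run it on a manifest decoded with a tool such as apktool; a hit on the combination is a triage lead, not a verdict, since legitimate SMS or MDM apps declare some of the same elements.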
According to Avast, the Trojan was most active in the first half of February, and it mainly targeted users in Russia, followed by Germany, the U.S. and the Czech Republic.
To stay protected, users should make sure they have an anti-malware program installed on their devices, and should also keep their data backed up at all times. Should the infection occur, however, users might be forced to reset their devices to factory settings to remove all installed apps and user data, including the malware.
Some of the most recent Android banking Trojans spotted in the wild include Asacub, which evolved from a spyware Trojan into a backdoor and then into banking malware; SlemBunk, a continuously evolving family with 170 samples identified in mid-December that targeted users of 33 banking applications worldwide; and Xbot, whose malicious activities range from stealing banking credentials and credit card information to encrypting files on external storage.