
Android Trojan Steals Credit Card Info, Locks Devices Remotely

A new Android banking Trojan capable of spying on users and stealing credit card info is achieving persistency on infected devices by asking for device administrator rights and continuously showing the dialog window until the user gives in.


Researchers at Avast warn that the new Banker Trojan relies on social engineering and employs various evasion techniques in an attempt to remain undetected on the compromised devices.

The malicious program is installed on the infected devices under different names, including AVITO-MMS, KupiVip and MMS Центр (MMS Center), depending on the sample. After installation, an app icon is placed in the launcher, but the icon is hidden after the program’s first run, to make the Trojan more elusive.

The malware also checks whether it runs in an emulator, and, if it doesn’t, it starts a background timer that shows the Device Admin activation dialog in a continuous loop, even if the user presses the “Cancel” button. However, the dialog disappears if the user gives in and enables device administrator rights for the app.

After gaining admin rights, the malware repeats the process, but for setting the default SMS manager app. By gaining device admin rights, the Trojan makes it more difficult for users to uninstall it, while also allowing its operators to remotely lock the device, researchers say.
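The two capabilities described above (requesting Device Administrator rights and registering as the default SMS app) both leave static traces in an app's AndroidManifest.xml, as do the permissions needed for the data the Trojan collects. The following Python script is an added triage example, not Avast's code or anything from the article: it parses a manifest and reports a device-admin receiver, the SMS_DELIVER receiver a default-SMS app must declare, and the data-access permissions that line up with the reported exfiltration. The sample manifest is constructed for illustration; the package name and component names are invented.

```python
"""Static triage of an AndroidManifest.xml for the capabilities the article
describes: a device-admin receiver, the receiver a default-SMS app needs, and
permissions matching the data the Trojan reportedly sends to its C&C server.
The sample manifest below is constructed; nothing here comes from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Return the namespace-qualified form of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Real Android permissions mapped to the data the article says is collected.
DATA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI, SIM serial, phone number)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read the SMS inbox",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
}


def _actions(component):
    """Collect every intent-filter action name declared on a component."""
    return {act.get(a("name"))
            for flt in component.findall("intent-filter")
            for act in flt.findall("action")}


def triage_manifest(xml_text):
    """Return a list of human-readable findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings

    for recv in app.findall("receiver"):
        actions = _actions(recv)
        perm = recv.get(a("permission"))
        # A DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN and
        # listen for DEVICE_ADMIN_ENABLED; that is what the admin dialog enables.
        if perm == "android.permission.BIND_DEVICE_ADMIN" and \
                "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings.append("device-admin receiver: app can request Device Administrator rights")
        # Becoming the default SMS app requires a BROADCAST_SMS-protected
        # receiver for SMS_DELIVER (the system hands it every incoming SMS).
        if perm == "android.permission.BROADCAST_SMS" and \
                "android.provider.Telephony.SMS_DELIVER" in actions:
            findings.append("SMS_DELIVER receiver: app is eligible to become the default SMS app")

    requested = {p.get(a("name")) for p in root.findall("uses-permission")}
    for perm, meaning in DATA_PERMISSIONS.items():
        if perm in requested:
            findings.append("%s: %s" % (perm, meaning))
    return findings


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.mmscenter">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="MMS Center">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

None of these declarations is malicious on its own (a legitimate MDM agent or messaging app has the same ones), so the value is in the combination: a device-admin receiver plus default-SMS eligibility plus phone-state, SMS and location permissions in an app presenting itself as an MMS utility is worth a closer look. Hiding the launcher icon after first run, as the article describes, happens at runtime and is not visible in the manifest, so static triage must be paired with dynamic analysis for that indicator.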

On smartphones running Android Marshmallow, users can try to uninstall the application despite the continuous flood of request dialogs by opening Settings from the top-down swipe. Owners of devices running Android KitKat, however, aren't as fortunate and can get rid of the malware only after a factory reset.

The Trojan was designed to send information about the device to the command and control (C&C) server, to intercept incoming SMS messages and send them to the server, and to receive further commands from its operators.

The information sent to the C&C server includes the device IMEI, ISO country code, SIM operator name, Android build version, phone number, SIM serial number, whether the app has admin rights and whether it is the default SMS app, the current version number of the Trojan, and a generated unique user ID for the phone.

Upon command, the Trojan can display a fake Google Play window on the infected device, prompting the victim to enter their credit card information. The malware also supports commands for downloading an APK and prompting the user to install it, locking the screen, and redirecting calls to a specific number. Moreover, it can get call logs, SMS inbox, bookmarks, contacts, a list of installed apps, and GPS coordinates of the device and send them to the C&C server.

According to Avast, the Trojan was most active in the first half of February, and it was mainly targeting users in Russia, followed by Germany, the U.S. and the Czech Republic.

To stay protected, users should make sure they have an anti-malware program installed on their devices, and should also keep their data backed up at all times. Should the infection occur, however, users might be forced to reset their devices to factory settings to remove all installed apps and user data, including the malware.

Some of the most recent Android banking Trojans spotted in the wild include Asacub, which evolved from a spyware Trojan to a backdoor and then a banking malware; SlemBunk, a continuously evolving piece of malware, with 170 samples identified in mid-December targeting users of 33 banking applications worldwide; and Xbot, which exhibits multiple malicious activities, ranging from stealing banking credentials and credit card information to encrypting files on external storage.
