Security Experts:

Asacub Android Malware: Spyware, Banking Trojan, and Backdoor

An active Android threat in early 2016 is Asacub, a mobile malware Trojan that has been used to infect thousands of users in Russia in a recent SMS spam campaign, researchers warn.

Dubbed Trojan-Banker.AndroidOS.Asacub, the malware was recently found to have initially emerged on the threat landscape as a spyware Trojan and to have one of its command and control (C&C) servers at chugumshimusona[.]com, also used by CoreBot, a Windows Trojan that appeared in August 2015. In September, CoreBot was said to have become a full-fledged banking Trojan, and Asacub is now said to have followed a similar path.

The malware was used in an a week-long campaign from Dec. 28, 2015 to Jan. 4, 2016, which affected more than 6,500 unique users in Russia via SMS spam, but the activity has declined, a recent post on Kaspersky Lab’s Securelist reveals.

The Asacub variant used in this campaign is said to be the last modification known to date, and focused on grabbing banking information from infected devices. However, the malware has seen at least three major modifications in the past half a year, as cybercriminals changed it from spyware to a banking Trojan, Kaspersky says.

Spotted in June 2015, Asacub was designed to steal all incoming SMS messages from infected devices, and to upload them to a malicious server. It also supported various commands received from the C&C server, such as accessing browser history,  contacts, and a list of installed applications. The threat was also able to turn off the phone’s screen, and send SMS with a specified text to a specified number.

In July, a second Asacub variant emerged, which used logos of European banks in their interface and added support for more functions. It could delete SMS, set a new time interval for contacting the C&C and upload it to the C&C, mute the phone, keep device processor running while screen is off, and execute commands in the device’s command line.

Researchers also discovered a Reverse shell command in the Trojan, which allows cybercriminals to execute commands on the device and see the outputs of these commands.

Another variant, which was detected in September 2015, changed functionality and is more focused on stealing banking information compared to previous variants. It also includes a series of phishing screens with bank logos, including one for a large Russian bank, albeit the text in the screen referred to Ukrainian bank Privat24.

In addition to displaying a phishing window used to steal bank card data, the malware is also able to upload user information to a malicious server, can enable call forwarding to a specified number, run a specified USSD request, download and install a file, turn off phone’s screen, and send SMS, Kaspersky said. It was also found to include the logo of a US bank, although no attacks in the US have been registered so far.

Toward the end of 2015, a fresh Asacub modification, the one used in the Russian SMS spam campaign, was found to be sending device’s coordinates to the attacker and could take snapshots with the phone’s camera. A network_protocol command was also found in the Trojan, expected to be used in the future to interact with the C&C server, but apparently doing nothing at the moment.

Some of the most recent Android banking Trojans spotted in the wild include Bankosy, which was designed to deceive voice call-based two-factor authorization (2FA) systems, and SlemBunk, a piece of malware found to be continuously evolving, with 170 samples identified in mid-December to target users of 33 applications offered by banks and service providers in North America, Europe and Asia-Pacific.

view counter