
Asacub Android Malware: Spyware, Banking Trojan, and Backdoor

An active Android threat in early 2016 is Asacub, a mobile malware Trojan that has been used to infect thousands of users in Russia in a recent SMS spam campaign, researchers warn.

Dubbed Trojan-Banker.AndroidOS.Asacub, the malware was recently found to have initially emerged on the threat landscape as a spyware Trojan and to have one of its command and control (C&C) servers at chugumshimusona[.]com, also used by CoreBot, a Windows Trojan that appeared in August 2015. In September, CoreBot was said to have become a full-fledged banking Trojan, and Asacub is now said to have followed a similar path.

The malware was used in a week-long campaign from Dec. 28, 2015 to Jan. 4, 2016, which affected more than 6,500 unique users in Russia via SMS spam; the activity has since declined, a recent post on Kaspersky Lab's Securelist reveals.

The Asacub variant used in this campaign is the latest modification known to date, and it focuses on grabbing banking information from infected devices. The malware has gone through at least three major modifications in the past half year, as the cybercriminals turned it from spyware into a banking Trojan, Kaspersky says.

Spotted in June 2015, the first Asacub variant was designed to steal all incoming SMS messages from infected devices and upload them to a malicious server. It also supported various commands received from the C&C server, such as retrieving the browser history, the contact list, and the list of installed applications. The threat was also able to turn off the phone's screen and to send an SMS with attacker-specified text to an attacker-specified number.

In July, a second Asacub variant emerged, which used the logos of European banks in its interface and added support for more commands. It could delete SMS messages, set a new time interval for contacting the C&C, upload files to the C&C, mute the phone, keep the device's processor running while the screen is off (a wake lock), and execute commands in the device's command line.

Researchers also discovered a reverse shell command in the Trojan, which allows the cybercriminals to execute commands on the device and see their output.

Another variant, detected in September 2015, changed functionality and is more focused on stealing banking information than the previous variants. It includes a series of phishing screens with bank logos, including one for a large Russian bank, although the text on that screen referred to the Ukrainian bank Privat24.

In addition to displaying a phishing window used to steal bank card data, the malware can upload user information to a malicious server, enable call forwarding to a specified number, run a specified USSD request, download and install a file, turn off the phone's screen, and send SMS messages, Kaspersky said. It was also found to include the logo of a US bank, although no attacks in the US have been registered so far.

Toward the end of 2015, a fresh Asacub modification, the one used in the Russian SMS spam campaign, was found to send the device's coordinates to the attacker and to take snapshots with the phone's camera. A network_protocol command was also found in the Trojan, apparently intended for future interaction with the C&C server, but doing nothing at the moment.
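The capability set described above (SMS interception and sending, call forwarding and USSD requests, location, camera, wake lock, contacts, file installation) maps onto a recognisable cluster of Android permissions, which is the cheapest static triage signal an analyst has before unpacking a sample. The following is an added example written for this article, not Kaspersky's detection logic or code from the malware: it parses a decoded AndroidManifest.xml, groups the requested permissions by the behaviour they enable, and additionally checks for a high-priority SMS_RECEIVED receiver, the classic trick SMS-stealing Trojans used on pre-KitKat Android to see (and suppress) incoming messages before the default SMS app. The permission-to-behaviour mapping and the scoring thresholds are the author's assumptions; the two manifests are constructed inline so the script runs offline.

```python
"""Static triage of an Android manifest for an Asacub-like capability set.

Added example for this article; the permission groupings and the
'suspicious' threshold are heuristics chosen here, not Kaspersky's rules.
"""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PRIO_ATTR = "{%s}priority" % ANDROID_NS
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Behaviour -> permissions that make it possible (assumed mapping, based on
# the Android permission model rather than on the malware's own manifest).
CAPABILITY_PERMS = {
    "sms_theft": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_forward_ussd": {"android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "keep_cpu_awake": {"android.permission.WAKE_LOCK"},
    "install_apk": {"android.permission.REQUEST_INSTALL_PACKAGES",
                    "android.permission.INSTALL_PACKAGES"},
    "contacts": {"android.permission.READ_CONTACTS"},
}


def parse_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def sms_receiver_priority(manifest_xml):
    """Highest android:priority of any intent-filter listening for SMS_RECEIVED (0 if none).

    Ordered-broadcast priority near Integer.MAX_VALUE is how older SMS Trojans
    got first look at incoming messages and could abort delivery to the user.
    """
    root = ET.fromstring(manifest_xml)
    best = 0
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                best = max(best, int(flt.get(PRIO_ATTR, "0")))
    return best


def capabilities(perms):
    """Behaviours enabled by the requested permission set."""
    return {cap for cap, needed in CAPABILITY_PERMS.items() if perms & needed}


def triage(manifest_xml):
    """Score a manifest; 'suspicious' needs SMS theft plus at least three other behaviours."""
    perms = parse_permissions(manifest_xml)
    caps = capabilities(perms)
    prio = sms_receiver_priority(manifest_xml)
    score = len(caps) + (1 if prio >= 1000 else 0)  # threshold is an assumption
    verdict = "suspicious" if "sms_theft" in caps and len(caps) >= 4 else "low"
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "sms_receiver_priority": prio,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample manifests (not taken from any real sample).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

Feed it the manifest produced by `apktool d sample.apk` (the binary manifest inside the APK must be decoded first). The check is deliberately coarse: a legitimate banking or messaging app can request several of these permissions, so treat the verdict as a reason to unpack and look at the C&C handling, not as a conviction.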

Other Android banking Trojans spotted recently include Bankosy, which was designed to defeat voice-call-based two-factor authentication (2FA) by forwarding calls, and SlemBunk, a continuously evolving piece of malware with 170 samples identified in mid-December that target users of 33 applications offered by banks and service providers in North America, Europe and Asia-Pacific.
