Asacub Android Malware: Spyware, Banking Trojan, and Backdoor

An active Android threat in early 2016 is Asacub, a mobile malware Trojan that has been used to infect thousands of users in Russia in a recent SMS spam campaign, researchers warn.

Dubbed Trojan-Banker.AndroidOS.Asacub, the malware was recently found to have initially emerged on the threat landscape as a spyware Trojan and to have one of its command and control (C&C) servers at chugumshimusona[.]com, also used by CoreBot, a Windows Trojan that appeared in August 2015. In September, CoreBot was said to have become a full-fledged banking Trojan, and Asacub is now said to have followed a similar path.

The malware was used in a week-long campaign from Dec. 28, 2015 to Jan. 4, 2016, which affected more than 6,500 unique users in Russia via SMS spam, but the activity has since declined, a recent post on Kaspersky Lab’s Securelist reveals.

The Asacub variant used in this campaign is said to be the latest modification known to date, and is focused on grabbing banking information from infected devices. However, the malware has seen at least three major modifications in the past half year, as cybercriminals turned it from spyware into a banking Trojan, Kaspersky says.

Spotted in June 2015, Asacub was designed to steal all incoming SMS messages from infected devices and upload them to a malicious server. It also supported various commands received from the C&C server, such as accessing browser history, contacts, and the list of installed applications. The threat was also able to turn off the phone’s screen and send an SMS with a specified text to a specified number.

In July, a second Asacub variant emerged, which used logos of European banks in its interface and added support for more functions. It could delete SMS messages, set a new time interval for contacting the C&C and report it to the C&C, mute the phone, keep the device’s processor running while the screen is off, and execute commands in the device’s command line.

Researchers also discovered a reverse shell command in the Trojan, which allows cybercriminals to execute commands on the device and see the output of those commands.

Another variant, detected in September 2015, changed functionality and is more focused on stealing banking information than previous variants. It also includes a series of phishing screens with bank logos, including one for a large Russian bank, although the text on that screen referred to the Ukrainian bank Privat24.

In addition to displaying a phishing window used to steal bank card data, the malware is also able to upload user information to a malicious server, enable call forwarding to a specified number, run a specified USSD request, download and install a file, turn off the phone’s screen, and send SMS messages, Kaspersky said. It was also found to include the logo of a US bank, although no attacks in the US have been registered so far.

Toward the end of 2015, a fresh Asacub modification, the one used in the Russian SMS spam campaign, was found to be sending the device’s coordinates to the attacker and could take snapshots with the phone’s camera. A network_protocol command was also found in the Trojan, expected to be used in the future to interact with the C&C server, but apparently doing nothing at the moment.

Some of the most recent Android banking Trojans spotted in the wild include Bankosy, which was designed to deceive voice call-based two-factor authorization (2FA) systems, and SlemBunk, a piece of malware found to be continuously evolving, with 170 samples identified in mid-December to target users of 33 applications offered by banks and service providers in North America, Europe and Asia-Pacific.
