The cybercriminals behind a campaign first analyzed in 2014 continue to improve their Android malware, adding anti-analysis mechanisms, device rooting capabilities, and remote access via the TeamViewer app.
Operation Emmental was discovered by Trend Micro researchers in 2014, when attackers leveraged a combination of Android malware, rogue DNS servers and phishing websites to steal user data and bypass the SMS-based two-factor authentication systems of many financial institutions in Europe and Japan.
The security firm revisited Operation Emmental in January 2016, after noticing that the cybercriminals had updated their malware with a feature designed to lock users out of their smartphones. The malicious applications, named “SmsSecurity,” were designed to mimic one-time password (OTP) generators for various banks and the goal of the lockout feature was most likely to keep the victims occupied while their bank accounts were looted.
Trend Micro on Thursday reported that the SmsSecurity apps have been enhanced with new capabilities. In addition to stealing passwords found in SMS messages, the Android malware, detected as ANDROIDOS_FAKEBANK.OPSA, is now designed to make dynamic analysis more difficult.
Furthermore, the Trojan tricks users into activating accessibility services, which allows it to simulate user actions on the infected phone. Accessibility services are abused to install a device rooting tool and provide administrator privileges to the malware without any user interaction.
The SmsSecurity applications also install the TeamViewer QuickSupport app, enabling attackers to remotely take control of the infected device.
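The capability set described above (SMS interception, an accessibility service, a device-admin receiver, and package installation) is visible statically in an app's manifest, which is where a triage analyst would look first. The following Python script is an added example, not Trend Micro's tooling or anything from the campaign itself: it parses a manifest and reports which of those indicators are present. The permission and action names are real Android identifiers; the two manifests and the package name `com.example.otpgen` are constructed for illustration.

```python
"""Static triage of an AndroidManifest.xml for the SmsSecurity-style capability
combination: SMS access + accessibility service + device admin + package install.
Added example; sample manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def _attr(el, name):
    """Read an android:-namespaced attribute such as android:name."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return a dict of boolean indicators plus a simple count-based score."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []

    findings = {
        # Reads incoming SMS: needed to harvest SMS-delivered one-time codes.
        "reads_sms": bool(perms & SMS_PERMS),
        # Declares an accessibility service: can observe and simulate UI actions.
        "accessibility_service": any(_attr(s, "permission") == ACCESSIBILITY_BIND
                                     for s in services),
        # Declares a device-admin receiver: can lock the screen, resist removal.
        "device_admin": any(_attr(r, "permission") == DEVICE_ADMIN_BIND
                            for r in receivers),
        # Asks to install other packages (e.g. a rooting tool or remote-access app).
        "installs_packages": INSTALL_PERM in perms,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    # The article's profile: SMS theft automated through accessibility + device admin.
    findings["matches_profile"] = (findings["reads_sms"]
                                   and findings["accessibility_service"]
                                   and findings["device_admin"])
    return findings


# Constructed manifest mimicking a fake OTP-generator app with the full capability set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otpgen">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a benign OTP app: it needs none of the indicators above.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otpgen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

On a real APK the manifest is binary-encoded and must first be decoded (for instance with `apktool` or `aapt dump xmltree`); the check above operates on the decoded XML. A high score is a triage signal, not a verdict: legitimate accessibility tools and MDM agents declare some of these components, so the result should feed a review, not an automatic block.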
The malware is designed to work on devices set to languages such as English, German, Italian and French. The fake apps target banks in several European countries, including Austria, Hungary, Germany, Switzerland and Romania. It’s worth noting that many of the targets are cantonal banks, Swiss government-owned commercial banks.
“The relatively wide geographical distribution of these targets would explain the multilingual nature of its routines, as the targeted customers may be fluent in various languages,” Trend Micro researchers explained in a blog post.
“These new SmsSecurity variants represent an evolution in the capabilities of SmsSecurity. The use of Android’s accessibility features to implement malicious routines is a novel way to carry out automated activity that may well be imitated by other mobile malware families in the future,” they added.