MoqHao Banking Trojan Targets South Korean Android Users

A recently spotted Android banking Trojan targeting South Korean users via SMS phishing messages (smishing) was linked to an infection campaign from two years ago, McAfee security researchers reveal.

The mobile phishing messages attempt to lure users into executing malware by claiming to link to a leaked private picture, or by posing as a Chrome update. Once the user clicks on the shortened link in the message, however, the banking Trojan dubbed MoqHao is installed.

Once a device has been compromised, the malware can send phishing SMS messages to the user’s contacts; can leak sensitive information, including received SMS messages; can install Android apps provided by the command and control (C&C) server; can execute remote commands and return results, and can gather sensitive information via a local Google phishing website, McAfee discovered.

During installation, the malware requests various permissions that allow it to perform its nefarious operations, such as call phone numbers, acccess contacts, and read text messages. Next, the threat requests admin privileges to achieve persistence, and displays the request window continuously, even if the user dismisses it.

MoqHao then dynamically registers a broadcast receiver for system events such as new package install, screen state, SMS messages, and more, which allows it to spy on the user activities and send device status information to the C&C. The malware also connects to the first-stage remote server and dynamically receives the IP for the second-stage server from the user profile page of Chinese search engine Baidu.

After connecting to this server, the malware sends a message containing device information such as: UUID, IMEI, Android version, device product name, build ID string, root status, SIM status, phone number, and registered accounts. Other details are periodically sent to the server, including: network operator and type (LTE, GPRS), MAC address, battery level, Wi-Fi signal level, device admin rights, screen on/off, ringer mode, and whether current package is ignoring battery optimization or not.

The Trojan checks infected devices for major Korean bank apps and downloads relevant fake or Trojanized versions of these programs if it finds them. Next, it alerts the victim that an update is available for the targeted app. Once the victim approves the update, the malicious app replaces the legitimate one.

During analysis, however, the malware’s requests to download the malicious apps resulted in an error. According to McAfee, the functionality might not be implemented or not in use, given that infected users haven’t reported attempted installation of additional APK files.

The security researchers first observed Android/MoqHao in January, but that seemed more like a test version. Updated variants of the malware were observed in February and March, but the first non-test iteration emerged only in May.

The banking Trojan, the researchers say, appears connected to a May 2015 attack targeting users in South Korea via a phishing message in the default web browser. Although that message was very similar to those spreading Android/MoqHao and the two malware variants share some behavior and functionality, the threats have completely different code bases.

“The similarities between the 2015 and 2017 phishing campaigns suggests the same cybercriminals, who have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component as well as the dynamically loaded payload,” McAfee says.

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: SpyDealer Malware Steals Private Data From Popular Android Apps