Android users in Russia who conduct online banking from their smartphones have been targeted with a piece of malware designed to steal sensitive information and allow malicious actors to make fraudulent transactions.
The threat, dubbed ZBot by Russian antivirus firm Doctor Web, possibly because it’s designed for the same purpose as the notorious Zbot (Zeus) Trojan, has been targeting Russian users since February 2015.
The first variant of the malware is detected by Dr. Web as Android.ZBot.1.origin. Newer versions, detected as Android.ZBot.2.origin and Android.ZBot.3.origin, have the same features, but they have been obfuscated by developers in an effort to make them more difficult to detect.
The malware is disguised as legitimate Android apps, particularly the Google Play application, and is delivered via fraudulent or compromised websites. Once it’s installed on a device, the Trojan attempts to obtain administrator privileges and displays an error message instructing the victim to reboot the system.
If it fails to trick users into granting it admin privileges, ZBot displays a Google Play phishing page where victims are instructed to enter payment card data, including card number, cardholder name, expiration date and CVV. This phishing page is also displayed for a limited period of time even if the malware obtains admin privileges, Dr. Web said in a blog post.
If it manages to obtain admin privileges on the device, the malware is automatically launched when the phone is booted. Its operators can command ZBot to send SMS messages to specified numbers, make phone calls, send text messages to the victim’s contacts, intercept incoming SMSs, track location via GPS, and display phishing pages on top of specified applications. Researchers noted that some of the malicious features are implemented using external libraries that are stored inside the Trojan’s package.
The Trojan monitors the victim’s activity and when an application of interest is detected, a specially designed phishing page is displayed on top of it. The threat is designed to target the customers of numerous banks that operate in Russia. Since some banks allow users to conduct operations via SMS, the malware also attempts to directly steal money from bank accounts by sending special SMS commands from the infected Android phone.
As for the phishing pages, they are downloaded from a remote server and displayed using WebView, the Android component that allows apps to display web content. The malicious actors are trying to obtain usernames, passwords and other information they can use to conduct fraudulent transactions.
To make everything more legitimate-looking, the injected window is tied to the targeted application and if the victim taps the back button they are taken to the legitimate app screen.
Tens of thousands of devices have been infected with ZBot since February. Researchers have identified more than 20 command and control (C&C) servers and 15 of them are still active.
Dr. Web has found three sub-botnets, each consisting of hundreds or thousands of infected devices.
“The large number of the active Android.ZBot.1.origin subnets means that this Trojan is a commercial product and is distributed through underground hacker markets where it can be purchased by a single cybercriminal or by organized group of virus makers,” experts noted in a blog post. “It is also proved by the fact that the administration panel for the botnets that were created based on the devices infected by Android.ZBot.1.origin has a limited license and is used as a subscription service.”
Researchers believe cybercriminals could start using ZBot to target Android users in Europe and the United States as well.
Related Reading: Rootnik Trojan Modifies Legitimate Root Tool to Hack Android Devices