Banking Trojan found in Google Play
Banking Trojans are not new to the cyber-crime world. It is a malicious computer program designed to gain access to confidential banking information. This type of malicious system program is built with a backdoor to allow third parties to gain access to the system.
As the security technologies especially in banking domain continue to improve, malware codes are being constantly evolved to evade detection. The financial cyber-crime landscape is hence, constantly changing and evolving to keep pace with the rising awareness and the increasing effectiveness of banking controls.
With the increasing popularity of mobile among people for carrying out any transaction, cyber-criminals have embraced mobile as their platform of choice to carry out fraudulent activities. Since 2015 there has been a tremendous increase in the design and launch of fake mobile apps to deceive users. The nature of fake application depends on the goals of cyber-criminals who use different strategies to build and deploy them.
Android Malware Stealing Banking Information
Recent research revealed that a Banking Trojan found in Google Play. A malicious app intending to automatically record voice and calls was found in the official Android store.
QRecorder app, a phone call recording utility is known to have stolen thousands of euros from two European individuals. 10,000 downloads of the app reveal the app popularity among the masses. The call recorder app worked as advertised in order to avoid any kind of suspicion.
The huge number of downloads reveal that the app worked properly initially. The malware is expected to have been added in the last update.
Razdel- A BankBot variant Responsible for the malice
The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating:
- Remote access Trojan functions,
- SMS interception,
- UI (User Interface) Overlay with masqueraded pages etc.
Once the app is installed on your mobile:
- It seeks permission to cover other applications on your phone with its interface.
- The Trojan is programmed to intercept the text messages.
These features are sufficient to embezzle users of their hard earned money. Intercepting text messages was leveraged to bypass two- factor authentication code that user received via SMS. Fake Screen overlay was used to put the banking credentials and other details straight in the hands of threat actors.
Moreover, within 24 hours of installation, the Banking Trojan found in Google Play develops a connection with the C&C (Command & Control) server. The successful installation of the fraud app is followed by a malicious script from the server that scans the device for specific German, Polish and Czech banking apps like:
- Raiffeisen Bank,
- ČSOB and Česká Spořitelna two of the largest banks in the Czech Republic
- Air Bank
- Bank Austria etc.
So, whenever the targeted banking app was launched, the malware covered it with a phishing screen to collect the username and password. The collected information was then sent to the malware authors.
While this malicious app has been removed from the official Android store, Google is constantly striving against cyber criminals attempting to use the official Android marketplace to distribute malware. Recently the official app store was criticised for housing apps that entangled users in a booby trap without their knowledge. These include :
How to protect against installing malicious apps?