March 9, 2020
By David Bisson 2 min read

Security researchers observed attackers using unofficial webpages in an attempt to target Russian financial institutions with the Geost banking Trojan.

By reverse engineering a sample of Geost, Trend Micro learned that digital attackers primarily relied on unofficial webpages with randomly generated server hostnames to distribute the banking Trojan. As such, the malware specifically targeted Android users without access to the Google Play store and those inclined to search for programs not available on Google’s official Android marketplace.

One sample discovered by Trend Micro arrived in an application with the name “установка,” which is Russian for “setting.” The app used the Google Play logo to trick users into downloading it from an obscure web server. Unsurprisingly, this program hid its logo upon successful installation. It then demanded that its victims grant it important administrator privileges, including the ability to access SMS messages for the purpose of receiving confirmation text messages from Russian banking services.

Other Malware Threats Confronting Russian Banks

Geost first attracted the security community’s attention in October 2019. At that time, Virus Bulletin published a research paper detailing the activities of the Trojan. This briefing revealed that the malware had infected 800,000 victims at the time of discovery.

It’s important to note that Geost isn’t the first banking Trojan that’s targeted Russian financial institutions. Back in June 2019, for instance, Kaspersky Lab discovered that new variants of the Riltok Trojan family had expanded beyond their normal scope of Russian banks to include organizations in France, Italy and the United Kingdom.

How to Defend Against the Geost Banking Trojan

Security professionals can help their organizations defend against the Geost banking Trojan and similar threats by preventing employees from downloading apps from unofficial marketplaces onto their work devices. Infosec personnel should also invest in a unified endpoint management (UEM) solution for the purpose of automatically uninstalling infected mobile apps upon detection.

 |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...

More from

News   March 27, 2023

More School Closings Coast-to-Coast Due to Ransomware

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks. The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase. In a recent warning, the nation’s…

Risk Management   March 27, 2023

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

Risk Management   March 24, 2023

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Threat Research   March 23, 2023

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature