New Android Banking Trojan Targets Spanish, Portuguese Speaking Users

April 21, 2020
|
co-authored by Limor Kessem
|
6 min read

IBM X-Force research recently analyzed a new Android banking Trojan that appears to be targeting users in countries that speak Spanish or Portuguese, namely Spain, Portugal, Brazil and other parts of Latin America. This Trojan, which was created atop an existing, simpler SMSstealer.BR, was supplemented with more elaborate overlay capabilities. That portion of the malware was coined “Banker.BR”.

At this time, the malware is being spread by messages that lead users to a malicious domain controlled by the attackers. Users are told that they need to download the most recent version of a supposed security app required for mobile banking. If they click to download the update, they unwittingly launch the download from a legitimate file sharing platform.

Since this app downloads from a third-party source, an action not authorized by default on Android devices, a note shown to the potential victim instructs them on how to enable side-loading through the device’s Settings menu.

Figure 1: New banking malware asks users to enable side-loading

In its current state, this malware can enable phishing via an overlay attack, thereby stealing users’ online banking credentials, it can allow the attacker to take over users’ bank accounts, and it can enable the theft of two-factor authentication (2FA) codes sent via SMS. These elements can help attackers complete fraudulent transactions from victims’ bank accounts.

A New Codebase

According to our analysis, Banker.BR’s code is entirely new and does not rely on previously leaked code or existing mobile malware. While our team has seen earlier versions of this Trojan, which only featured a basic SMS stealer, this blog focuses on the new, and more elaborate, feature of the overlay malware capability — a tactic common to most Android banking malware.

At first, this malware was only able to steal SMS messages, and attackers using it likely obtained user credentials from other sources, such as phishing attacks and underground credential vendors. As it evolved, it added the overlay attack feature to bring the phishing phase into the infected device as well.

While it has the same capabilities as other malware in this class, it lacks the ability to pull overlay images from its command-and-control (C&C) server in real time, calling on embedded screens in its own resources on the device, which is less agile than methods used by other malware.

While most apps are implemented in the Java/Kotlin programming languages, which are part of the Android studio development essentials platform, Banker.BR’s is programmed in the B4X programming language. B4X is a modern version of Visual Basic that’s part of a suite of rapid integrated development environments (IDEs) used in the creation of applications for Android and iOS operating systems. It is not often used in the creation of malware apps.

Lack of Anti-Research Features

We noticed some features that are not presently a part of this malware’s overall deployment:

  • The malware is not packed or obfuscated, making it easier to reverse-engineer, although the use of a niche IDE does create overhead code that can be more challenging to reverse.
  • Unlike similar malware, before installing on the device, this new Trojan does not verify whether it is being run in a virtualized environment or check if it is being debugged. In that sense, it lacks anti-research features, which makes it easier to analyze.
  • We have not been able to find any proxy capabilities or any call manipulation features.

Establishing Persistence

Persistence on the device is established by using a receiver with a broadcast. The receiver is an Android component that allows apps to register for notifications about system and app events. In this case, the malware app registers to be notified about the ACTION_BOOT_COMPLETED system event, which is sent out once the system completes a new boot process.

When the notification arrives, the malware runs itself without the user’s intervention.

Malicious Permission Granting

Banker.BR abuses the Accessibility service to grant itself the permissions it requires without asking the user and without the victim’s knowledge. This is achieved by programmatically clicking the “Allow” button on system screens that request the user to allow or deny runtime permissions.

The malware does this faster than a human can, thus not giving users a chance to react or to deny the malware from receiving the permissions it asks for. Banker.BR can further grant itself additional permissions once it has allowed the initial ones.

Figure 2: Auto approval of permissions

The permissions sought by this malware include:

  • Read phone state
  • Camera access
  • Read contacts
  • Read and receive SMS
  • Write to external storage

Figure 3: Banker.BR permission list

Exfiltrating Device Information and SMS Content

After installation, the malware collects some device information and sends it to the attacker’s C&C, which is a domain address hardcoded into the malware. This information includes the following:

  • Phone number
  • International Mobile Equipment Identity (IMEI)
  • International Mobile Subscriber Identity (IMSI)
  • SIM Serial Number (SSN)
  • Unique Bot ID randomized by the malware for each device

When active, the malware can also steal and exfiltrate SMS messages, which allows it to grab 2FA codes sent to the user by their bank or other service providers. The malware registers a receiver to handle newly received SMS (SMS_RECEIVED) on runtime, and not in Manifest, which enables the malware to keep this function invisible to the user.

Figure 4: Banker.BR SMS control

Active in the Background and Taking Action on Trigger

Banker.BR remains silently active in the background of a device, monitoring the applications the user opens as it awaits a target app to be launched.

Abusing the Accessibility service on the device, a relatively common way for Android malware apps to keep tabs on which app is running in the foreground, it waits for a match with the goal of launching overlay screens at the right time and context to fool the user into tapping their credentials into the overlay.

 

Figure 5: Malware awaits targeted apps to be launched

This is achieved by listening for onaccessibilityevent and event type TYPE_WINDOW_STATE_CHANGED, which would mean that the user’s interface had changed.

Next, the malware calls the function _acs_onactivitynameretrieved, which will verify if the activity’s name matches one of its targets. If a match is detected, the malware will call on the corresponding overlay screen to match that bank app’s look and feel.

Figure 6: Banker.BR targeted apps with bank names blurred (Source: IBM X-Force)

The overlay screen would typically feature the bank’s logo and ask for the user’s sign-in credentials.

Unlike other malware in this class, the overlay screens are embedded into the malware and not retrieved from the attacker’s C&C server in real time. This is a less agile method that does not allow for on-the-fly updates to fake screens but rather requires a malware update to deliver changes. It also exposes all the available screens to outsiders analyzing the malware.

Figure 7: Sample overlay screen requiring the user to enter their account sign-in credentials

Targets

At this time, the targets we have observed for this new malware are focused on banks in Brazil. In some cases, major banks targeted by this app also operate in other parts of the world, namely Spain, Portugal and across Latin America, which could be indicative of the attackers’ current location or origins.

Malware of this type is extremely simple to redirect to other regions by changing the target list and embedded screens, thereby modifying its attack turf and potential targets. It can target banks but can also be used to target the user credentials of any other app on the device or for stealing payment card data under the guise of a Google Play store request.

Continued Development

IBM X-Force researchers note that Banker.BR is seeing continued development with new screens being added for additional targeted banks and expected code enhancements in the coming months.

To keep up to date on further analysis and emerging threat intelligence, read our Security Intelligence blogs and join us on X-Force Exchange.

Indicators of Compromise (IoCs)

SHA-256 of earlier versions — SMS stealer only

39a197185f7fa277108c2f240dda7ebbe174f8740ba78d8f88f1eb448b60159e
fae34dd516a00dc0c2c2cc8e5a026648f3a60db66cc3c480ff605daf04e25d1c
165394fecd7dcfa01a3c5d60489fe51c87aa7743f3775cd9c075988142fa0dd6
710ef119c573857e4607da5a36ddb9846db43b2ba44b257ebaf98d21ef40f7f6
0f1077ea1b0b39f7cbd3f00edac251c2f10cae578e37818184cc00b3853d1b49
b55bb0515d55c85afdc0da5afdf9dd9ff57b4b7c6ddfdda41d761d5d256118e7
cbc72184561f3b98c80a3901c6bcbcd648266fcb5724329db2a01569c0e46057
48a4210c09dd8539d386d80139fd38170cad06b0bbe47ee413b185f1410fe41f
58bd88693864b0375032d3507fe359e79d1ee179e51c5a7d1b2b8e17c8102a17
120f82c45c694fa7c22f1f2ed6ab0b08b8471d8f6d427af3282972a1a51744bd

SHA-256 of later versions — complete overlay malware

1e230466d1a01b1ff39494391d2d8abbd4cd0762cbfedc9576cfe576bc4cc347
634059e38477771fd8409ef2188a211a2f0d9a730fe1e50c0010c5785a2b2e3e
74a757389b24bcc100cc0407f1363301e63e54e93f53c5a52106db15fbd10316
001230e571bd73dfdc04d1f32f6b3e21cebb9eafea262edf1741c006c0fd5c61
9b18b0941932f68edfad08235226412a762965b651373ff3744514577bef2767
918a523725821000e0b882769a22d5c0f6d37cca1f5d437840e7372252a6b75e
95c25547034a532f8cada4220213e190d479d12d481ece3b160ee086cb9d26f1
d333fda60b5f62c61be6214e64fe79ee78c66bdd1f995736aeeb33cddc7494ea
C7e3cc7e5fc9a82f02939769b986f5c9ae3ed1b3a88fa24c2c26c7b1d042fb60

Ben Wagner
Mobile Security Researcher, IBM Security
Ben Wagner is a contributor for SecurityIntelligence.
Think On Demand banner
Think banner ad
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00