The page may not load correctly.
|Added to Dr.Web virus database:||2018-04-05|
|Virus description was added:||2018-04-05|
A banking Trojan for Android mobile devices. It is designed to steal money from Sberbank’s Russian-speaking clients. It is distributed via fraudulent text messages that invite the potential victims to follow the link and supposedly become familiar with the reply to the posted ad or with the information on a loan or a money transfer. Android.BankBot.358.origin is installed on smartphones and tablets as programs of Avito, Visa, Western Union and other popular applications.
When launched, the Trojan attempts to get administrative privileges of the mobile device. For this purpose, it displays a dialog in an infinite loop and forces user to provide the required privileges. Then Android.BankBot.358.origin displays a fake message about an installation error and deletes its icon from the list of programs on the home screen, thus hiding its presence in the system.
If an owner of an infected smartphone or tablet tries to recall administrator privileges from the Trojan, Android.BankBot.358.origin prevents it by closing the settings window. Some Trojan modifications also install their own lock screen PIN codes.
Control of the infected devices is implemented via HTTP and GCM (Google Cloud Messaging). It is performed in the administration panel.
After a successful infection, Android.BankBot.358.origin sends to the command and control server a request register that contains the following information about a device:
json.put("sid", this.api_panel_id); json.put("imei", this.getIMEI()); json.put("country", this.getCountry()); json.put("operator", this.getOperator()); json.put("phone", this.getPhone()); json.put("model", this.getModel()); json.put("version", this.getVersion()); json.put("application", this.context.getResources().getString(2131165185)); json.put("build", this.app_build); json.put("process_list", process_list); json.put("apps_list", apps_list); json.put("method", "register");
The Trojan can execute the following commands:
Depending on the response received from the server, the Trojan makes one of the following requests:
Each request is first encoded with Base64, then it is encrypted with the AES key and converted using the bytes to hex method. The obtained string is sent to the command and control server, which responds the same way with a string with the command. Additionally, the end path for connection with the server is generated randomly or the DynamicSubDomain method is used.
The data obtained by the Trojan and also device information are encrypted and stored in the local SQLite database. It has the following structure:
The main goal of Android.BankBot.358.origin is stealing money from the Sberbank’s clients. Cybercriminals send the Trojan a command to block an infected device with a phishing window. It imitates the appearance of Sberbank Online, the remote banking and payment system, and is displayed to all users no matter whether they are Sberbank or another financial organization’s clients. The user is offered to receive a money transfer the sum of which cybercriminals set via the administration panel. To receive the money, the user is invited to provide bank card information: its number, holder’s name, expiration date, and the CVV code. The fraudulent message cannot be closed, so a potential victim is actually forced to provide cybercriminals with the secret information.
If a user uses the Mobile banking service, Android.BankBot.358.origin tries to use it to steal money from the victim’s account. The Trojan sends SMS messages with commands to perform operations in the online banking system. It checks the current balance of the Android device owner’s card and automatically transfers money to the cybercriminals’ bank account, or to their mobile account.
Some versions of Android.BankBot.358.origin can block an infected device with a ransom message demanding that the victim pay a fine for watching prohibited videos. In order to hide their malicious activity, various Trojan’s modifications can also block the screen with a notification that some system update was installed.News about the Trojan