The page may not load correctly.
|Added to Dr.Web virus database:||2018-12-07|
|Virus description was added:||2018-12-10|
A Banking Trojan for Android mobile devices. Its main goal is to steal confidential data. Android.BankBot.495.origin was first detected on Google Play and attacked Brazilian users. The Trojan was distributed under the guise of applications intended for spying on the owners of mobile devices.
When launched, Android.BankBot.495.origin opens system settings and prompts the user to permit it to access the Accessibility option. If a potential victim agrees to do it, the Trojan may read the contents of the active application windows and tap buttons independently of the user.
Having obtained the permissions, Android.BankBot.495.origin launches MainService and automatically closes the accessibility settings window.
Then the malware tries to obtain the privileges needed to show overlay windows and forms. For that, it requests the following permission in the system:
If the system language on the mobile device is Portuguese, the Trojan automatically taps the “PERMITIR” buttons and obtains the necessary privileges by itself.
The MainService starts the Main2Activity, which loads the address http://brazilian*****.ddns.net/renew in an invisible WebView window. Next, the website executes a chain of redirections:
The key 1.php?cg= signals the Trojan that the link contains the settings it needs, i.e. the addresses of the main command and control servers encoded in Base64. The ] symbol is the closing key for the encoded data. After decryption, the addresses of the remote hosts are as follows:
The first IP address belongs to a server with fraudulent web pages that the Trojan will use for phishing attacks. The second address belongs to the command and control server of the Trojan.
After successfully accepting the settings and receiving the ?finishurl key in the last link, the Trojan terminates the Main2Activity.
When launched, MainService starts two permanently active threads, ProcessualThread and AppStartWatchThread. ProcessualThread sends queries to the command and control server at http://52.12.**.***/mobileConfig.php every 6 seconds and executes the commands it sends back. The process is as follows.
If the server response contains the string “chkSMS”, the Trojan launches the default SMS application. Using the accessibility features, Android.BankBot.495.origin, reads and saves the messages stored in this application.
Data collected by the Trojan is sent to the server in the thread AppStartWatchThread, which constantly monitors the changes in the class variables. Android.BankBot.495.origin also recognizes the messages from CaixaBank S.A. and sends them to the server in a separate request.
Android.BankBot.495.origin uses the accessibility features to track the activities of the following apps:
When one of them is launched, the Trojan displays an overlay WebView window with a phishing webpage, received from the command and control server 34.222.**.**. The page imitates the compromised software and requests that the user fills in confidential information: logins, passwords, account names, bank card details, etc. After entering and sending the data, the fraudulent page redirects to a link with the string “finishurlkk”. Android.BankBot.495.origin then closes the WebView window and re-launches the app, so as not to arouse suspicion if the target application was closed or collapsed.
Fraudulent input forms the Trojan can display:
|Attacked application||Link to the phishing page||View of the fraudulent window|
|Itaucard Controle seu cartão||34.222.**.**/itcard/load.php?hwid=********3X37a********681bf&content=d|
|Banco do Brasil||34.222.**.**/biu/load.php?hwid=********3X37a********681bf|
Android.BankBot.495.origin has a self-defense mechanism. The Trojan controls the startup of applications and searches the package names for a match in the following lines:
If a match is found, it taps the “Back” button 4 times in an attempt to close the program.