A Trojan targeting Android mobile devices. It is distributed in the guise of an official Sberbank Online mobile application. Although this program has been modified by cybercriminals, it operates like its original version. The malicious copy can be downloaded from various software catalogues and file-sharing resources. The main purpose of this program is to steal money from users' bank accounts.
The AndroidManifest.xml file of the modified version has been changed as follows:
<service android:name="ru.sberbankmobile.crb17s" /> <receiver android:name="ru.sberbankmobile.crb17r"> <intent-filter android:priority="1000"> <action android:name="android.intent.action.BOOT_COMPLETED" /> <action android:name="android.provider.Telephony.SMS_RECEIVED" /> </intent-filter> </receiver>
Once it is launched, Android.BankBot.65.origin generates an encrypted configuration file with the name crb17.hex containing the Trojan's settings. The file has the following parameters:
- interval—time interval between requests sent to the server,
- time, intervalUpdate, intervalSend—values that define the time when each connection session is established,
- timeSend, intervalSms, timeSms—values that define the time of sending an SMS message,
- nomera, texts—values for phone numbers and texts to be sent to several contacts,
- QIWI—package name of the corresponding application,
- urls—command and control server's address,
- indNUMBER, indTEXT—values to be used to send an SMS message to one contact,
- parser—list to be used to parse incoming messages for some specific text (if an SMS containing this text is found, it is forwarded to the server),
- putTEXT, putNUMBER—parameter for planting a specified SMS message into the list of incoming texts,
- delQUERY—parameter to be used to delete a specified SMS from the list.
Next, the Trojan generates a POST request containing the following information:
- Mobile network operator
- MAC address of the Bluetooth adapter
- Data on availability of QIWI Wallet
- API version of the device
- Trojan's version
- Trojan's package name
- Currently executed command
If Android.BankBot.65.origin receives the “hokkei” command from the remote host, it sends an encrypted list containing the user's contacts to the server and updates the configuration file upon cybercriminals' command.
Due to the fact that the Trojan can stealthily send and intercept SMS messages, cybercriminals can steal money from users' bank accounts. Moreover, Android.BankBot.65.origin can be used for implementation of other fraudulent schemes. For example, the malware can plant an SMS message with a specified text into the list of incoming texts.