New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks

Last year, we saw the Fanta SDK malware target Russian bank Sberbank users and employ unique defensive measures. Now, another bank malware family has appeared, targeting even more Russian banks while using new and evolved obfuscation techniques. This family is named FakeBank, and so far the related samples we have collected number in the thousands. These samples show that the malware targets not only Sberbank, but also other Russian banks like Letobank and the VTB24 bank. Our samples have random package names and pose mostly as SMS/MMS management software to lure users into downloading them. The table below shows the samples’ names:

App name                 English translation of Russian name
---------------------    -----------------------------------
SMS_S                    SMS_S
SMS_MMS                  SMS_MMS
ММС – Пoсланиe           ММС – Send
ММС – Сообщениe          MMC – Message
Посланиe                 Messenger
Соoбщение                Composition
Фoтo                     Photo
CМC – Фотo               CМC – Photo
СMС – Соoбщение          СMС – Composition
СMC – Послание           СMC – Message

Table 1. Names of the banking malware samples
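The table above lists the same "СМС"/"ММС" names in several spellings that differ only in look-alike letters, which is the kind of variation a defender can check for mechanically. The following is an added example, not code from the original article or from Trend Micro: a triage helper that flags an app label when it mixes Latin and Cyrillic letters and, after folding Latin look-alikes to Cyrillic, compares it against the names in Table 1. The sample labels, the CONFUSABLES map and the function names are my own constructions.

```python
import unicodedata

# Sample labels constructed for this example (not copied from the page).
# Look-alike Latin letters are written as explicit escapes so the script mix
# is unambiguous: U+0421/U+041C are Cyrillic ES/EM, plain "C"/"M" are Latin.
CONSTRUCTED_LABELS = [
    "C\u041cC \u2013 \u0424\u043e\u0442o",                 # Latin C, Cyrillic М, Latin C, Cyrillic Фот, Latin o
    "\u0421\u041c\u0421 \u2013 \u0424\u043e\u0442\u043e",  # fully Cyrillic "СМС – Фото"
    "SMS_S",                                               # ASCII only, also listed in Table 1
    "Calculator",                                          # benign control label
]

# Latin letters that render like Cyrillic ones (assumption: a malicious label
# swaps these in to vary the displayed name).  Each is mapped back to Cyrillic.
CONFUSABLES = str.maketrans({
    "A": "\u0410", "B": "\u0412", "C": "\u0421", "E": "\u0415", "H": "\u041d",
    "K": "\u041a", "M": "\u041c", "O": "\u041e", "P": "\u0420", "T": "\u0422",
    "X": "\u0425", "a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
    "p": "\u0440", "x": "\u0445", "y": "\u0443",
})


def scripts_of(label):
    """Return the set of Unicode scripts ('LATIN', 'CYRILLIC', ...) used by the letters in label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """True when a label combines Latin and Cyrillic letters in one name."""
    scripts = scripts_of(label)
    return "LATIN" in scripts and "CYRILLIC" in scripts


def normalize(label):
    """Canonical form: fold Latin look-alikes to Cyrillic and collapse whitespace."""
    return " ".join(label.translate(CONFUSABLES).split())


# Names from Table 1, normalized the same way as incoming labels so that a
# look-alike variant of any of them compares equal.
KNOWN_SAMPLE_NAMES = {normalize(n) for n in [
    "SMS_S", "SMS_MMS", "ММС – Послание", "ММС – Сообщение", "Послание",
    "Сообщение", "Фото", "СМС – Фото", "СМС – Сообщение", "СМС – Послание",
]}


def triage(labels):
    """For each label report whether it mixes scripts and whether it matches a Table 1 name."""
    return [
        {
            "label": label,
            "mixed_script": is_mixed_script(label),
            "known_name": normalize(label) in KNOWN_SAMPLE_NAMES,
        }
        for label in labels
    ]


if __name__ == "__main__":
    for row in triage(CONSTRUCTED_LABELS):
        print(row)
```

The script check is independent of the name list, so it still raises a flag for a new name the list does not contain; the name match, by contrast, only covers spellings that fold onto a listed entry, so both results are kept separate in the output.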

Actually, these advertised SMS management capabilities are turned against the victim. The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems.

The banking malware has spread mainly across Russia and other Russian-speaking countries. The figure below shows detections per country.

Figure 1. Top countries where samples were detected; there were detections in other countries but they totaled less than 1%

Intercepting SMS leads to transferring funds

The malicious app can switch the infected device's network connection on and off and silently connect to the internet, so it can send information to its command-and-control (C&C) server without the user's knowledge. It also inspects the device for anti-virus software and, if any is found, exits without performing any malicious behavior, a tactic that helps it stay unreported and under the radar.

The malware also steals information from the device and uploads it to the C&C server. The sensitive data collected includes the user's phone number, a list of installed banking apps, the balance on any linked bank card, and even location information.

To read the original article:

http://blog.trendmicro.com/trendlabs-security-intelligence/new-mobile-malware-uses-layered-obfuscation-targets-russian-banks/
