Banking Trojan found on Google Play stole 10,000 Euros from victims

Haythem Elmir

An Android banking Trojan was recently discovered on Google Play with more than 10,000 installs. The malware was capable of phishing users' banking credentials and sending them to the attacker, and it could also bypass SMS two-factor authentication. Based on the analysis, the app targeted German, Polish and Czech banks. According to Česká spořitelna, two of its clients were affected, with a combined loss of 280,000 Kč, which is more than 10,900 Euro.


The Trojan application impersonated QRecorder, an app for recording phone calls.

Figure 1. QRecorder app from Google Play

Once launched, it asked the user to allow it to draw over other apps, presenting this as functionality the app needs in order to work properly. In reality, this permission is what lets the malware control what is displayed to the user.

Figure 2. Requesting permission to draw over other apps

Afterwards, the app worked as it should, except for one thing: it waited for commands from the attacker.

Based on my analysis, these commands are received within 24 hours.

The attacker used Firebase messages to communicate with compromised devices. He would "ask" the device whether any of the targeted banking apps were installed. If so, the device received a link to an AES-encrypted payload, together with the decryption key, to download. Before downloading the payload, the app would ask the user to activate the Accessibility service; using this permission it would then automatically download, install and open the malicious payload. Once the payload is downloaded and installed, it sets triggers for the legitimate banking apps. If one of the targeted apps is launched, the payload creates a similar-looking activity that overlays the official app and demands credentials.
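The two permissions described above (drawing over other apps, and an Accessibility service used to install and drive a second-stage payload) are exactly what a triage step on a decoded manifest should look for. The script below is an added example, not code from the original article or from the malware: it parses a constructed AndroidManifest.xml (as produced by apktool; the package name, component names and the manifest itself are assumptions for illustration, not the real QRecorder manifest) and flags the combination of overlay permission, accessibility service and package-install permission that a call recorder has no legitimate reason to carry at once.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the dropper triad:
overlay permission + accessibility service + package installation.

The manifests below are constructed for illustration only; they are not
the QRecorder manifest, and every package/component name is an assumption.
"""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APERM = f"{{{ANDROID_NS}}}permission"

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
FIREBASE_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample: a "call recorder" that also asks to draw over other
# apps, declares an accessibility service and can install packages.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.callrecorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Call Recorder">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".PushService">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a call recorder that only asks for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainrecorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Recorder">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability flags found in a decoded manifest.

    'dropper_triad' is True when the app can overlay other apps, has an
    accessibility service and may install packages, i.e. it can both phish
    on top of a banking app and silently install a second stage.
    """
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(ANAME) for el in root.iter("uses-permission")}

    accessibility_services = []
    firebase_push = False
    for service in root.iter("service"):
        actions = {a.get(ANAME) for a in service.iter("action")}
        # Either the bind permission or the intent action marks an
        # accessibility service; check both, as either alone is enough.
        if service.get(APERM) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(service.get(ANAME))
        if FIREBASE_ACTION in actions:
            firebase_push = True

    flags = {
        "package": root.get("package"),
        "overlay": OVERLAY_PERMISSION in permissions,
        "install_packages": INSTALL_PERMISSION in permissions,
        "accessibility_services": accessibility_services,
        "firebase_push": firebase_push,
    }
    flags["dropper_triad"] = (
        flags["overlay"] and flags["install_packages"] and bool(accessibility_services)
    )
    return flags


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

The Firebase messaging flag is informational only: plenty of legitimate apps receive push messages, so it should raise the priority of a sample that already matches the triad rather than act as a signal on its own. On a real APK, run it over the manifest produced by `apktool d sample.apk` and then confirm the accessibility service's code actually performs installs or clicks through dialogs before calling the sample a dropper.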

Here is an example of this threat installing itself on behalf of the user. This video is authentic and not cut; feel free to rewind to 1:09.

Based on the language variants used in the app and the payload, I can say the main targets are German, Polish and Czech banks. Different payloads are created for different banking apps, each targeting a particular app. However, I could not obtain the decryption key and identify all targets.

Figure 3. Prepared messages to activate accessibility services in three languages

List of targeted apps and package names.


