New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks

Haythem Elmir

Last year we saw the Fanta SDK malware target users of the Russian bank Sberbank and employ unusual defensive measures. Now another banking malware family has appeared, targeting more Russian banks and using new, evolved obfuscation techniques. We call this family FakeBank; the related samples we have collected so far number in the thousands. They show that the malware targets not only Sberbank but also other Russian banks such as Letobank and VTB24. The samples use random package names and mostly pose as SMS/MMS management software to lure users into installing them. The table below lists the app names:

App name             English translation
ММС – Пoсланиe       MMS – Message
ММС – Сообщениe      MMS – Message
Посланиe             Message
Соoбщение            Message
Фoтo                 Photo
CМC – Фотo           SMS – Photo
СMС – Соoбщение      SMS – Message
СMC – Послание       SMS – Message

Table 1. Names of the banking malware samples. As reproduced here, several names mix Cyrillic letters with Latin lookalikes (for example a Latin "o" or "e" inside a Cyrillic word, or a Latin "C" in "СMC"), so a string match on the proper Cyrillic spelling will miss them; match per code point or after script normalization rather than on the visible text.

In practice, the advertised SMS management capability is turned against the victim: the malware intercepts SMS messages as part of a scheme to steal funds from infected users through their mobile banking services.

The banking malware has spread mainly across Russia and other Russian-speaking countries. Figure 1 shows the distribution of detections by country.

Figure 1. Top countries where samples were detected; there were detections in other countries but they totaled less than 1%

Intercepting SMS leads to transferring funds

The malicious app can turn the device's network connection on and off and silently connect to the Internet, which means it can send information to its command-and-control (C&C) server without the user's knowledge. It also checks the device for anti-virus software and, if any is found, exits without running any malicious behavior. This tactic helps it stay unreported and under the radar.

The malware also steals information from the device and uploads it to the C&C server. The data collected includes the user's phone number, the list of installed banking apps, the balance of any linked bank card, and even location information.
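The capabilities described above (SMS interception, toggling the network connection, C&C traffic, location collection) all have to be declared in the app's manifest, and the lure names in Table 1 mix scripts. The following static triage script, written for this page as an added example and not code from the researchers, scores a decoded AndroidManifest.xml against that profile. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the permission names and the SMS_RECEIVED action are real Android identifiers, while the category names, weights and both sample manifests are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml against the capability
profile of an SMS-intercepting banker: SMS permissions, network control,
Internet access, location, a high-priority SMS receiver, and an app label
that mixes Cyrillic and Latin letters.

Added example, not the researchers' code. Assumes a decoded (plain XML)
manifest; weights, category names and sample manifests are constructed."""

import unicodedata
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission strings mapped to the behaviours in the write-up.
# The category labels and weights are this example's own choice.
INDICATORS = {
    "android.permission.RECEIVE_SMS": ("sms_intercept", 3),
    "android.permission.READ_SMS": ("sms_intercept", 2),
    "android.permission.SEND_SMS": ("sms_intercept", 2),
    "android.permission.INTERNET": ("c2", 1),
    "android.permission.CHANGE_NETWORK_STATE": ("network_control", 2),
    "android.permission.CHANGE_WIFI_STATE": ("network_control", 2),
    "android.permission.ACCESS_NETWORK_STATE": ("network_control", 1),
    "android.permission.ACCESS_FINE_LOCATION": ("location", 1),
    "android.permission.ACCESS_COARSE_LOCATION": ("location", 1),
    "android.permission.READ_PHONE_STATE": ("device_info", 1),
}

# Constructed manifest shaped like the samples: random package name, an
# "SMS - Message" label written as Cyrillic Es + Latin M + Latin C, and a
# high-priority receiver for incoming SMS (the classic way to see a message
# before the default SMS app on older Android versions).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xkqz.pzr">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="\u0421MC \u2013 \u041f\u043e\u0441\u043b\u0430\u043d\u0438\u0435">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed control case: a notes app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package name, declared permissions, app label and the
    priority of any intent-filter listening for SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    sms_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        if SMS_RECEIVED in actions:
            prio = flt.get(ANDROID_NS + "priority")
            sms_priority = int(prio) if prio is not None else 0
    return {"package": root.get("package"), "permissions": perms,
            "label": label, "sms_priority": sms_priority}


def scripts_in(text):
    """Return the set of scripts ('Cyrillic', 'Latin') used by letters in text."""
    found = set()
    for ch in text:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name.startswith("CYRILLIC"):
                found.add("Cyrillic")
            elif name.startswith("LATIN"):
                found.add("Latin")
    return found


def triage(xml_text):
    """Score a manifest; higher means closer to the banker profile."""
    info = parse_manifest(xml_text)
    hits, score, flags = {}, 0, []
    for perm in sorted(info["permissions"]):
        if perm in INDICATORS:
            cat, weight = INDICATORS[perm]
            hits.setdefault(cat, []).append(perm)
            score += weight
    if "sms_intercept" in hits and "c2" in hits:
        flags.append("sms_to_network")       # can forward intercepted SMS
    if info["sms_priority"] is not None and info["sms_priority"] >= 999:
        flags.append("high_priority_sms_receiver")
        score += 2
    if scripts_in(info["label"]) >= {"Cyrillic", "Latin"}:
        flags.append("mixed_script_label")   # lookalike letters in the name
        score += 1
    return {"package": info["package"], "score": score,
            "categories": sorted(hits), "flags": flags}


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

The score is a triage aid, not a verdict: a legitimate SMS client legitimately holds RECEIVE_SMS and INTERNET, so the combination of a high-priority receiver, network-control permissions and a mixed-script label is what moves a sample to the top of the review queue.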

To read the original article:
