Authored by Fernando Ruiz<\/p>\n
McAfee Mobile Malware Research Team has identified\u00a0malware\u00a0targeting Mexico. It\u00a0poses\u00a0as a security banking tool\u00a0or as a bank application designed to report an out-of-service ATM.\u00a0In both instances, the malware relies on the sense of urgency created by\u00a0tools designed to prevent fraud to encourage targets to use them.\u00a0This malware can steal\u00a0authentication factors\u00a0crucial to accessing accounts\u00a0from their victims on the targeted financial institutions\u00a0in Mexico.<\/span>\u00a0<\/span><\/p>\n McAfee Mobile Security is\u00a0identifying\u00a0this threat as\u00a0Android\/Banker.BT\u00a0along with\u00a0its\u00a0variants.<\/span>\u00a0<\/span><\/p>\n The malware is distributed by a malicious phishing page that provides\u00a0actual banking security tips (copied from the original bank site)\u00a0and\u00a0recommends downloading\u00a0the malicious\u00a0apps as a security tool or as\u00a0an app to report\u00a0out-of-service ATM. It\u2019s very likely that a smishing campaign is associated with this threat as part of the distribution method or it\u2019s also possible that victims may be contacted directly by\u00a0scam\u00a0phone calls made by the criminals, a common occurrence in Latin America.\u00a0Fortunately,\u00a0this threat has not been identified on Google Play\u00a0yet.<\/span>\u00a0<\/span><\/p>\n During the pandemic,\u00a0banks adopted\u00a0new ways to interact with their clients.\u00a0These rapid changes meant customers were\u00a0more willing to accept new procedures and to install new apps as part of the \u2018new normal\u2019 to interact remotely. Seeing\u00a0this,\u00a0cyber-criminals\u00a0introduced\u00a0new scams and phishing attacks that\u00a0looked\u00a0more credible than\u00a0those\u00a0in the\u00a0past\u00a0leaving customers more susceptible.<\/span>\u00a0<\/span><\/p>\n Fortunately,\u00a0McAfee Mobile Security\u00a0is able to\u00a0detect this new\u00a0threat as Android\/Banker.BT. To protect yourself\u00a0from this and similar threats:<\/span><\/b>\u00a0<\/span><\/p>\n Interested in the details? Here\u2019s a deep dive on this malware<\/span>\u00a0<\/span><\/p>\n Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app:<\/span>\u00a0<\/span><\/p>\n – Fake Tool to report fraudulent movements that creates a sense of urgency:<\/span>\u00a0<\/span><\/p>\n \u201cThe \u2018bank name has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically.<\/span>\u00a0<\/span><\/p>\n At the end of the blocking\u00a0process,\u00a0you will receive an SMS message with the details of the blocked operations.\u201d<\/span>\u00a0<\/span><\/p>\n – In the case of the Fake ATM failure tool to request a new credit card under the pandemic context, there is a similar text that lures users into a false sense of security:<\/span>\u00a0<\/span><\/p>\n \u201cAs a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.\u201dThis gives credibility to the app since it\u2019s saying it will not ask for some sensitive data; however, it will ask for web banking credentials.<\/span>\u00a0<\/span><\/p>\n If the victims tap on \u201cIngresar\u201d (\u201caccess\u201d) then the banking trojan asks for SMS permissions and launch activity to enter the user id or account number and then the password. In the background, the password or \u2018clave\u2019 is transmitted to the criminal\u2019s server without verifying if the provided credentials are valid or being redirected to the original bank site as many others banking trojan does.<\/span>\u00a0<\/span><\/p>\n Finally,<\/span> a fixed fake list of transactions is displayed so the user can take the action of blocking them as part of the scam however at this point the crooks already have the victim\u2019s login data and access to their device SMS messages so they are capable to steal the second authentication factor.<\/span><\/span>\u00a0<\/span><\/p>\n In case of the fake tool app to request a new\u00a0<\/span>card,<\/span>\u00a0the app shows a message that says at the end \u201cWe have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips where you will learn how to protect your account\u201d.\u00a0<\/span><\/span>\u00a0<\/span><\/p>\n In the background the malware contacts the\u00a0<\/span>command-and-control<\/span>\u00a0server that is hosted in the same domain used for distribution and it sends the user credentials and all users\u00a0<\/span>SMS<\/span> messages over HTTPS as query parameters (as part of the URL) which can lead to the sensitive data to be stored in web server logs and not only the final attacker destination.\u00a0<\/span>Usually,<\/span> malware of this type has\u00a0<\/span>poor<\/span> handling of the stolen data, therefore, it\u2019s not surprising if this information is leaked or compromised by\u00a0<\/span>other<\/span>\u00a0criminal groups which makes this type of\u00a0<\/span>threat<\/span> even riskier for the victims.<\/span>\u00a0<\/span>Actually,<\/span>\u00a0in figure 8 there is a partial screenshot of an exposed page that contains\u00a0<\/span>the structure to display the stolen data.<\/span><\/span>\u00a0<\/span><\/p>\n Table Headers: Date, From, Body Message, User, Password, Id:<\/span><\/span>\u00a0<\/span><\/p>\n This mobile banker is interesting due it\u2019s a scam developed from scratch that is not linked to well-known and more powerful banking trojan frameworks that are commercialized in the black market between cyber-criminals. This is clearly a local development that may evolve in the future in a more serious threat since the decompiled code shows accessibility services class is present but not implemented which leads to thinking that the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling that is signal it\u2019s in an early stage of development.<\/span>\u00a0<\/span><\/p>\n SHA256:<\/span>\u00a0<\/span><\/p>\n Authored by Fernando Ruiz McAfee Mobile Malware Research Team has identified\u00a0malware\u00a0targeting Mexico. It\u00a0poses\u00a0as a security banking tool\u00a0or as a bank…<\/p>\n","protected":false},"author":695,"featured_media":128899,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[7789],"coauthors":[4136],"class_list":["post-128869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-android-malware"],"acf":[],"yoast_head":"\nHow does this malware spread?<\/span>\u00a0<\/span><\/h2>\n
Here\u2019s how to protect yourself<\/span>\u00a0<\/span><\/h2>\n
\n
Behavior:\u00a0Carefully guiding the victim to provide their credentials<\/span>\u00a0<\/span><\/h2>\n
IoC<\/span>\u00a0<\/span><\/h4>\n
\n
Domains:<\/span>\u00a0<\/span><\/h2>\n
\n