A notorious banking Trojan was downloaded more than 1,000 times before it was removed. The software mimics legitimate banking applications in order to steal passwords. The Trojan was discovered on Google’s official marketplace, where it was posing as a cryptocurrency service.
Earlier this year, security experts warned Android users to brace for a spike in hacking attacks. This followed the discovery of leaked source code for a piece of malware specifically designed to steal banking credentials. This week the software was lurking in the Play Store posing as “Cryptocurrencies Market Prices”.
It was here that the Trojan received 1,000 downloads. The malware was first detected on 18 October by security firm RiskIQ, which named it BankBot. The malware was removed just seven days later. BankBot, which has beset Android devices for months, uses an overlay technique.
It does this in an attempt to fool unwary victims into entering their details into an app they believe is genuine. In a statement on Thursday, RiskIQ said that BankBot was distributed using social engineering: a user downloads and installs the fully functional app on their Android device in order to compare cryptocurrency market prices with other currency values.
According to RiskIQ, once installed, the app really does perform cryptocurrency exchange monitoring. However, BankBot uses the seemingly genuine application to mask its actual purpose. By giving the victim an app that works, the attackers make the user less wary of its malicious nature.
Once downloaded, the malware sits quietly on a device and looks out for any of the financial apps it can pose as.
When one of the targeted financial applications is launched by the user, BankBot overlays a screen that looks identical to the legitimate service and then harvests any credentials entered. Experts said that in this case, the Trojan asked for a number of suspicious permissions during the installation process, including the ability to read text messages and access the internet.
If hackers can read a victim’s texts they could also intercept two-factor authentication codes according to RiskIQ.
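The combination described above, an app that draws over other apps, reads SMS and talks to the internet, is exactly the permission set an overlay Trojan needs to phish credentials and intercept two-factor codes. The following is an added triage example written for this page, not RiskIQ's tooling or anything from the BankBot sample: it parses AndroidManifest.xml files and scores the requested permissions. READ_SMS, RECEIVE_SMS and INTERNET are real Android permission names; treating SYSTEM_ALERT_WINDOW (the permission for drawing over other apps) as the overlay indicator is an assumption on my part, since the article only names SMS and internet access. Both manifests are constructed samples.

```python
"""Manifest triage for overlay-Trojan permission patterns (added example).

Flags apps whose manifest requests SMS access, network access and the
ability to draw over other apps at the same time. The manifests below are
constructed samples, not files from the BankBot app."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission identifiers. SYSTEM_ALERT_WINDOW is used here as the
# overlay indicator (an assumption; the article itself names only SMS and internet).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample: what a genuine price-ticker app would plausibly request.
PRICE_TICKER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.prices.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

# Constructed sample: a price-ticker app that also wants SMS and overlay access.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.prices.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values from every <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def overlay_trojan_indicators(manifest_xml: str) -> dict[str, bool]:
    """Map each capability an overlay Trojan needs to whether it is requested."""
    perms = requested_permissions(manifest_xml)
    return {
        "sms": bool(perms & SMS_PERMS),          # can read 2FA codes
        "network": bool(perms & NET_PERMS),      # can exfiltrate what it collects
        "overlay": bool(perms & OVERLAY_PERMS),  # can draw a fake login screen
    }


def risk_verdict(manifest_xml: str) -> str:
    """HIGH when all three capabilities are present, MEDIUM for SMS + network,
    LOW otherwise. Thresholds are this example's choice, not a published rule."""
    ind = overlay_trojan_indicators(manifest_xml)
    if ind["sms"] and ind["network"] and ind["overlay"]:
        return "HIGH"
    if ind["sms"] and ind["network"]:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    for label, manifest in (("benign", PRICE_TICKER_MANIFEST),
                            ("suspect", SUSPECT_MANIFEST)):
        print(f"{label}: {risk_verdict(manifest)} {overlay_trojan_indicators(manifest)}")
```

A permission set alone is not proof of malice (SMS apps and accessibility tools legitimately request some of these), so the verdict is meant to prioritise which uploads get a closer look, which is the kind of vigilance RiskIQ's statement calls for.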
This variant of the Trojan appeared to be targeting users of Polish banks. It is still unclear whether the hackers, who remain unknown, succeeded in stealing any funds. RiskIQ warned that the discovery of BankBot serves as a reminder of the sophistication of malicious mobile apps. The group also urged users to be vigilant before downloading apps, even from trusted stores.
BankBot, which is primarily designed to target Android smartphones, had its source code leaked online in January and has since developed into a major cybercrime threat. Experts previously warned that some variants may be able to mimic “hundreds” of real services.