Researchers have discovered a new Android malware strain that can pose as more than 2,200 banks, including Barclays Bank and Santander. The malware impersonates a bank so that it can steal users' passwords and steal from their accounts.
The researchers have dubbed the malware Catelites Bot, and they believe it was created by a recently caught Russian gang. That gang is believed to be the one responsible for the CronBot Trojan, which was used to steal $900,000 from victims.
Experts wrote in a blog post that the two malware families share some similarities, and they believe the hackers are just getting started with their nefarious activities. Avast mobile threat researcher Nikolaos Chrysaidos wrote that the Catelites Bot operators had devised a sophisticated way to target more than 2,200 banks using fake mobile banking app interfaces. He said the malware was able to pull the logos and names of Android banking applications from the Google Play Store without any requests. The fake screens the malware displays do not entirely resemble the real banking apps. However, the malware takes a shotgun approach: the more banks it imitates, the higher the chance that some users fall for the trick.
Researchers said the Catelites Bot is usually spread through third-party app stores. Fake app stores have been rampant with malware of late, with at least two new strains affecting Android devices every week over the past few months. The malware asks for administrator permissions and, once they are granted, begins deploying its tactics. Chrysaidos said the malware is currently confined to Russia. He believes it is at an early testing stage and that, depending on the results, the cyber thieves will release it to the rest of the world. Analysis of its command and control server showed that at least 9,000 people had been affected.
Chrysaidos added that they had no proof that the Catelites Bot actors were also behind CronBot; a different group may have obtained the CronBot code and modified it. He also added that since the malware is only distributed through third-party app stores, Android users are advised to install apps only from the official Play Store. On top of that, they should check with their banks about any changes to their banking applications' interfaces.
This is not the first time overlay screen attacks have been used. The so-called cloak and dagger attacks have appeared before with the BankBot and FalseGuide Trojans, which were also known to mirror official apps.
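The traits described above (sideloading from third-party stores, a request for device administrator rights, and an overlay that imitates a bank's name and logo) can be turned into a simple triage heuristic for a device inventory. The following is an added example, not code from Avast, the article or the malware: it scores a constructed list of installed apps and flags the ones that combine several of those traits. The bank package names in KNOWN_BANK_APPS and the sample apps are assumed, constructed values; the Play Store package name and the overlay permission name are real Android identifiers.

```python
"""Triage heuristic for overlay-style banking trojans on Android.

Added illustration, not Avast's or the article's code. Scores installed apps
on the traits the article attributes to Catelites Bot: sideloaded (not from
the Play Store), active device-admin rights, the overlay permission, and a
label that imitates a bank whose genuine package name is different.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"                        # real Google Play package name
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"   # real permission for screen overlays

# Hypothetical allow-list: lower-case bank name -> expected package (assumed values).
KNOWN_BANK_APPS: Dict[str, str] = {
    "barclays": "com.barclays.example",
    "santander": "com.santander.example",
}


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]            # package that installed it; None = sideloaded
    permissions: Set[str] = field(default_factory=set)
    device_admin_active: bool = False   # user has enabled it as a device administrator


def score_app(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return a risk score and the reasons contributing to it."""
    score, reasons = 0, []
    if app.installer != PLAY_STORE:
        score += 1
        reasons.append("not installed by the Play Store")
    if OVERLAY_PERM in app.permissions:
        score += 1
        reasons.append("holds the overlay permission")
    if app.device_admin_active:
        score += 2
        reasons.append("active device administrator")
    label = app.label.lower()
    for bank, genuine_pkg in KNOWN_BANK_APPS.items():
        # A bank name in the label with the wrong package is the strongest signal.
        if bank in label and app.package != genuine_pkg:
            score += 3
            reasons.append(f"imitates {bank} but package is {app.package}")
    return score, reasons


def triage(apps: List[InstalledApp], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Flag apps whose score reaches the threshold, highest score first."""
    flagged = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return sorted(flagged, key=lambda entry: -entry[1])


# Constructed sample inventory (not real data).
SAMPLE_APPS = [
    InstalledApp("com.barclays.example", "Barclays", PLAY_STORE,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.game", "Fun Game", None, {OVERLAY_PERM}),
    InstalledApp("com.example.update", "Santander Mobile", None,
                 {OVERLAY_PERM, "android.permission.INTERNET"}, device_admin_active=True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_APPS):
        print(f"{package}: score {score}; " + "; ".join(reasons))
```

The genuine bank app scores zero, a sideloaded game with only the overlay permission stays below the threshold, and the sideloaded "Santander Mobile" app with device-admin rights and the wrong package name is flagged. A label match alone is deliberately not enough to trigger on its own unless it is combined with at least one other trait, which keeps legitimate third-party finance tools from being reported.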