BankBot Returns On Play Store – A Never Ending Android Malware Story

Active on Google Play Store as recently as last Friday, a mobile banking trojan infected thousands of users who thought they downloading games or innocent-looking apps, according to research published by a trio of cybersecurity firms.

The malware, known as BankBot, was concealed inside various flashlight and Solitaire apps, and was first detected by researchers on October 13th. After downloading an infected app, the trojan would activate and wait for users to log in to pre-selected banking apps, including those of Wells Fargo, Chase, CitiBank, and DiBa (ING). In some cases, bank transaction authentication numbers (TANs)—a form of multi-factor authentication employed by some banks—were intercepted in text messages.

Even after so many efforts by Google for making its Play Store away from malware, shady apps somehow managed to fool its anti-malware protections and infect people with malicious software.

A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojan that imitates real banking applications in efforts to steal users' login details.

BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.

With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.
Google removed at least four previous versions of this banking trojan from its official Android app store platform earlier this year, but BankBot apps always made their ways to Play Store, targeting victims from major banks around the world.

The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.

The Android apps containing the malware were disguised to mislead users into believing it was a Google Play or system update requesting administrative privileges.

From there, BankBot quietly waited for users to log in to one of the aforementioned banking apps. Once the banking credentials were entered, they were immediately shared with the criminals who launched the malware campaign.

Certain banking apps send users security codes via text messages, which they have to enter into the app before accessing their accounts; however, this BankBot variant included a function that allowed it to intercept the texts and forward the codes to the attackers as well.

According to Avast, in addition to the US, BankBot struck users in Australia, Germany, the Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, the Dominican Republic, Singapore, and the Philippines.

“The malware is not active in the Ukraine, Belarus and Russia,” Avast’s researchers wrote. “This is most likely to protect the cyber criminals from receiving unwanted attention from law enforcement authorities in these countries.”

There are several steps users can take in the future to avoid having their bank accounts emptied, chiefly among them: Make sure your phone only allows downloads from trusted sources. At least then you can vet untrusted apps on a case-by-case basis. (Check under “security” in your phone’s settings.)