Video analysis of Android banking Trojan found on Google Play

An Android threat that steals victims' login credentials for mobile banking
applications was recently found on Google Play. The app “Easy Rates Converter”
was available on the store for six days and was downloaded over 500 times
before it was removed.

This Trojan lures victims into entering their login credentials for social
media, mobile banking and cryptocurrency apps. After start, the list of
targeted apps is requested from the attacker's server, based on the apps
installed on the infected device. This list, together with the code
responsible for impersonating the legitimate applications, is received from
the attacker's server and then stored in a local database.

Figure 1. Banking Trojan impersonates Easy Rates Converter

Functionality

After launch, the Trojan drops a malicious component from its assets, which downloads an additional malicious payload from the attacker's server. In this particular case the downloaded payload belongs to the Red Alert 2 banking Trojan family, and it is this payload that carries the malicious functionality. The attacker could swap the download link at any time to deliver a different malicious app.
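The dropper pattern described above (an executable payload hidden in the APK's assets/ directory) is something an analyst can check for statically before running the sample. The script below is an added example and not code from the original post or from the malware: it walks the zip entries of an APK, flags assets that start with DEX, ZIP/APK or ELF magic bytes, and also flags large high-entropy assets, since a packed or encrypted loader (the sample's dropped file is named loader-packed) carries no recognisable magic. The APK it inspects is constructed in memory; the file names and contents are placeholders, and the 7.5 bits/byte entropy threshold is an assumed heuristic, not a value from the post.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter
from typing import Dict, List, Optional

# Magic bytes of file types a dropper would hide under assets/.
MAGICS = {
    b"dex\n": "dex",        # Dalvik executable, e.g. "dex\n035\0"
    b"PK\x03\x04": "zip/apk",
    b"\x7fELF": "elf",
}
# Assumed heuristic: packed/encrypted blobs sit close to 8 bits per byte.
ENTROPY_THRESHOLD = 7.5
MIN_BLOB_SIZE = 1024  # ignore tiny assets when judging entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> Optional[str]:
    """Return a label if the blob looks like an embedded payload, else None."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy (packed/encrypted?)"
    return None


def find_embedded_payloads(apk_bytes: bytes) -> List[Dict[str, object]]:
    """Scan assets/ inside an APK (a zip file) for embedded executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            kind = classify(data)
            if kind:
                findings.append({
                    "name": info.filename,
                    "kind": kind,
                    "size": len(data),
                    "md5": hashlib.md5(data).hexdigest(),  # compare against IoC lists
                })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK; every entry here is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary-xml-stub")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)      # not in assets/, ignored
        zf.writestr("assets/rates.json", b'{"USD": 1.0, "EUR": 0.88}')   # benign data
        zf.writestr("assets/loader.dex", b"dex\n035\x00" + b"\x00" * 64) # embedded DEX
        zf.writestr("assets/update.bin", bytes(range(256)) * 16)         # entropy 8.0, "encrypted"
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_payloads(build_sample_apk()):
        print(f"{hit['name']:<24} {hit['kind']:<32} {hit['size']:>6} B  md5={hit['md5']}")
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK; the MD5 of each flagged asset can then be matched against the hashes in the IoC section. The entropy check produces false positives on compressed media (PNG, JPEG, OGG), so treat it as a prompt to look closer rather than as a verdict.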

Figure 2. Execution model of the Trojan

After authorization, the server sends back more than one download link for malicious applications. These apps and links are probably generated on the server.

Figure 3. Network communication of component

Once the app is downloaded, the user is prompted to install it manually. Cancelling the installation does not help, because the prompt is displayed again and again until the victim is annoyed enough to install it. The same applies to the request to activate device administrator rights for it.

Once installed, the “Update Flash Player” app sends the names of the installed
apps to the attacker's server. Scripts on the server evaluate this list and
send back which apps should be targeted, together with the HTML code for the
fake activity displayed to the victim. This information is stored in a local
database, so after infection I could identify the targeted apps by reading it.
The set of targeted applications can be updated dynamically based on apps
installed later.

Figure 4. Database contains list of targeted apps

The banking Trojan sets its triggers and waits in the background until one of the targeted apps is launched. Once an app listed in the templateName column is started, the malware uses overlay phishing to display its own malicious activity on top of it and trick the victim into entering their credentials. The credentials are then sent to the attacker's server. This banker is also capable of bypassing SMS-based two-factor authentication (2FA).

The activities in the foreground (Update Flash Player) belong to the
malware and overlay the targeted activities in the background.

Figure 5. Malware overlaying legitimate apps, as seen in the recent apps menu
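The two halves of the targeting logic described above (the server choosing targets from the installed-app list, and the device storing them and firing an overlay when a targeted app comes to the foreground) can be simulated end to end. The code below is an added example written for this page, not code from the malware, the C2 panel or the original post: both sides run in one process, the C2 exchange is modelled as JSON strings, and the local database is an in-memory SQLite table. Only the templateName column is mentioned in the post; the other column names, the JSON field names, the package names and the HTML templates are constructed placeholders.

```python
import json
import sqlite3
from typing import Dict, List, Optional

# --- Attacker side (simulated) ---------------------------------------------
# Constructed overlay templates keyed by target package name. A real panel
# carries hundreds of these; the names and HTML here are placeholders.
C2_TEMPLATES: Dict[str, Dict[str, str]] = {
    "com.example.bank": {
        "templateName": "bank_login",
        "html": "<form action='/steal'><input name='user'>"
                "<input name='pass' type='password'></form>",
    },
    "com.example.crypto.wallet": {
        "templateName": "wallet_seed",
        "html": "<form action='/steal'><textarea name='seed'></textarea></form>",
    },
    "com.example.social": {
        "templateName": "social_login",
        "html": "<form action='/steal'><input name='email'>"
                "<input name='pass' type='password'></form>",
    },
}


def c2_handle_app_list(request_json: str) -> str:
    """Server side: receive installed package names, answer with the ones it can overlay."""
    installed = json.loads(request_json)["apps"]
    targets = [{"package": pkg, **C2_TEMPLATES[pkg]} for pkg in installed if pkg in C2_TEMPLATES]
    return json.dumps({"targets": targets})


# --- Infected device side (simulated) --------------------------------------
class TargetStore:
    """Local database of targeted apps (schema beyond templateName is assumed)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE targets (packageName TEXT PRIMARY KEY, templateName TEXT, html TEXT)"
        )

    def sync(self, installed: List[str]) -> int:
        """Send the installed-app list to the C2 and merge its answer into the DB."""
        response = json.loads(c2_handle_app_list(json.dumps({"apps": installed})))
        for t in response["targets"]:
            self.db.execute(
                "INSERT OR REPLACE INTO targets VALUES (?, ?, ?)",
                (t["package"], t["templateName"], t["html"]),
            )
        self.db.commit()
        return len(response["targets"])

    def targeted_packages(self) -> List[str]:
        return [r[0] for r in self.db.execute("SELECT packageName FROM targets ORDER BY packageName")]

    def on_app_launched(self, package: str) -> Optional[Dict[str, str]]:
        """Trigger: return the overlay to draw if the foreground app is targeted, else None."""
        row = self.db.execute(
            "SELECT templateName, html FROM targets WHERE packageName = ?", (package,)
        ).fetchone()
        return None if row is None else {"templateName": row[0], "html": row[1]}


def simulate_infection() -> Dict[str, object]:
    """Walk through the flow from the post: sync, trigger, then a later re-sync."""
    store = TargetStore()
    first = store.sync(["com.example.bank", "com.example.calculator"])
    overlay_bank = store.on_app_launched("com.example.bank")   # targeted: overlay fires
    overlay_calc = store.on_app_launched("com.example.calculator")  # not targeted: nothing
    # The victim installs a wallet app later; the next sync adds it as a target.
    second = store.sync(["com.example.bank", "com.example.calculator", "com.example.crypto.wallet"])
    return {
        "first_sync_targets": first,
        "bank_overlay": overlay_bank["templateName"] if overlay_bank else None,
        "calc_overlay": overlay_calc,
        "second_sync_targets": second,
        "targeted": store.targeted_packages(),
    }


if __name__ == "__main__":
    print(json.dumps(simulate_infection(), indent=2))
```

For a defender, the useful part is the shape of the traffic: a POST carrying the full list of installed package names shortly after install, answered by a blob of HTML templates, is a strong behavioural signal for this family regardless of which apps are on the target list that day.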

Video demonstration

The video analysis of this threat covers:

1) How a potential victim can get infected

2) How it steals users' credentials for banking apps

3) Code analysis

4) How to remove it

How to remove it

First, the victim needs to deactivate the device administrator rights for it by going to Settings -> Security -> Device administrators -> Secured protection -> Deactivate, and then uninstall it from Settings -> Apps/Application manager -> Update Flash Player -> Uninstall.

Note that the malware uses a different name in each of these two settings: “Secured protection” in the device administrators list and “Update Flash Player” in the application manager.

Acknowledgment

A similar dropper was recently discovered by ThreatFabric ^(https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html),
but with a different malicious payload, Anubis.

References

Analysis of Red Alert 2.0 ^(https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html)

IoC

If you would like to replicate this analysis, you can download the APK sample from the Koodous project for free here: Easy Rates Converter ^(https://koodous.com/apks/ef603cef71f68f0bd132c7c69975cce1c4872b2e7d353c9bc232bd71cddeb702)

File                                                                                   MD5 hash
com.hieulaixe.android.apps.apk                                                         3F51CE5E968F34F50958F50A44468D28
loader-packed(4-2-1).dex                                                               E288216A6BD6184E55B720C7D3CD959A
UpdateFlashPlayer_i80hxoyg6jdp2m6xcqa6c3uqjfdup8gd1izf7wxx_protected_213314.apk        EEC38F8B8FB9C3475EA386D3AF47471D
qsjbdgzslix                                                                            EC52DD905CA35555CB8043CE0773C136

Domains and IP addresses
ffpanel.ru
188.68.210.33
178.132.78.51
my-apps-1026f.firebaseio.com

If you would like to stay up-to-date with the latest Android threats, follow me on Twitter and subscribe to my YouTube channel.

The post Video analysis of Android banking Trojan found on Google Play ^(https://lukasstefanko.com/2018/11/video-analysis-of-android-banking-trojan-found-on-google-play.html) appeared first on Lukas Stefanko ^(https://lukasstefanko.com/).

Author: Marshmallow
