An Android threat that steals victims' login
credentials for mobile banking applications was recently found on Google Play.
The app “Easy Rates Converter” was
available on the Store for six days and downloaded over 500 times before it was
This Trojan lures victims into entering their
login credentials for social media, mobile banking and cryptocurrency apps.
The list of targeted apps is requested from the attacker's server at start-up, based
on the apps installed on the infected device. This list, together with the code
responsible for impersonating the legitimate applications, is received from the
attacker's server and then stored in a local database.
After launch, the Trojan drops a malicious component from its assets; this component downloads an additional malicious payload from the attacker's server. In this particular case it downloads a member of the Red Alert 2 banking Trojan family. The downloaded payload carries the actual malicious functionality, and the attacker could in principle swap the link to serve a different malicious app.
After authorization, the server sends more than one link to malicious applications. These apps and links are probably generated on the server.
Once the app is downloaded, it prompts the user to install it manually. Cancelling the installation does not help, because the request is shown again and again until the victim is annoyed enough to install it. The same applies to the prompt to activate device administrator rights for it.
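A quick static triage for the dropper technique described above, namely an APK that carries a second APK or DEX in its assets/ directory, can be done without running the sample. The script below is an added example, not code from the original post or from the malware; the sample APK it inspects is constructed in memory and its file names (rates.json, flash.mp3, stage2.apk) are hypothetical.

```python
"""Triage check for the dropper technique described above: an APK that carries a
second APK or a DEX file in its assets/ directory. Added example, not code from the
original post or from the malware; the sample APK is constructed in memory and its
file names are hypothetical."""
import io
import zipfile
from typing import List, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty ZIP/APK
DEX_MAGIC = b"dex\n"        # Dalvik executable
PAYLOAD_DIRS = ("assets/", "res/raw/")
PAYLOAD_EXTS = (".apk", ".dex", ".jar", ".zip")


def classify_blob(data: bytes) -> Optional[str]:
    """Return 'dex', 'apk', 'zip' or None based on magic bytes and, for ZIPs, contents."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = set(inner.namelist())
        except zipfile.BadZipFile:
            return "zip"  # ZIP header but unreadable: still worth a manual look
        return "apk" if {"AndroidManifest.xml", "classes.dex"} & names else "zip"
    return None


def find_embedded_payloads(apk_bytes: bytes) -> List[Tuple[str, str, int]]:
    """List (path, kind, size) for assets/ and res/raw/ entries that look like code.

    Extensions are ignored in favour of magic bytes, since droppers routinely hide
    an APK behind a media-looking name; an entry whose extension says code but whose
    bytes do not match is reported as 'opaque' (possibly encrypted or XOR-ed).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(PAYLOAD_DIRS):
                continue
            kind = classify_blob(apk.read(name))
            if kind is None and name.lower().endswith(PAYLOAD_EXTS):
                kind = "opaque"
            if kind is not None:
                hits.append((name, kind, info.file_size))
    return hits


def build_sample_apk() -> bytes:
    """CONSTRUCTED sample: a 'rates converter' APK carrying a second APK under assets/."""
    manifest_stub = b"\x03\x00\x08\x00" + b"\x00" * 28  # binary XML header only
    dex_stub = DEX_MAGIC + b"035\x00" + b"\x00" * 64

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_stub)
        z.writestr("classes.dex", dex_stub)

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_stub)
        z.writestr("classes.dex", dex_stub)
        z.writestr("assets/rates.json", b'{"EUR": 1.0, "USD": 1.13}')
        z.writestr("assets/flash.mp3", inner.getvalue())  # dropped stage hidden behind a media extension
        z.writestr("assets/stage2.apk", bytes(b ^ 0x5A for b in dex_stub))  # obfuscated: no magic match
    return outer.getvalue()


if __name__ == "__main__":
    for path, kind, size in find_embedded_payloads(build_sample_apk()):
        print(f"{path}: {kind} ({size} bytes)")
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK; a hit of kind `apk` or `dex` under assets/ is a strong indicator of a dropper, while `opaque` entries deserve a look for an XOR or AES routine in the decompiled code.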
The installed Update Flash Player sends the names of the installed apps to the attacker's
server. Scripts on the server evaluate these apps and send back which ones should be
targeted, including the HTML code for the fake activity displayed to the victim. This
information is stored in a database, so after infection I could identify the targeted
apps. The list of targets can be updated dynamically based on apps installed afterwards.
The banking Trojan sets triggers and waits in the background until one of the targeted apps is launched. Once such an app is executed (matched against the templateName column), the malware uses an overlay phishing screen to display its own malicious activity on top of the legitimate app and trick the victim into entering their credentials, which are then sent to the attacker's server. This banker is also capable of bypassing SMS-based two-factor authentication (2FA).
The activities in the foreground (Update Flash Player) belong to the
malware and overlay the targeted activities running in the background.
Video analysis of this threat contains:
1) How potential victim can get infected
2) How it steals users' credentials for
3) Code analysis
4) How to remove it
How to remove it
First, the victim needs to deactivate device administrator rights for it by going to Settings -> Security -> Device administrators -> Secured protection -> Deactivate, and then uninstall it from Settings -> Apps/Application manager -> Update Flash Player -> Uninstall.
Note that the app shows up under different names in these two settings screens ("Secured protection" among the device administrators, "Update Flash Player" among the apps).
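Because the two Settings screens show different labels, it helps to resolve the actual package and admin component over adb before attempting removal. The script below is an added example, not part of the original post: it parses the output of `adb shell dumpsys device_policy` to list the enabled device-admin components, checks whether an admin can be removed with `dpm remove-active-admin` (which Android only allows for admins that declare `android:testOnly`, so it will not work for this malware), and produces the removal steps. The dump is a constructed sample in the shape of that command's output, and the package name `com.example.flashupdate` and component `.DevAdminReceiver` are hypothetical.

```python
"""Resolve the device-admin component and package of the dropped app from a
`dumpsys device_policy` dump and build the removal steps. Added example, not from
the original post; SAMPLE_DUMP is CONSTRUCTED and its package/component names are
hypothetical."""
from typing import List

SAMPLE_DUMP = """Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashupdate/.DevAdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        limit-password
  Password requirements:
    mActivePasswordQuality=0
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def enabled_device_admins(dump: str) -> List[str]:
    """Return 'package/.Receiver' components listed under 'Enabled Device Admins'."""
    admins = []
    in_block = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        if _indent(line) <= 2:          # next top-level section ends the block
            in_block = False
            continue
        if _indent(line) == 4 and line.rstrip().endswith(":"):
            admins.append(line.strip()[:-1])
    return admins


def admin_package(component: str) -> str:
    """'com.pkg/.Receiver' -> 'com.pkg', the name pm and the Apps screen use."""
    return component.split("/", 1)[0]


def admin_is_test_only(dump: str, component: str) -> bool:
    """Read the admin's testOnlyAdmin flag; only such admins can be removed via dpm."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == component + ":":
            for sub in lines[i + 1:]:
                if sub.strip() and _indent(sub) <= 4:
                    break               # reached the next admin or section
                if sub.strip().startswith("testOnlyAdmin="):
                    return sub.split("=", 1)[1].strip() == "true"
    return False


def removal_plan(dump: str, component: str) -> List[str]:
    """Steps to remove the admin app. pm uninstall fails while the admin is active,
    so the admin has to go first: via dpm for testOnly admins, by hand otherwise."""
    pkg = admin_package(component)
    if admin_is_test_only(dump, component):
        first = f"adb shell dpm remove-active-admin {component}"
    else:
        first = (f"Deactivate '{component}' by hand: Settings -> Security -> "
                 "Device administrators -> (its label) -> Deactivate")
    return [first, f"adb shell pm uninstall --user 0 {pkg}",
            f"adb shell pm list packages | grep {pkg}   # expect no output"]


if __name__ == "__main__":
    for comp in enabled_device_admins(SAMPLE_DUMP):
        print(comp, "->", admin_package(comp))
        for step in removal_plan(SAMPLE_DUMP, comp):
            print("  ", step)
```

In practice, feed it the real output (`adb shell dumpsys device_policy > dump.txt`) and compare the listed components against the admins you expect on the device; the one whose package you do not recognise is the entry shown as "Secured protection" in Settings.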
The same dropper was recently discovered by others as well,
but with a different malicious payload, Anubis.
If you would like to replicate this analysis, you can download this APK sample for free from the Koodous project.