BankBot banking malware found in flashlight and solitaire apps


In joint research, IT security researchers at Avast, ESET, and SfyLabs have discovered yet another piece of malware on the Google Play Store hiding behind utility applications. The malware identified by the researchers is BankBot, a banking trojan with a history of infecting apps on the Play Store that keeps coming back and that Google has been unable to get rid of.

BankBot

BankBot is a banking malware that was discovered back in 2008 targeting third-party sites, but in 2014 it graduated and successfully made it to the Google Play Store to infect Android apps. Once installed, the malware conducts phishing attacks by showing fake versions of banking apps and gains administrative privileges before removing the app's icon, tricking the user into believing that the app has been deleted.
In reality, however, the app continues to run in the background. Furthermore, the malware spies on SMS messages sent by the user and collects sensitive information such as credit card numbers, CVC numbers, expiration dates, and the user's home address. It is also able to collect device specs such as the list of installed apps, OS version, IMEI, and phone model and send them to the hacker.
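The behaviours described above leave traces in an app's manifest, so a defender can triage a "utility" app before trusting it. The following is an added example, not code from the researchers or from this article: it assumes the manifest has already been decoded to text XML (for example with apktool), and the mapping from each behaviour to an Android permission, the function names, and the sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Assumed mapping from behaviours named in the article to Android permissions.
BEHAVIOUR_PERMS = {
    "sms_access": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(manifest_xml):
    """Return the sorted list of risky capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(A + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    found = {name for name, perms in BEHAVIOUR_PERMS.items() if requested & perms}
    # A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN.
    if any(r.get(A + "permission") == DEVICE_ADMIN for r in root.iter("receiver")):
        found.add("device_admin")
    return sorted(found)

def needs_review(findings):
    """A flashlight or card game has no need to read SMS; combined with admin
    or overlay capability it warrants manual analysis."""
    return "sms_access" in findings and bool({"device_admin", "overlay"} & set(findings))

# Constructed sample manifests (not taken from any real app).
CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight2">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        f = triage_manifest(xml)
        print(label, f, "REVIEW" if needs_review(f) else "ok")
```

A hit from this check is a reason for manual analysis, not a verdict: legitimate apps also request these permissions, and the icon hiding described above happens at runtime and does not show up in the manifest.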

BankBot In Utility Apps

Previously, BankBot was found in a fake Adobe Flash Player app, a Cryptocurrencies Market Prices app, and banking and entertainment apps. This time, however, BankBot was caught hiding behind flashlight and solitaire gaming apps, targeting customers of 131 banks worldwide, including Wells Fargo, DiBa, Chase, and Citibank.

Flashlight apps infected with BankBot (Credit: Avast)

According to a blog post by Nikolaos Chrysaidos, head of mobile threat intelligence and security at Avast:
“The malicious activities include the installation of a fake user interface that’s laid over the clean banking app when it’s opened by the user. As soon as the user’s bank details are entered, they are collected by the criminal. In some countries, banks use transaction authentication numbers (TANs), a form of two-factor authentication required to conduct online transfers often used by European banks. The authors of BankBot intercept their victims’ text message that includes the mobile TAN, allowing them to carry out bank transfers on the user’s behalf.” 
