Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
Security Research

Android Banking Trojan And SMS Stealer Floating In The Wild

image
VIRAL GANDHI
February 02, 2015 - 3 分で読了
 
 
We recently came across an Android Banking Trojan with a very low antivirus detection rate that is targeting Chinese mobile users. This Android malware is capable of stealing banking information by intercepting SMS messages looking for certain keywords. It also steals all the contact information from the user's mobile device and relays it to a remote Command & Control (C2) server.

Malicious Android package details
 
  • Name : 888.apk.
  • MD5 :  ff081c1400a948f2bcc4952fed2c818b.
  • VT : 7/56 (at the time of analysis)
  • Source: http://wap{.}jhgxc{.}com/888.apk
 
Functionality
 
  •  Intercept and capture all incoming and outgoing SMS messages
  •  Intercept incoming calls and the ability to end calls
  •  Receive C2 commands via SMS
  •  Sends stolen data via SMS, e-mail, and possibly web requests to the C2 server
Let's take a look at some of the above mentioned malware features and how they have been implemented:
 
Image
Email sent SMS
 
In the screenshot above, you can see that it is e-mailing the captured outbound SMS messages using a hardcoded 163.com email address. It e-mails the stolen data to itself with the subject "Send SMS".
 
Image
Email and SMS all sniffed data
 
 
Here you can see that it is e-mailing the captured inbound SMS messages using the same parameters that it used for outbound SMS messages. Additionally, it is also relaying the same information via SMS to a hardcoded Chinese phone number "15996581524".
 
Image
Intercepting call
 
The above screenshot shows the ability to intercept incoming calls and send the caller's number via e-mail with subject "Intercept incoming call once the call!". It also has the ability to end the call.
 
Image
Receives SMS as commands.
 
It's also capable of receiving C2 commands via SMS from the malware author to act further.
 
Image
Commands to act
 
As seen in the screenshot above, the attacker can start the data capturing activity by sending the SMS command "intercept#" and can also stop the capturing activity by sending SMS command "interceptstop#".
 
Image
Banking strings
 
In the screenshot above, you can see that there are string checks in place which are related to online banking transactions. It checks for strings like "Pay","Check","Bank","Balance","Validation"  which clearly shows the intent of the malware author to sniff banking related information.
 
Image
Setting high priorities
 
The malware sets the SMS receiver and outgoing call services to high priority. This will ensure that the malicious application will get a higher preference for these events compared to other applications.
 
Image
Web request for sending stolen contacts
 
We also saw some code that can allow the malware to send stolen contact information & SMS data through web requests. However, it appears to be non-functional in this version and the malware author might still be testing out this feature, as seen by the usage of the private IP address:
 
Image
Web request for sending stolen SMS data


The following are screenshots showing a sample of stolen information that the malware author has been able to capture through these malicious APK infections till now:
 
Image
Sent email section
Image
E-mailed stolen SMS message
Image
Intercepted incoming call notification
 
Image
SMS matching online banking strings
 
Image
Stolen contact information

 
Image
Infected mobile users.
Image
Intercepted online banking SMS
Image
Intercepted online banking SMS
 
Here you can see some serious financial information sniffed by this malware illustrating the impact of such banking sniffers.
 
-Viral.

 
form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。