Banking Trojan targets clients of Russian financial institutions

— Trustlook Research Team

Trojans are pieces of software that appear to be legitimate applications while exhibiting malicious behavior. Banking Trojans are specifically designed to steal a user’s online banking credentials. The banking trojan sample discovered and detected by Trustlook and analyzed here has the following characteristics:

  • MD5: d6d2427df4c03a7cc61c97b4eebdd655
  • SHA256: 1974c82877a3abdffa6f9246138a3819c2c543a9c904a753bea3663bd21d9239
  • Size: 577590 bytes
  • App name: 2ГИС (Russian; the name of the legitimate 2GIS maps and directory app)
  • Package name: ru.drink.lime

The package icon is:

[Screenshot: package icon]

The app targets clients of Russian financial institutions. All of its user-facing text is written in Russian, which gives the victim a false sense of legitimacy. The malware can receive commands instructing it to send and intercept SMS messages. Once the attacker holds the account credentials and password, this lets them confirm a money transfer through the SMS-based confirmation that is commonly used by banks in Russia.

The app forces the user to grant it device administrator rights, which it uses to maintain persistence on the device:

[Screenshot: device administrator activation prompt]

If the user denies the request, the app enters a loop and keeps re-displaying the “Activate device administrator” window until the user gives in. The following code snippet performs this:

[Screenshot: code snippet]

After installation, the app removes its own launcher icon to hide its presence from the user.

The app communicates with a remote server and sends personal information from the device to it:

[Screenshot: network traffic to the remote server]

The following code snippets demonstrate the above behaviours:

[Screenshot: code snippet]

The app checks whether the following packages are installed:

  • ru.sberbankmobile
  • com.android.vending
  • com.idamob.tinkoff.android
  • ru.vtb24.mobilebanking.android
  • ru.alfabank.mobile.android
  • ru.raiffeisennews

It then checks whether one of these apps is currently running and, if so, starts a service that displays a fake copy of the legitimate app’s login form on top of it and captures whatever the user enters. (com.android.vending is the Google Play Store, not a bank; the remaining five are the official apps of Russian banks.)

[Screenshots: code snippets]

The following code snippets are used by the malware to display its fake interface for the “ru.sberbankmobile” banking app:

[Screenshots: code snippets]

The malware creates a SQLite database to store its configuration and the collected information; the table has the following columns:

  • client_id integer
  • client_password TEXT
  • need_admin integer
  • need_card integer
  • first_bank integer
  • need_sber integer
  • need_tinkoff integer
  • need_vtb integer
  • need_alpha integer
  • need_raiff integer
  • server TEXT
  • filter TEXT
  • exist_bank_app integer

The malware can receive commands from the remote server to send and receive SMS messages; once the attacker has obtained the user’s banking credentials, this lets them complete mobile fund transfers that require SMS confirmation. The malware also intercepts incoming SMS messages and can abort the broadcast so that no new-message notification is shown to the user, hiding the bank’s confirmation codes. Note that aborting the SMS_RECEIVED broadcast only works on Android versions before 4.4 (KitKat); from 4.4 onward that broadcast cannot be aborted and only the default SMS app can suppress an incoming message.

[Screenshot: code snippet]

The malware uses the following command strings in its communication with the remote server:

  • taskUsssd
  • taskSms
  • deliverySms
  • okSmsSend
  • errorSmsSend
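The behaviours described above (the device administrator nag loop, the hidden launcher icon, the list of targeted bank packages, the SMS interception and the command vocabulary) are all visible as plain strings in the sample’s code and manifest, which makes them a good basis for a static triage rule. The script below is an added example, not Trustlook’s detection logic and not the malware’s code. It scans the printable strings of a decoded APK (for instance `strings classes.dex` together with the decoded AndroidManifest.xml) for those indicators. The package names and command strings are taken from this write-up; the Android API and permission names are the standard platform identifiers for each behaviour and are an assumption about this particular sample, whose code the post shows only in screenshots. Both input string sets are constructed.

```python
"""Static indicator scan for the behaviours described in this write-up."""
from collections import defaultdict

# From the write-up: packages whose presence the trojan checks for.
TARGET_BANK_PACKAGES = {
    "ru.sberbankmobile": "Sberbank",
    "com.idamob.tinkoff.android": "Tinkoff",
    "ru.vtb24.mobilebanking.android": "VTB24",
    "ru.alfabank.mobile.android": "Alfa-Bank",
    "ru.raiffeisennews": "Raiffeisen",
}
PLAY_STORE = "com.android.vending"  # also checked by the sample; not a bank

# From the write-up: command strings exchanged with the remote server.
C2_COMMANDS = ("taskUsssd", "taskSms", "deliverySms", "okSmsSend", "errorSmsSend")

# Standard Android identifiers for each behaviour (assumed for this sample).
API_INDICATORS = {
    "device_admin_coercion": (
        "android.app.action.ADD_DEVICE_ADMIN",    # launches the "Activate admin" prompt
        "android.permission.BIND_DEVICE_ADMIN",   # required by the admin receiver
        "isAdminActive",                          # checked to decide whether to re-prompt
    ),
    "icon_hiding": ("setComponentEnabledSetting",),  # disables the launcher activity
    "sms_interception": (
        "android.permission.RECEIVE_SMS",
        "android.provider.Telephony.SMS_RECEIVED",
        "abortBroadcast",                         # keeps the SMS from the user's inbox app
    ),
    "sms_sending": ("android.permission.SEND_SMS", "sendTextMessage"),
}


def scan_strings(strings):
    """Return {category: sorted indicators} found in an iterable of strings."""
    hits = defaultdict(set)
    for s in strings:
        for category, needles in API_INDICATORS.items():
            hits[category].update(n for n in needles if n in s)
        hits["targeted_banks"].update(
            bank for pkg, bank in TARGET_BANK_PACKAGES.items() if pkg in s)
        if PLAY_STORE in s:
            hits["targeted_banks"].add("Google Play")
        hits["c2_commands"].update(c for c in C2_COMMANDS if c in s)
    return {k: sorted(v) for k, v in hits.items() if v}


def classify(hits):
    """Combine indicators so that a legitimate bank app is not flagged.

    A bank's own app legitimately reads SMS (one-time-code autofill), sends SMS
    and names its own package.  What sets an overlay trojan apart is naming
    several other banks' packages together with suppressing SMS broadcasts or
    speaking the C2 command vocabulary.
    """
    banks = len(hits.get("targeted_banks", []))
    suppresses_sms = "abortBroadcast" in hits.get("sms_interception", [])
    coerces_admin = "android.app.action.ADD_DEVICE_ADMIN" in hits.get("device_admin_coercion", [])
    talks_c2 = len(hits.get("c2_commands", [])) >= 2
    if banks >= 2 and (suppresses_sms or talks_c2):
        return "banking_trojan"
    if banks >= 2 or suppresses_sms or coerces_admin or talks_c2:
        return "suspicious"
    return "clean"


# Constructed: strings one would expect from this sample's classes.dex and manifest.
TROJAN_STRINGS = [
    "ru.drink.lime",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.app.action.ADD_DEVICE_ADMIN",
    "Landroid/app/admin/DevicePolicyManager;->isAdminActive",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "android.provider.Telephony.SMS_RECEIVED",
    "Landroid/content/BroadcastReceiver;->abortBroadcast",
    "ru.sberbankmobile", "com.android.vending", "com.idamob.tinkoff.android",
    "ru.vtb24.mobilebanking.android", "ru.alfabank.mobile.android", "ru.raiffeisennews",
    "taskUsssd", "taskSms", "deliverySms", "okSmsSend", "errorSmsSend",
]

# Constructed: a legitimate bank app that reads one-time-code SMS and sends SMS itself.
BANK_APP_STRINGS = [
    "ru.sberbankmobile",
    "android.permission.RECEIVE_SMS",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.permission.SEND_SMS",
    "Landroid/telephony/SmsManager;->sendTextMessage",
]

if __name__ == "__main__":
    for name, sample in (("trojan", TROJAN_STRINGS), ("bank app", BANK_APP_STRINGS)):
        found = scan_strings(sample)
        print(name, classify(found), found)
```

The classification deliberately requires a combination of indicators: SMS permissions alone are common in legitimate banking apps, and the Google Play package name appears in almost any app that links to the store, so neither is a signal on its own.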
