— Trustlook Research Team
Trojans are pieces of software that pose as legitimate applications while carrying out malicious behavior. Banking Trojans are specifically built to steal a user's online banking credentials. The banking Trojan sample analysed here, detected by Trustlook, has the following characteristics:
- MD5: d6d2427df4c03a7cc61c97b4eebdd655
- SHA256: 1974c82877a3abdffa6f9246138a3819c2c543a9c904a753bea3663bd21d9239
- Size: 577590 bytes
- App name: 2ГИС (Russian; the name of the legitimate Russian mapping app 2GIS, which the Trojan impersonates)
- Package name: ru.drink.lime
The package icon is:
The app targets customers of Russian banks. Its interface is written in Russian so that it looks like a legitimate local app to those users. It can receive commands from its operator that send and intercept SMS messages; with the stolen account login and password, the attacker can initiate a transfer and then confirm it with the SMS confirmation code that Russian banks commonly use.
The app pressures the user into granting it device administrator rights, which it uses to stay on the device (an active device administrator cannot be uninstalled until that status is revoked):
If the user declines, the app enters a loop and keeps re-opening the "Activate device administrator" window until the request is granted. The following code snippets perform these actions:
Once installed, the app removes its launcher icon so the user no longer sees it.
The app contacts a remote server and uploads personal information from the device:
The following code snippets demonstrate the behaviors above:
The app checks whether the following packages are installed:
It then checks whether one of those apps is running and, if so, starts a service that shows a copy of the legitimate bank app's login form on top of it, so that whatever the user types into the form is captured by the malware.
The following code snippet is the routine the malware uses to display its fake interface for the “ru.sberbankmobile” (Sberbank) banking app:
The malware creates an SQLite database to store its configuration and the collected information; the table has the following structure:
- client_id integer
- client_password TEXT
- need_admin integer
- need_card integer
- first_bank integer
- need_sber integer
- need_tinkoff integer
- need_vtb integer
- need_alpha integer
- need_raiff integer
- server TEXT
- filter TEXT
- exist_bank_app integer
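The table above is effectively the bot's persistent configuration: which bank overlays to show (`need_*`), whether it still has to obtain admin rights, the C2 `server` and an SMS `filter`. As an added example (not Trustlook's code and not extracted from the sample), the following Python script shows how an analyst would read those fields from a database pulled off an infected device. The table name `config`, the single-row layout, the bank each `need_*` column stands for (Sberbank is the only one the post confirms, via `ru.sberbankmobile`) and every value in the constructed row are assumptions made for this example.

```python
"""Read the bot's configuration out of its SQLite database.

Added example, not Trustlook's code. Column names come from the table
structure documented above; the table name "config", the one-row layout
and the sample values are assumptions made for this example.
"""
import sqlite3
from typing import Any, Dict, List

TABLE_NAME = "config"  # assumed: the write-up does not give the table name

# The need_* columns are read as per-bank overlay switches. Sberbank is
# confirmed by the ru.sberbankmobile reference; the other bank names are
# the analyst's reading of the column names (assumption).
BANK_FLAGS = {
    "need_sber": "Sberbank",
    "need_tinkoff": "Tinkoff",
    "need_vtb": "VTB",
    "need_alpha": "Alfa-Bank",
    "need_raiff": "Raiffeisen",
}

# "filter" is quoted because it is also an SQL keyword.
SCHEMA = f"""
CREATE TABLE {TABLE_NAME} (
    client_id integer,
    client_password TEXT,
    need_admin integer,
    need_card integer,
    first_bank integer,
    need_sber integer,
    need_tinkoff integer,
    need_vtb integer,
    need_alpha integer,
    need_raiff integer,
    server TEXT,
    "filter" TEXT,
    exist_bank_app integer
)
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding one constructed config row.

    On a real case you would instead open the .db file copied from the
    infected device's /data/data/<package>/databases directory.
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.execute(
        f"INSERT INTO {TABLE_NAME} VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)",
        (
            1001,                          # client_id (constructed)
            "p@ss",                        # client_password (constructed)
            1,                             # need_admin: still asking for admin
            0,                             # need_card
            0,                             # first_bank
            1,                             # need_sber
            0,                             # need_tinkoff
            1,                             # need_vtb
            0,                             # need_alpha
            0,                             # need_raiff
            "http://c2.invalid/gate.php",  # server (constructed, .invalid TLD)
            "900",                         # filter (constructed SMS filter)
            1,                             # exist_bank_app
        ),
    )
    conn.commit()
    return conn


def extract_config(conn: sqlite3.Connection) -> Dict[str, Any]:
    """Return the fields an analyst wants first: victim id, C2 server,
    SMS filter, which bank overlays are switched on, and whether the bot
    is still trying to obtain device-admin rights."""
    row = conn.execute(f"SELECT * FROM {TABLE_NAME} LIMIT 1").fetchone()
    if row is None:
        raise ValueError("config table is empty")
    targeted: List[str] = [bank for col, bank in BANK_FLAGS.items() if row[col]]
    return {
        "client_id": row["client_id"],
        "client_password": row["client_password"],
        "server": row["server"],
        "filter": row["filter"],
        "need_admin": bool(row["need_admin"]),
        "exist_bank_app": bool(row["exist_bank_app"]),
        "targeted_banks": targeted,
    }


if __name__ == "__main__":
    for key, value in extract_config(build_sample_db()).items():
        print(f"{key:16} {value}")
```

The `server` and `filter` values are the ones worth extracting first: the former is the C2 indicator to block and hunt for, and the latter tells you which incoming SMS senders the bot was configured to watch.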
The malware receives commands from the remote server that make it send SMS messages and forward received ones; once the attacker holds the user's banking credentials, this is enough to run SMS-confirmed fund transfers from the victim's phone. Incoming SMS messages are intercepted by a broadcast receiver that can abort the broadcast, so the message never reaches the messaging app and the user sees no new-message notification.
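As an added example (not Trustlook's code and not taken from the sample), the following Python script shows how an analyst can triage a decoded AndroidManifest.xml for the capability combination this post describes: a BIND_DEVICE_ADMIN receiver for persistence, SMS permissions, and an SMS_RECEIVED receiver registered with a high priority, which is what lets a receiver run before the messaging app and abort the broadcast. It runs against a constructed manifest embedded in the script; the package name is the sample's, while the component names, label layout and priority value are invented.

```python
"""Static triage of a decoded AndroidManifest.xml for device-admin
persistence plus SMS interception.

Added example, not Trustlook's code. Point it at the manifest produced by
apktool (or another decoder) on a real sample; here it runs on a
constructed manifest.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}

# Constructed manifest: package name from the sample, everything else invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ru.drink.lime">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="2ГИС">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _to_int(value: Optional[str]) -> Optional[int]:
    """Priority may be a literal or a resource reference (@integer/...)."""
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Flag the device-admin + SMS-interception combination in a manifest."""
    root = ET.fromstring(xml_text)

    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    sms_perms = sorted(p for p in perms if p in SMS_PERMS)

    admin_receivers: List[str] = []
    sms_priorities: List[int] = []
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name", "?")
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if rcv.get(A + "permission") == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ENABLED in actions:
            admin_receivers.append(name)
        if SMS_RECEIVED in actions:
            for flt in rcv.iter("intent-filter"):
                pr = _to_int(flt.get(A + "priority"))
                if pr is not None:
                    sms_priorities.append(pr)

    # SMS_RECEIVED is an ordered broadcast: the highest-priority receiver runs
    # first and can call abortBroadcast() so later receivers never see the
    # message. Any explicit priority above the default 0 is treated as the
    # static trace of that technique (heuristic chosen for this example).
    top_priority = max(sms_priorities) if sms_priorities else None
    intercept = top_priority is not None and top_priority > 0

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "device_admin_receivers": admin_receivers,
        "sms_receiver_priority": top_priority,
        "suspicious": bool(admin_receivers) and bool(sms_perms) and intercept,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key:24} {value}")
```

Two caveats when using this on real samples: icon hiding is done at run time (typically by disabling the launcher activity through PackageManager.setComponentEnabledSetting), so the launcher activity still appears in the manifest and the call must be looked for in the decompiled code instead; and since Android 4.4 the default SMS app is handed the message through SMS_DELIVER regardless, so aborting SMS_RECEIVED only hides it from other listeners on newer devices.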
The malware uses the following command strings in its communication with the remote server: