Published on June 17th, 2015

Android Users Targeted by Sberbank Mobile Banking Trojan

Security researchers are warning Android users to be wary of a trojan that poses as a legitimate online mobile banking application and is being distributed through third-party app stores and file-sharing sites.

“Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices,” the researchers said.

“However, instead of a real program, users get a modified version containing a Trojan able to perform different malicious actions on the infected device.”

The malware, dubbed Android.BankBot.65.origin, was injected by attackers into mobile banking software designed for Sberbank, a large financial institution based in Russia which also has extensive operations in Eastern Europe.

“By adding malicious functionality to the program, cybercriminals modified it and planted the new version on one popular website dedicated to mobile devices. The compromised copy of an application operates exactly like its original version,” the team said.

“Users do not expect the downloaded program to be a malicious one, which puts their confidential data in danger. So far, more than 70 Android devices’ owners have already downloaded the modified application.”





Analysis reveals that Android.BankBot.65.origin creates a special configuration file and then establishes a connection to the command and control (C&C) server to send it the following data using a POST request:

  • IMEI
  • Mobile network operator
  • MAC address of the Bluetooth adapter
  • Data on availability of QIWI Wallet
  • API version of the device
  • Trojan’s version
  • Trojan’s package name
  • Currently executed command
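A beacon like the one described above carries a device IMEI and a Bluetooth MAC address together, which gives defenders something to look for in proxy or gateway logs. The sketch below is an added example, not code from the researchers or the original article; it assumes request bodies are visible in plaintext at an inspecting proxy, and the host names, field names and log records are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed allowlist: hosts managed devices are expected to POST to.
KNOWN_HOSTS = {"online.bank.example"}

IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; this rejects arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(body: str) -> dict:
    """Extract Luhn-valid IMEIs and MAC addresses from a request body."""
    text = unquote_plus(body)   # undo form/URL encoding before matching
    return {
        "imei": [m for m in IMEI_RE.findall(text) if luhn_ok(m)],
        "mac": MAC_RE.findall(text),
    }

def flag_beacons(records):
    """Hosts outside the allowlist that received a POST with IMEI and MAC."""
    hits = []
    for method, host, body in records:
        if method != "POST" or host in KNOWN_HOSTS:
            continue
        ids = find_identifiers(body)
        if ids["imei"] and ids["mac"]:
            hits.append(host)
    return hits

# Constructed proxy records: (method, host, request body).
SAMPLE = [
    ("POST", "online.bank.example", "imei=490154203237518&mac=00%3A11%3A22%3A33%3A44%3A55"),
    ("POST", "c2.invalid", "imei=490154203237518&op=ExampleTel&bt=00%3A11%3A22%3A33%3A44%3A55&api=19"),
    ("POST", "cdn.example", "order=123456789012345&note=hello"),
    ("GET", "c2.invalid", ""),
]

if __name__ == "__main__":
    print(flag_beacons(SAMPLE))
```

The Luhn check keeps order numbers and other 15-digit values from triggering the rule; requiring both identifiers in one POST narrows it further.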

The malware can then send an encrypted file with the target’s contacts to the C&C server, intercept incoming SMS text messages, and send texts to numbers under the control of the attackers.

This allows the attackers to illicitly transfer funds from the target’s accounts to those under their control, or to send fraudulent texts telling the target that their credit card has been blocked and instructing them to call a specified number, in order to harvest more financial information.

Android mobile device users should use caution when choosing their applications for download, and should only obtain software from Google Play, or from official websites of their financial organizations to help prevent such abuses.
