
Published on July 8th, 2019


New Malware Is Recording Password Screens



The Anubis banking trojan generated headlines last year, hitchhiking its way onto Android devices through infected downloads from the Google Play Store. The malware would seek permission to use the device's accessibility services, keylogging its way to "stealing login credentials to banking apps, e-wallets and payment cards." Anubis was enabled by a "dropper" with a "proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps."

BianLian was the "dropper" that pushed Anubis onto devices, "masquerading as simple applications that are always in demand, such as currency/rates calculators, device cleaners and even discounter apps." Threat Fabric reported that "to ensure that malware would stay on the victims’ device as long as possible, [BianLian's] applications were actually working and even had a good rating in the Google Play store."

The name BianLian, the Threat Fabric researchers explained, "is a reference to the Chinese theatrical art of changing from one face to another almost instantaneously." And those researchers predicted that "while still dropping Anubis, [BianLian] was on the way to becoming a full-blown banking trojan itself."

Little surprise then, that BianLian has now returned to do exactly that. Researchers at Fortinet have reported that the new and "improved" BianLian has morphed into a sophisticated malware that brings new techniques to the attack on banking apps, recording screens to steal credentials, locking out users to hide its activities, "rendering devices unusable."

Once BianLian has received permission to use a device's accessibility services, the attack can begin. Financial windows can be recorded using a new screencast module as users type in usernames and passwords, card details and account numbers. A cloaked communication channel can spirit all this back to the cybercriminals behind the attack. And BianLian's "dropper" legacy means that the malware is an expert at hiding itself from detection, bypassing safeguards on Google Play to reach its user base.
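
For defenders, the accessibility grant described above is the checkpoint worth auditing. The following is an added example, not part of the original article or of Fortinet's research: it parses the value returned by `adb shell settings get secure enabled_accessibility_services` and lists services belonging to packages outside an expected set. The sample value, the package `com.example.ratescalc` and the allow-list are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allow-list."""
from dataclasses import dataclass

# Constructed sample of the colon-separated "package/service-class" value
# returned by: adb shell settings get secure enabled_accessibility_services
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.ratescalc/.CalcHelperService"
)

# Hypothetical allow-list: packages the device owner expects to hold
# accessibility access (here, only the screen reader).
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class Service:
    package: str
    cls: str  # fully qualified service class, "" if the entry was malformed


def parse_enabled_services(raw):
    """Turn the raw setting value into a list of Service entries."""
    raw = raw.strip()
    if raw in ("", "null"):  # the setting is unset or no service is enabled
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            # Keep malformed entries visible instead of silently dropping them.
            services.append(Service(entry, ""))
            continue
        if cls.startswith("."):  # shorthand is relative to the package name
            cls = package + cls
        services.append(Service(package, cls))
    return services


def unexpected_services(raw, allowed):
    """Return enabled services whose package is not on the allow-list."""
    return [s for s in parse_enabled_services(raw) if s.package not in allowed]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print(f"review: {svc.package} runs accessibility service {svc.cls}")
```
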

A list of banking apps targeted by BianLian can be found here.

Fortinet's Dario Durando warned that although BianLian "still seems to be under active development," the dangerous, updated functionality "puts it on a par with the other big players in the banking malware space."

Mobile banking malware is on the rise, with Kaspersky reporting that certain types of such attacks as much as tripled in 2018 over 2017. With that in mind, with the level of sophistication unearthed here, and with the clear warning that the level of sophistication will only get worse, it makes for bleak reading.

And so all eyes turn to Google and its battle to police Google Play, ensuring that malicious apps cannot get through its safeguards. But, as I reported last month, with thousands of malicious apps available for download, the tech giant has work left to do.




