Banking details are parsed and emailed to the attacker

Feb 3, 2015 14:28 GMT  ·  By

A newly discovered banking Trojan targeting Android users receives its instructions via SMS, which suggests that the attacker is actively monitoring the victims rather than running a fully automated campaign.

Its capabilities include intercepting both incoming and outgoing SMS messages and copying the contact list stored on the infected device. It can also intercept incoming calls and terminate them.

All the information collected from the compromised Android device is delivered to a remote command and control (C&C) server whose address is hard-coded in the malware.

Info is delivered to hard-coded phone number

Security researchers at Zscaler have observed that the operator targets mobile banking users in China. Upon analyzing the threat, which masquerades as a gambling app, they noticed that the data amassed on the C&C server is forwarded to the attacker via email.

Certain types of data can also be singled out and sent via SMS to a Chinese phone number hard-coded in the malware. The remote server parses the texts it receives for specific keywords and relays to the attacker only those messages that contain banking details.

As a security precaution, many banks have adopted one-time passwords (OTPs) as a second authentication factor, so that access to an account is granted only to its true owner: a supplementary verification code must be entered after the username and password at login.

The code can be generated by a physical token or sent by the bank to the user's mobile phone via SMS. If the threat actor already holds the login credentials, they can intercept the incoming OTP and complete the login to the online banking account. This is the fundamental weakness of SMS as a second factor: the code is delivered to the same device the malware already controls, so it adds nothing against device-resident malware.

The Trojan may be a work in progress

When an incoming call is intercepted, the cybercriminal is also notified by an email with the subject “Intercept incoming call once the call!” and the caller's phone number in the body.

Starting and stopping the data capture is controlled through text messages containing the “intercept#” and “interceptstop#” commands, respectively.
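The command protocol above, together with the keyword relay described earlier, is easy to reproduce as a small model, which is useful for building test fixtures when writing detections for this family. The block below is an added example, not code from the article or from Zscaler's analysis; it folds the device-side command handling and the server-side keyword filtering into one state machine for clarity, and the keyword list, the controller number and the sample SMS feed are all constructed assumptions (the article only says the server matches "specific keywords" without naming them).

```python
import re
from dataclasses import dataclass, field

# Control commands named in Zscaler's analysis.
CMD_START = "intercept#"
CMD_STOP = "interceptstop#"

# ASSUMED keyword list: the real server-side keywords are not published.
BANKING_KEYWORDS = ("bank", "otp", "verification code", "one-time password",
                    "balance", "transfer")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in BANKING_KEYWORDS),
                        re.IGNORECASE)

# Placeholder controller number (constructed, not from the malware).
CONTROLLER = "+8610000000000"


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class InterceptModel:
    """State machine: commands from the controller toggle capture; while
    capturing, only keyword-matching messages are relayed onward."""
    controller: str
    capturing: bool = False
    relayed: list = field(default_factory=list)    # what the attacker sees
    discarded: list = field(default_factory=list)  # captured, not banking-related

    def handle(self, sms):
        body = sms.body.strip()
        # Commands are honoured only from the controller's number; the same
        # text from anyone else is treated as ordinary traffic.
        if sms.sender == self.controller:
            if body == CMD_START:
                self.capturing = True
                return "command"
            if body == CMD_STOP:
                self.capturing = False
                return "command"
        if not self.capturing:
            return "ignored"
        if KEYWORD_RE.search(body):
            self.relayed.append(sms)
            return "relayed"
        self.discarded.append(sms)
        return "discarded"


def run_feed(controller, feed):
    """Replay a list of Sms through a fresh model; returns (model, verdicts)."""
    model = InterceptModel(controller)
    return model, [model.handle(s) for s in feed]


# Constructed sample feed exercising the edge cases: traffic before the start
# command, a fake command from a non-controller number, and traffic after stop.
SAMPLE_FEED = [
    Sms("+15550100", "Your bank OTP is 482913"),   # before start: ignored
    Sms(CONTROLLER, "intercept#"),                 # start capture
    Sms("+15550100", "Your bank OTP is 482913"),   # relayed (keyword hit)
    Sms("+15550123", "Dinner at 8?"),              # captured but discarded
    Sms("+15550124", "intercept#"),                # not from controller: plain text
    Sms(CONTROLLER, "interceptstop#"),             # stop capture
    Sms("+15550100", "Balance: 1,204.55"),         # after stop: ignored
]

if __name__ == "__main__":
    model, verdicts = run_feed(CONTROLLER, SAMPLE_FEED)
    for sms, verdict in zip(SAMPLE_FEED, verdicts):
        print(f"{verdict:9s} {sms.sender:15s} {sms.body}")
```

Note the ordering of checks: the controller test runs before the capture-state test, so the attacker can always turn capture back on, but a victim's contact sending the literal string “intercept#” cannot.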

Zscaler’s analysis revealed that the malware author registered the Trojan's receivers for incoming text messages and outgoing calls with a high priority, so the operating system hands those events to the malware ahead of other apps. On Android versions before 4.4, a receiver that gets the SMS broadcast first can also abort it, so the legitimate messaging app never sees the message.
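That priority trick leaves a visible trace in the app's manifest, which makes it a cheap triage check when examining a suspicious APK. The block below is an added example, not part of the article or of Zscaler's tooling: it scans a decoded AndroidManifest.xml for broadcast receivers that subscribe to SMS or call events with an unusually high android:priority. The threshold of 1000 is IntentFilter.SYSTEM_HIGH_PRIORITY, above which an ordinary app has no legitimate business; the sample manifest is constructed for the demonstration and the package and class names in it are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIO_ATTR = f"{{{ANDROID_NS}}}priority"

# Broadcasts an SMS-stealing / call-intercepting Trojan wants to see first.
SENSITIVE_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.intent.action.PHONE_STATE",
}

# IntentFilter.SYSTEM_HIGH_PRIORITY; anything at or above this is suspicious.
PRIORITY_THRESHOLD = 1000


def find_high_priority_receivers(manifest_xml, threshold=PRIORITY_THRESHOLD):
    """Return [(receiver_name, priority, [sensitive actions])] for every
    intent-filter that combines a sensitive action with a priority >= threshold."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        receiver_name = receiver.get(NAME_ATTR, "?")
        for flt in receiver.findall("intent-filter"):
            raw = flt.get(PRIO_ATTR)
            if raw is None:
                continue  # default priority 0
            try:
                priority = int(raw)
            except ValueError:
                # A resource reference (e.g. "@integer/...") would need the
                # resource table to resolve; skip it in this simple check.
                continue
            actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
            hits = actions & SENSITIVE_ACTIONS
            if hits and priority >= threshold:
                findings.append((receiver_name, priority, sorted(hits)))
    return findings


# Constructed sample manifest: two abusive receivers, two benign ones.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.luckycards">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Lucky Cards">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter android:priority="999999">
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".TwoFactorHelper">
      <intent-filter android:priority="10">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, prio, actions in find_high_priority_receivers(SAMPLE_MANIFEST):
        print(f"{name}: priority={prio} actions={actions}")
```

Run it against the output of apktool or a similar decoder; a hit is not proof of malice on its own (some legitimate SMS apps also raise their priority), but combined with RECEIVE_SMS plus PROCESS_OUTGOING_CALLS permissions in a game it is worth a closer look.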

The malware may not be fully mature yet: the researchers found code that is not functional in the current version, suggesting that the author is still refining it.

“We also saw some code that can allow the malware to send stolen contact information & SMS data through web requests. However, it appears to be non-functional in this version and the malware author might still be testing out this feature,” Zscaler says.

Android Banking Trojan (5 images): Various messages from the banking service; SMS intercepted from online banking service; Infected devices communicate info to the attacker.