Like a whining child, the trojan won't give up until it gains device admin privileges so it can carry out its attacks

May 5, 2016 13:15 GMT  ·  By

Security researchers detected a new type of Android malware that constantly and relentlessly pesters users for device admin permissions until the user gives in. Avast says it detects this trojan under the name Android:Banker-IR [Trj] (Android Banker in this article).

The infection takes place using social engineering, with the malware author tricking the user into downloading and then installing apps infected with his trojan.

Trojan packed inside MMS Android applications

After installation, the malicious app adds icons to the user's homescreen with the following names: AVITO-MMS, KupiVip and MMS Центр (MMS Center).

If the user launches any of these apps, the trojan's malicious activity starts, and the first thing it will do is initiate a timer that constantly shows a popup on the screen that asks the user to give device admin privileges to the new app.

As soon as the user dismisses the popup, a new one appears in its place right away, again, and again, and again. Unless the user grants admin privileges, the only way to remove Android Banker from the smartphone is to restart the device and then reset it to factory settings.

"On Marshmallow, you can try to uninstall the app even with the annoying screens popping up all the time, by going to settings with the top-down swipe," Avast's Jan Piskacek also added. "This approach, however, doesn't work on the KitKat version of Android."

The trojan also wants to be the phone's default SMS application

If the user gives in and grants it admin privileges, the trojan then shows another annoying popup, this one asking the user to set its app, whichever of AVITO-MMS, KupiVip or MMS Центр (MMS Center) was installed, as the phone's default SMS application.

Once users give it these privileges, the trojan begins its truly nefarious behavior. Android Banker first establishes a connection to its C&C server and then starts collecting a lot of technical information about the local device.

The data the trojan harvests and sends to its master server includes details about the Android OS version, the phone's technical specs, network settings, phone number, SIM serial number, and information about the trojan itself, such as its version number and whether it managed to obtain admin privileges and the default SMS app slot.

Android Banker also wants your credit card number

After this, Android Banker will attempt to fool the user into entering his credit card number into a popup form. To do this, the trojan shows a popup, labeled with Google Play's logo, asking the user to "update" his payment information. The dead giveaway is in the Google Play logo, where the crook has misspelled Play with a lowercase "p."

Besides stealing credit card info, Avast researchers say the trojan is also capable of downloading other apps, prompting the user to install them, and harvesting call logs, SMS messages, the user's contact list, GPS coordinates, a list of installed applications, and browser bookmarks.

Additionally, the trojan is able to lock the screen on demand and even redirect calls to a specific number, both useful to the crook when attempting to use the stolen credit card numbers to commit online fraud.
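The capabilities described above (a device-admin receiver, the full set of components Android requires of a default SMS app, and permissions covering SMS, call logs, contacts, location and outgoing calls) all have to be declared in the APK's manifest, which makes them a cheap triage signal for an analyst or an app-vetting pipeline. The script below is an added example and is not Avast's code or anything taken from the trojan; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, its package name `com.example.mmscenter` and its component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that correspond to the data the article says Android Banker harvests or abuses
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.ACCESS_FINE_LOCATION": "read GPS coordinates",
    "android.permission.PROCESS_OUTGOING_CALLS": "redirect outgoing calls",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_PHONE_STATE": "read phone number / SIM details",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _actions(component):
    """Collect every intent-filter action a component registers for."""
    return {_attr(a, "name")
            for f in component.findall("intent-filter")
            for a in f.findall("action")}


def triage_manifest(manifest_xml: str) -> dict:
    """Flag device-admin use, default-SMS-app eligibility and sensitive permissions."""
    root = ET.fromstring(manifest_xml)
    findings = {"device_admin": False, "default_sms_app": False, "sensitive_permissions": []}
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    findings["sensitive_permissions"] = sorted(
        SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS)
    app = root.find("application")
    if app is None:
        return findings
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens for DEVICE_ADMIN_ENABLED
    for r in app.findall("receiver"):
        if (_attr(r, "permission") == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in _actions(r)):
            findings["device_admin"] = True
    # To be offered as the default SMS app, Android requires SMS_DELIVER and WAP_PUSH_DELIVER
    # receivers, a RESPOND_VIA_MESSAGE service and a SENDTO activity
    receiver_actions = set().union(*(_actions(r) for r in app.findall("receiver")))
    service_actions = set().union(*(_actions(s) for s in app.findall("service")))
    activity_actions = set().union(*(_actions(a) for a in app.findall("activity")))
    findings["default_sms_app"] = (
        "android.provider.Telephony.SMS_DELIVER" in receiver_actions
        and "android.provider.Telephony.WAP_PUSH_DELIVER" in receiver_actions
        and "android.intent.action.RESPOND_VIA_MESSAGE" in service_actions
        and "android.intent.action.SENDTO" in activity_actions)
    return findings


def risk_score(findings: dict) -> int:
    """Simple additive score: the two privilege grabs weigh more than any single permission."""
    score = 3 * findings["device_admin"] + 3 * findings["default_sms_app"]
    return score + len(findings["sensitive_permissions"])


# Constructed sample manifest modelled on the behaviour described in the article
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mmscenter">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="MMS Центр">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: one launcher activity, network access only
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml)
        print(label, risk_score(f), f)
```

The score is deliberately crude: a legitimate messaging client also declares the default-SMS components, so the signal worth alerting on is the combination of default-SMS eligibility with a device-admin receiver and call-log, contact and location permissions in an app whose stated purpose is "MMS".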

Researchers say they've first seen the trojan at the start of February, when they also saw the biggest infection numbers, and that most victims were Russian users, followed by the US and a few countries in Europe.

Image: Android Banker mode of operation

Image: Android Banker infections by the numbers