BankBot Malware Slips Into Google Play Yet Again

A new version of a persistent family of banking malware has been discovered on Google Play, after at least four previous versions were removed from Google’s official Android app store earlier this year.

The latest variants of the BankBot Trojan pose as flashlight apps, solitaire games or smartphone cleaner software, according to an advisory jointly published by security firms Avast, SfyLabs and ESET.

The researchers said they first spotted the flashlight apps on 13 October, and detected the infected games and cleaner apps in late October and early November.

Some variants remained on Google Play until as late as 17 November, the researchers said on Monday. They said the apps had been downloaded by thousands of users.

Credential theft

“Instead of bringing light, joy and convenience into their users’ lives, the dark intention of these apps has been to spy on users, collect their bank login details and steal their money,” the researchers said in their advisory.

BankBot attempts to steal users’ banking login credentials by drawing an overlay window on top of mobile banking apps’ login screens. The window is tailored to exactly match any one of dozens of legitimate banking apps, including those from Wells Fargo, Chase and Citibank in the US, Credit Agricole in France, Santander in Spain and Commerzbank in Germany.

The researchers partially decrypted a list of 160 mobile apps found within the malware, identifying 132 of them, which are listed in the advisory.

BankBot is also capable of intercepting text messages, enabling it to thwart the two-factor authentication systems used by many European banks.

This capability means hackers can steal an authentication code sent by a bank to the user’s smartphone and use it to authorise a transfer of funds.

But the malware isn’t active in Ukraine, Belarus or Russia, likely to avoid attracting the attention of law enforcement authorities in those countries, researchers said.

The BankBot developers are remarkable in having circumvented Google Play’s malware detection systems a number of times this year.

Tricking Google Play

The latest version waits two hours after obtaining administrator privileges to a device before beginning its malicious activities, which researchers said was probably a technique to avoid detection by Google. The apps have also been published under a number of different developer names.

BankBot was previously reported on Google Play in April and September. At the beginning of November researchers at RiskIQ found a version that concealed itself as an app for tracking the market price of virtual currencies.

BankBot appeared in flashlight apps on Google Play. Credit: Avast

The apps used as camouflage deliver real functionality – another ploy for evading detection, researchers said.

Upon initial installation BankBot requests a number of intrusive permissions, and it then downloads additional software which poses as an official Google update and requests administrator rights, researchers said.

Devices must be configured to accept installations from third-party app stores or the installation will fail, they said.

Background clicks

Previous versions used techniques such as performing clicks in the background via an Android Accessibility Service to enable app installation from unknown sources, but Google blocked that feature for most apps earlier this autumn, meaning it can no longer be used by BankBot.

Researchers released a video in which the app can be seen drawing a malicious interface for the Czech Airbank mobile application, which appears milliseconds after the launch of the real app.

They recommended installing apps only from trusted sources and examining the permissions of software when it’s installed on a device.
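
One way to act on the recommendation to examine permissions, as an added example that is not from the advisory or the researchers: a Python check over a decoded AndroidManifest.xml that flags requests matching the capabilities described in this article. The permission-to-capability mapping, the function names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; mapping them to the behaviours described
# in the article is an assumption made for this example.
CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "sms_interception",
    "android.permission.READ_SMS": "sms_interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_window",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs_other_apps",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
}

def capabilities(manifest_xml):
    """Return the set of sensitive capabilities a decoded manifest asks for."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # <uses-permission> entries: what the app requests for itself.
    for node in root.iter("uses-permission"):
        cap = CAPABILITIES.get(node.get(ANDROID_NS + "name"))
        if cap:
            found.add(cap)
    # <receiver>/<service> guarded by a BIND_* permission: components the
    # system binds to once the user grants admin or accessibility rights.
    for tag in ("receiver", "service"):
        for node in root.iter(tag):
            cap = CAPABILITIES.get(node.get(ANDROID_NS + "permission"))
            if cap:
                found.add(cap)
    return found

def triage(manifest_xml, expected=frozenset()):
    """Capabilities beyond what the app's stated purpose needs, sorted."""
    return sorted(capabilities(manifest_xml) - set(expected))

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flashlight app has no stated need for any of the flagged capabilities, so a non-empty result is a reason to look more closely before installing.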

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
