Android Malware BrazKing Makes a Comeback as a Stealthier Banking Trojan

With dynamic banking overlays and a new implementation trick, the BrazKing Android banking malware has returned.


The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation trick that allows it to operate without requesting potentially dangerous permissions. IBM Trusteer researchers analyzed a new sample they discovered outside the Play Store, on sites that victims land on after receiving smishing (SMS phishing) messages. These HTTPS sites tell potential victims that their Android version is outdated and offer an APK that supposedly updates them to the most recent version.

In its previous version, BrazKing abused the accessibility service to determine which app the user had opened. When it recognized the launch of a targeted banking app, it displayed an overlay screen pulled from a hardcoded URL on top of the real app. The new version instead makes a live call to the attacker's server to request those matches: the malware sends on-screen content to the C2 at regular intervals, and the decision about which app is in use is made server-side. Credential grabbing is therefore triggered by the C2 server rather than by the malware on its own.

The added agility is that the attacker can choose to proceed with, or withhold, the next action based on the victim's IP address (Brazilian or otherwise) or on whether the malware is running in an emulator. Because the server controls what is returned, the target list can be changed at any time without modifying the malware.

To display its overlay, BrazKing loads the fake screen's URL received from the C2 into a WebView inside a new window. (Android System WebView is the component that lets apps render web content without the user leaving the app.) When it adds that WebView from within the accessibility service, BrazKing uses TYPE_ACCESSIBILITY_OVERLAY as the window type; this is the implementation trick that lets it draw over other apps without requesting a separate overlay permission.

In the new version, BrazKing obfuscates its internal resources by XORing them with a hardcoded key and then Base64-encoding the result. Analysts can reverse these steps quickly, but the obfuscation still helps the malware evade detection once it is installed on the victim's device. If the user tries to uninstall the malware, it rapidly taps the 'Back' or 'Home' buttons to interrupt the attempt.
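The XOR-then-Base64 scheme described above is exactly the kind of obfuscation an analyst undoes in minutes. The following Python is an added example written for this page, not code from the article or from the malware: it reproduces the scheme on constructed sample strings, shows the decoder, and goes one step further than the text by recovering the leading key bytes from a known plaintext prefix (such as `https://`), which is how an analyst can confirm a key pulled from decompiled code. The key, the resource strings and the `example.invalid` hostname are all constructed placeholders; BrazKing's real key is not published in the article.

```python
import base64
import binascii
from itertools import cycle

# Constructed sample key: the article does not publish BrazKing's real key.
SAMPLE_KEY = b"k3y-placeholder"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: the same call encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Apply the scheme as the article describes it: XOR with a hardcoded key, then Base64."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Reverse it: Base64-decode (strict alphabet check), then XOR with the same key."""
    return xor_with_key(base64.b64decode(blob, validate=True), key)


def recover_key_prefix(blob: str, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery of the leading key bytes.

    If an analyst expects a decoded resource to start with known_prefix (for example
    b'https://' for a C2 URL), then key[i] = raw[i] ^ known_prefix[i] for each covered
    position. The result can be checked against a key candidate found in decompiled code.
    """
    raw = base64.b64decode(blob, validate=True)
    return bytes(r ^ p for r, p in zip(raw, known_prefix))


def looks_like_text(data: bytes) -> bool:
    """Heuristic: a correctly decoded resource is printable ASCII (URLs, class names)."""
    return len(data) > 0 and all(32 <= b < 127 for b in data)


def decode_candidates(candidates, key: bytes) -> dict:
    """Decode every candidate Base64 string pulled from a decompiled sample.

    Keeps only candidates that become printable text under the key and silently skips
    strings that are not valid Base64, so the function can be run over a noisy string dump.
    """
    results = {}
    for blob in candidates:
        try:
            plain = deobfuscate(blob, key)
        except (binascii.Error, ValueError):
            continue  # not Base64 at all, e.g. an ordinary string literal
        if looks_like_text(plain):
            results[blob] = plain.decode("ascii")
    return results


# Constructed sample resources standing in for the strings an analyst would find.
SAMPLE_RESOURCES = [
    b"https://c2.example.invalid/overlay",
    b"android.permission.BIND_ACCESSIBILITY_SERVICE",
    b"com.example.bank.placeholder",
]
SAMPLE_BLOBS = [obfuscate(r, SAMPLE_KEY) for r in SAMPLE_RESOURCES]


if __name__ == "__main__":
    # Confirm the key from a blob expected to hold a URL, then decode the whole dump.
    print("recovered key prefix:", recover_key_prefix(SAMPLE_BLOBS[0], b"https://"))
    for blob, text in decode_candidates(SAMPLE_BLOBS + ["not base64!!"], SAMPLE_KEY).items():
        print(blob, "->", text)
```

`decode_candidates` is written to run over a raw string dump from a decompiler, which is why it tolerates non-Base64 input and filters on printability rather than assuming every candidate is an obfuscated resource.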

It does the same when the user tries to launch an antivirus app to scan for and remove the malware. As Android's security tightens, malware developers quickly adapt to deliver stealthier versions of their tools, as BrazKing's progression shows.