A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild.
The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations.
"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up.
Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.
In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals.
Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes.
"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.
The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.
