Showing posts with label Android Banking Trojan.

Google Authenticator Codes for Android is Targeted by Nefarious Escobar Banking Trojan

 


The 'Escobar' banking trojan is not a brand-new family but a new variant of Aberebot, and its headline feature is the theft of Google Authenticator multi-factor authentication codes. 

The malware, which uses the package name com.escobar.pablo, is the latest version of Aberebot; researchers at the security firm Cyble found it advertised on a cybercrime forum. Its feature set includes remote viewing of the screen over VNC, phishing overlays, screen capture, SMS interception and capture of multi-factor authentication codes. 

All of these features serve one goal: stealing the victim's financial data. The malware also impersonates McAfee antivirus software, using the McAfee logo as its icon. Posing as security software is common for Android malware; in a recent case a banking trojan was found embedded in a fully functional two-factor authentication app. 

The author is renting the beta version to at most five customers for $3,000 per month, with a free three-day trial of the bot; once development is complete, the price is expected to rise to $5,000. 

Even where Android restricts overlay injection, the malware has enough other capabilities to remain effective across Android versions. In the most recent version the authors expanded the target list to 190 banks and financial institutions across 18 countries. 

The malware requests 25 permissions, 15 of which it abuses: among them accessibility services, audio recording, reading SMS, reading and writing storage, enumerating accounts, disabling the keyguard, placing calls and reading the precise device location. Everything it captures (SMS, call logs, keystrokes, notifications and Google Authenticator codes) is sent to the C2 server. 
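As an added example (not code from Cyble's report or from the malware itself), the following Python script performs the static check an analyst would run on a decoded AndroidManifest.xml to spot this permission pattern: it lists the requested permissions, flags those the post names as abused, and detects a declared accessibility service, which is what powers overlays and 2FA theft in Escobar and in the other trojans on this page. The manifest in the script is constructed for illustration; it reuses the package name and McAfee label the post reports but is not the real app's manifest.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission pattern
used by overlay / 2FA-stealing Android banking trojans.
Added example, not Cyble's or the malware author's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions the post names as abused by Escobar, mapped to the capability each enables.
ABUSED_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_SMS": "SMS / OTP capture",
    "android.permission.RECEIVE_SMS": "SMS / OTP capture",
    "android.permission.READ_EXTERNAL_STORAGE": "storage access",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage access",
    "android.permission.GET_ACCOUNTS": "account list harvesting",
    "android.permission.DISABLE_KEYGUARD": "disabling the lock screen",
    "android.permission.CALL_PHONE": "placing calls",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.SYSTEM_ALERT_WINDOW": "drawing overlays over other apps",
}


def declares_accessibility_service(root):
    """True if a <service> is guarded by BIND_ACCESSIBILITY_SERVICE and
    registers the AccessibilityService intent action, which is how a real
    accessibility service must be declared."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != ACCESSIBILITY_PERMISSION:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            return True
    return False


def triage_manifest(manifest_xml):
    """Return the requested permissions, the abused subset and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = sorted(el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))
    abused = {p: ABUSED_PERMISSIONS[p] for p in requested if p in ABUSED_PERMISSIONS}
    accessibility = declares_accessibility_service(root)
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    sms = any(p.endswith("_SMS") for p in abused)
    overlay = accessibility or "android.permission.SYSTEM_ALERT_WINDOW" in abused
    # Accessibility + SMS + overlay is the banking-trojan triad; rate it highest.
    if accessibility and sms and overlay:
        verdict = "high"
    elif accessibility or sms:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package", ""),
        "label": label,
        "requested": requested,
        "abused": abused,
        "accessibility_service": accessibility,
        "verdict": verdict,
    }


# Constructed manifest for illustration: reuses the package name and McAfee
# label the post reports, but it is not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.escobar.pablo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="McAfee">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['label']} ({report['package']}): verdict={report['verdict']}")
    for perm, why in report["abused"].items():
        print(f"  abused: {perm} -> {why}")
```

Run it against the manifest `apktool d` produces for a suspect APK. The verdict is a triage hint, not proof: a legitimate screen reader also declares an accessibility service, which is why the script weights the combination of accessibility, SMS and overlay permissions rather than any single one.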

It is too early to judge how popular Escobar will become among criminals, especially at that price. Its capabilities, however, have grown to the point where it can be used against a much wider range of targets. 

As a general rule, not installing APKs from outside Google Play, using a mobile security app and keeping Google Play Protect enabled will reduce the chances of infection by Android trojans.

A New Android Banking Trojan Targeting Europeans is Spreading Through Google Play Store

 

A new Android banking trojan with more than 50,000 installations has been found being distributed through the official Google Play Store, targeting 56 European banks and stealing sensitive data from infected devices. Dubbed Xenomorph by Dutch security firm ThreatFabric, the still-in-development malware is reported to share similarities with the Alien banking trojan while being "radically different" in terms of functionality. 

Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA stealing features, emerged shortly after the well-known Cerberus malware was shut down in August 2020. Other Cerberus forks have been seen in the wild since then, including ERMAC in September 2021. Like Alien and ERMAC, Xenomorph gets past Google Play's review by posing as a productivity app such as "Fast Cleaner" to trick unsuspecting victims into installing it. 

Fast Cleaner, package name "vizeeva.fast.cleaner" and still listed on the Play Store at the time of the report, has been most popular in Portugal and Spain according to Sensor Tower data, having first appeared in the store at the end of January 2022. 

The malware is still under development and currently offers the bare minimum expected of a modern Android banking trojan. Its primary attack vector is the overlay attack to steal credentials, combined with SMS and notification interception to capture and use 2FA tokens. The accessibility engine that drives it, along with its infrastructure and C2 protocol, has been carefully built to be scalable and updatable. 

"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." 

The data gathered by the malware's logging is extensive; once sent to the C2 server it supports keylogging and the collection of behavioural data about the victim and the installed applications, including ones that are not on the target list. 

In the first stage, the malware sends back the list of packages installed on the device, then downloads only the overlays matching the targeted applications it found. Xenomorph's overlay target list covers banks in Spain, Portugal, Italy and Belgium, as well as general-purpose applications such as email services and cryptocurrency wallets.

Threat Actors Blanket Androids with Flubot & Teabot Campaigns

 

Researchers have found a cluster of active campaigns distributing the FluBot and TeaBot trojans through a variety of delivery methods, with threat actors using smishing and malicious Google Play apps to hit victims in different regions across the globe. 

Bitdefender Labs says it has intercepted more than 100,000 malicious SMS messages attempting to distribute FluBot since the start of December, according to a report published Wednesday. 

During the FluBot analysis, the team also found a QR code reader app, downloaded more than 100,000 times from the Google Play Store, that has distributed 17 different TeaBot variants. 

FluBot and TeaBot appeared last year as fairly straightforward banking trojans that steal banking credentials, contacts, SMS and other private data from infected devices. Their operators, however, use unusual distribution tactics that make the two families particularly nasty and wide-reaching. 
 
FluBot was first observed at scale in April, targeting Android users in the United Kingdom and Europe with malicious SMS messages urging recipients to install a "missed package delivery" app. Those campaigns showed off a feature that lets the operators use the command-and-control (C2) channel to send messages from victims' devices. 

This feature lets the operators change targets and other malware behaviour on the fly, widening their reach to a global scale without a complex infrastructure. Indeed, campaigns later in the year targeted Android users in New Zealand and Finland. 

“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report. 

“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”

Campaigns between Jan. 15 and Jan. 18 then shifted to other parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, the researchers found. 
 
The attackers also went beyond tricking users into thinking they had missed a package delivery (what Bitdefender calls "fake courier messages") to distribute FluBot. While that lure appeared in almost 52% of the campaigns observed, they also used an "is this you in this video" ruse, a spin-off of a credential-stealing scam that has circulated steadily on social media, in around 25% of observed campaigns, the researchers wrote. 

“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained. 

FluBot's operators have picked up this trick and use a variant of it in one of the observed smishing campaigns, sending victims an SMS that asks "Is this you in this video?", the researchers noted. The goal is the same as before: trick the user into installing the malware under some pretext. 

“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”
  
Among other lures, FluBot operators also sent SMS messages carrying fake browser updates and fake voicemail notifications, each in around 8% of observed campaigns, the researchers stated.

Flubot Malware Targeting Users by Masquerading as Adobe Flash Player

 

The Android malware FluBot has resurfaced with new features. The banking trojan now tricks victims by posing as Adobe Flash Player, luring users into downloading the data-stealing software. 

The trojan targeted Polish users via SMS messages asking them to click a link to watch a video. The link redirected to a page offering a fake Flash Player APK, which installs FluBot on the Android device. Once installed, the malware can steal online banking credentials, send and intercept SMS messages (including one-time passwords) and capture screenshots.

The stolen data is sent to the operators. As a second step, the malware uses the victim's device to send new smishing messages to all of their contacts, which is why it spreads so quickly. 
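The lures described in this post and in the FluBot/TeaBot campaign post above (fake courier, "is this you in this video", fake browser or Flash Player update, fake voicemail, fake security update) are regular enough that a first-pass triage of SMS text can be scripted. The Python below is an added example, not code from Bitdefender, CSIRT KNF or the malware: it classifies a message by lure family, extracts the links, flags direct APK downloads, and computes the per-lure share across a batch, which is the shape of the campaign percentages quoted above. All sample messages are constructed and use reserved `.test` domains.

```python
"""Triage of SMS text for the FluBot / TeaBot smishing lures named on this page.
Added example, not Bitdefender's or CSIRT KNF's code; messages are constructed."""
import re

# Lure families from the two FluBot posts, each with a pattern that catches
# the phrasing described there (word-boundary matches, case-insensitive).
LURES = [
    ("fake courier", re.compile(r"\b(package|parcel|delivery|shipment|courier)\b", re.I)),
    ("is this you in this video", re.compile(r"\bis (this|that) you\b.*\bvideo\b", re.I | re.S)),
    ("fake browser/Flash update",
     re.compile(r"(?=.*\b(flash player|browser|chrome|firefox)\b)(?=.*\bupdate)", re.I | re.S)),
    ("fake voicemail", re.compile(r"\b(voicemail|voice message)\b", re.I)),
    ("fake security update", re.compile(r"\b(security (update|warning)|infected|flubot)\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def classify_sms(text):
    """Return the lure families matched, the links found and a suspicion flag."""
    urls = URL_RE.findall(text)
    lures = [name for name, rx in LURES if rx.search(text)]
    # A link that hands out an APK directly is the FluBot delivery shape.
    apk_link = any(u.lower().rstrip(".,)").endswith(".apk") for u in urls)
    # A lure phrase alone is weak evidence; lure plus a link to tap is smishing.
    suspicious = bool(urls) and (bool(lures) or apk_link)
    return {"lures": lures, "urls": urls, "apk_link": apk_link, "suspicious": suspicious}


def lure_share(messages):
    """Fraction of messages carrying each lure family across a batch."""
    counts = {name: 0 for name, _ in LURES}
    for text in messages:
        for name in classify_sms(text)["lures"]:
            counts[name] += 1
    n = len(messages) or 1
    return {name: counts[name] / n for name in counts}


# Constructed messages, not real captures.
SAMPLE_SMS = [
    "Your package could not be delivered. Reschedule here: https://parcel-redelivery.test/a1",
    "Is this you in this video?? https://watch-clip.test/v/9f2",
    "Adobe Flash Player update required to play the video: https://cdn-media.test/FlashPlayer.apk",
    "New voicemail received. Listen: https://vm-inbox.test/play",
    "Reminder: dentist appointment tomorrow at 10am.",
]

if __name__ == "__main__":
    for text in SAMPLE_SMS:
        print(classify_sms(text), "<-", text)
    print(lure_share(SAMPLE_SMS))
```

The patterns are deliberately narrow; operators rotate wording constantly (the report above makes exactly that point), so in practice the link and the APK download matter more than the words, and the word lists need refreshing per campaign wave.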

Researchers from the Polish cybersecurity team CSIRT KNF advised anyone who receives suspicious texts or links asking them to install Flash Player to ignore them, not click any of the links and delete the messages immediately. 

The malware was first identified in late 2020, targeting Spanish users. In March of last year, researchers from Swiss security firm PRODAFT estimated the number of compromised devices worldwide at roughly 60,000. Since October 2021 the attackers have also used fake security updates as a lure: victims receive fake warnings that their device is infected with FluBot and are urged to install a "security update". 

With the release of version 5.2, the domain generation algorithm (DGA) received particular attention from the malware authors, since it is vital to keeping the C2 infrastructure reachable.

“In version 5.2 a new command, UPDATE_ALT_SEED, is introduced. It enables the attackers to change the DGA (domain generation algorithms) seed remotely. Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under “g” key,” reads the report published by F5 researchers. 

The feature lets operators evade DNS blocklists that defenders build to isolate the C2 infrastructure. In its latest version, FluBot's DGA uses 30 top-level domains instead of the three used previously, and the new command lets attackers change the seed remotely. On the communication side, FluBot now reaches its C2 via DNS tunnelling over HTTPS, whereas version 4.9 connected directly over HTTPS on port 443.
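To make the blocklist problem concrete, here is an added example (not FluBot's actual algorithm and not F5's code) of a seeded DGA with the same shape the post describes: a time-based input, a seed, and a pool of TLDs. It shows a defender's blocklist built from the domains of one seed dropping to zero coverage the moment an UPDATE_ALT_SEED-style change takes effect, and how coverage is restored once the new seed is recovered from the sample's shared preferences. The TLD pool, the hashing scheme and the layout of the preferences file (standard Android SharedPreferences XML with the seed stored under key "g") are assumptions for illustration.

```python
"""Why a remotely updatable DGA seed defeats domain blocklists.
Added example: this generator is a stand-in with the same shape as the FluBot
DGA described in the post, NOT the real algorithm; the TLD pool is constructed."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed TLD pool standing in for the 30 TLDs the post mentions.
TLDS = ["com", "net", "org", "info", "biz", "ru", "cn", "de", "eu", "xyz"]


def generate_domains(year, month, seed, count=5, length=15):
    """Derive `count` candidate C2 domains from the month and the seed.
    Same inputs always give the same domains, which is what lets the bot and
    the operator agree on a rendezvous point without hard-coded hostnames."""
    domains = []
    for i in range(count):
        material = f"{year}-{month:02d}-{seed}-{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def blocklist_coverage(blocklist, candidates):
    """Fraction of the candidate domains a blocklist would catch."""
    return sum(1 for d in candidates if d in blocklist) / len(candidates)


def seed_from_shared_prefs(prefs_xml):
    """Recover the seed a sample stores in its SharedPreferences under key 'g'.
    Assumes the standard Android SharedPreferences XML layout; whether the
    value is stored as <string> or <int> is an assumption, so both are read."""
    root = ET.fromstring(prefs_xml)
    for el in root:
        if el.get("name") == "g":
            value = el.get("value") if el.get("value") is not None else (el.text or "")
            return int(value.strip())
    raise KeyError("no seed under key 'g'")


# Constructed preferences file, as an analyst might pull from a sandboxed sample.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="g">1337</string>
</map>"""


def demo(year=2022, month=1, old_seed=0):
    """Blocklist coverage before the seed change, after it, and after recovery."""
    # 1. Defender builds a blocklist from domains generated with the seed seen so far.
    blocklist = set(generate_domains(year, month, old_seed))
    # 2. Operator pushes a new seed; the bot now generates from that seed.
    new_seed = seed_from_shared_prefs(SAMPLE_PREFS)
    new_domains = generate_domains(year, month, new_seed)
    # 3. The old blocklist misses every live domain until the seed is recovered
    #    from a fresh sample and the list is regenerated.
    return {
        "before_update": blocklist_coverage(blocklist, generate_domains(year, month, old_seed)),
        "after_update": blocklist_coverage(blocklist, new_domains),
        "after_reseed": blocklist_coverage(set(new_domains), generate_domains(year, month, new_seed)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson is the one the post draws: static domain blocklists lag a seed change by however long it takes to obtain and reverse a sample, so detection should also key on the transport (the new DNS-over-HTTPS channel) and on the bot behaviour rather than on hostnames alone.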

Over 300,000 Devices Compromised by Four Android Banking Trojans

 

Researchers at cybersecurity firm ThreatFabric have uncovered four different Android banking trojans that were distributed via the Google Play Store between August and November 2021 and infected more than 300,000 devices through multiple dropper apps. 

According to ThreatFabric's analysts, the dropper apps were built to deliver the Anatsa, Alien, ERMAC and Hydra banking trojans, and the campaign was refined enough that payloads were installed only on devices in specific regions, with no malware downloaded while the app was going through Play Store review. 

Once installed, these banking trojans perform classic overlay attacks to steal user passwords and SMS-based two-factor authentication codes, log keystrokes, take screenshots, and can even drain victims' bank accounts without their knowledge using an Automatic Transfer System (ATS). The apps have since been removed from the Play Store. 

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” reads the analysis published by the Threatfabric researchers. 

“VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.” 

The malicious dropper apps, with their package names, are: 

• Two Factor Authenticator (com.flowdivison) 
• Protection Guard (com.protectionguard.app) 
• QR CreatorScanner (com.ready.qrscanner.mix) 
• Master Scanner Live (com.multifuction.combine.qr) 
• QR Scanner 2021 (com.qr.code.generate) 
• QR Scanner (com.qr.barqr.scangen) 
• PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2) 
• PDF Document Scanner Free (com.doscanner.mobile) 
• CryptoTracker (cryptolistapp.app.com.cryptotracker) 
• Gym and Fitness Trainer (com.gym.trainer.jeux)
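For incident responders, the package names above are the usable indicator. The Python below is an added example (not ThreatFabric's tooling) that parses the output of `adb shell pm list packages -f -i` and reports any of the listed droppers, together with the APK path and the installer that put it there. The `pm` output it parses is constructed; the `installer=` suffix and the `~~...==` path segments follow the format modern Android prints, which is an assumption the regex is written to tolerate rather than require.

```python
"""Check a device's installed packages against the dropper package names
ThreatFabric published. Added example, not ThreatFabric's tooling."""
import re

# Name and package of each dropper, as listed above.
DROPPER_PACKAGES = {
    "com.flowdivison": "Two Factor Authenticator",
    "com.protectionguard.app": "Protection Guard",
    "com.ready.qrscanner.mix": "QR CreatorScanner",
    "com.multifuction.combine.qr": "Master Scanner Live",
    "com.qr.code.generate": "QR Scanner 2021",
    "com.qr.barqr.scangen": "QR Scanner",
    "com.xaviermuches.docscannerpro2": "PDF Document Scanner - Scan to PDF",
    "com.doscanner.mobile": "PDF Document Scanner Free",
    "cryptolistapp.app.com.cryptotracker": "CryptoTracker",
    "com.gym.trainer.jeux": "Gym and Fitness Trainer",
}

# One line per package: "package:<apk path>=<package name>", optionally followed
# by "  installer=<installer package>" when -i is given. APK paths on recent
# Android contain "==" themselves, so the path group backtracks to the last "=".
PM_LINE = re.compile(
    r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)(?:\s+installer=(?P<installer>\S+))?\s*$"
)


def parse_pm_list(output):
    """Map package name -> {"apk": path, "installer": installer or None}."""
    installed = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = {"apk": m.group("path"), "installer": m.group("installer")}
    return installed


def find_droppers(installed):
    """Return the subset of installed packages that are known droppers."""
    hits = {}
    for pkg, info in installed.items():
        if pkg in DROPPER_PACKAGES:
            hits[pkg] = {"label": DROPPER_PACKAGES[pkg], **info}
    return hits


# Constructed pm output: one system app, one benign app and two listed droppers.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/TelephonyProvider/TelephonyProvider.apk=com.android.providers.telephony  installer=null
package:/data/app/~~Qz8k==/com.qr.barqr.scangen-1/base.apk=com.qr.barqr.scangen  installer=com.android.vending
package:/data/app/~~Lm3p==/com.example.notes-2/base.apk=com.example.notes  installer=com.android.vending
package:/data/app/~~Xy7v==/com.flowdivison-1/base.apk=com.flowdivison  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, hit in find_droppers(parse_pm_list(SAMPLE_PM_OUTPUT)).items():
        print(f"DROPPER {pkg} ({hit['label']}) at {hit['apk']} installed by {hit['installer']}")
```

Two caveats follow from the post itself. First, `installer=com.android.vending` is not exculpatory here, since these apps were served by Google Play. Second, the dropper fetches the banking payload later and only for selected regions, so a device carrying one of these packages should be treated as compromised even if no second-stage package is present.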

Additionally, the researchers found multiple samples delivered by the Brunhilda dropper, which was also used to spread the Vultur trojan in July 2021. In one case they observed Brunhilda posing as a QR code creator app and dropping Hydra and ERMAC on users in the United States, a market the two families had not previously targeted.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques,” researchers concluded.