Fake Banking Rewards Apps Install RAT to Steal Information on Android Phones
The Microsoft 365 Defender Research Team has published its findings on a new version of a previously reported information-stealing Android malware, highlighting how quickly the operators behind such campaigns keep adding capabilities.
According to Microsoft researchers, the malware is being delivered in a currently active SMS campaign and masquerades as a bank rewards app. The campaign's primary target is Indian banking customers. It begins with SMS messages carrying a URL that lures the recipient into downloading the malware.
Once installed and opened, the app displays a splash screen with the bank's logo and then asks the user to grant it a set of permissions.
The infection chain starts with an SMS message asking the recipient to claim a reward from an Indian bank. The message contains a malicious link that sends the user to download the fake bank rewards application. Microsoft Defender detects the app as TrojanSpy:AndroidOS/Banker.O.
Based on open-source intelligence, the app's C2 server is linked to 75 other malicious APKs. The research team identified many other campaigns targeting Indian banking customers, including:
Their research revolved around icici_rewards.apk, which presents itself as ICICI Rewards. The link in the SMS message leads the recipient to download the APK, which is installed on the device once the user approves it. After installation, a splash screen showing the bank logo prompts the user to enable specific permissions for the app.
According to Microsoft's blog post, what makes this new version different is the addition of remote access trojan (RAT) capabilities, together with more effort to hide its activity on the device. The RAT features let attackers intercept device notifications, including incoming SMS messages, which is how they capture the 2FA one-time codes that banks send to the user's phone.
The malware can exfiltrate every SMS message on the device along with other data such as one-time passwords (OTPs) and personally identifiable information (PII), which attackers can then use against the victim's email and other accounts.
The malware runs in the background through three Android components, the MainActivity activity, the AutoStartService service and the RestartBroadCastReceiverAndroid broadcast receiver, which execute its routines and restart them as needed so that it persists on the device.
MainActivity, the launcher activity, is started first to display the splash screen; its onCreate() callback checks the device's internet connection and records the timestamp of the malware's installation. Permission_Activity then issues the permission requests and afterwards starts AutoStartService, the malware's main handler, and login_kotak.
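The permission and component pattern described above (SMS reading permissions, a receiver that re-arms the malware on boot, a background service) is something an analyst can check for statically before running the sample. The script below is an added example for this page, not Microsoft's tooling or code from the malware: it parses a decoded AndroidManifest.xml (as apktool or androguard emit it) and reports whether the app can intercept SMS, persist across reboots, or read notifications, and calls the combination of the first two "banker-like". Both manifests are constructed; only the component names MainActivity, Permission_Activity, AutoStartService and RestartBroadCastReceiverAndroid come from the report, while the SmsReceiver component, the package names and the permission list are assumptions.

```python
# Static triage of a decoded AndroidManifest.xml for SMS interception plus
# boot persistence, with an optional notification listener. Added example,
# not Microsoft's or the sample's code; manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree keys android:foo as "{ns}foo"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(xml_text):
    """Return the manifest's capability findings and a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms_receivers, boot_receivers, findings = [], [], []

    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                # A high android:priority lets this receiver see the SMS
                # before the default messaging app does.
                prio = flt.get(A + "priority", "default")
                sms_receivers.append("%s (priority %s)" % (name, prio))
            if BOOT_ACTION in actions:
                boot_receivers.append(name)

    # Reading SMS needs both permissions and a registered receiver.
    intercepts_sms = SMS_PERMS <= perms and bool(sms_receivers)
    if intercepts_sms:
        findings.append("SMS interception via " + ", ".join(sms_receivers))

    # BOOT_COMPLETED is only delivered if the permission is declared too.
    persists_on_boot = BOOT_PERM in perms and bool(boot_receivers)
    if persists_on_boot:
        findings.append("boot persistence via " + ", ".join(boot_receivers))

    # A notification listener sees OTPs pushed by any messaging app.
    listeners = [s.get(A + "name") for s in root.iter("service")
                 if s.get(A + "permission") == NOTIF_PERM]
    if listeners:
        findings.append("notification listener " + ", ".join(listeners))

    if intercepts_sms and persists_on_boot:
        verdict = "banker-like"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "intercepts_sms": intercepts_sms,
            "persists_on_boot": persists_on_boot,
            "notification_listener": bool(listeners),
            "findings": findings, "verdict": verdict}


# Constructed manifest modelled on the components named in the report
# (package name, SmsReceiver and permission list are assumed).
FAKE_REWARDS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.icici_rewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="ICICI Rewards">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Permission_Activity"/>
    <service android:name=".AutoStartService"/>
    <receiver android:name=".RestartBroadCastReceiverAndroid">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: one permission, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_REWARDS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["findings"])
```

The verdict deliberately requires both SMS interception and boot persistence before calling a manifest "banker-like": a legitimate messaging app declares the SMS permissions and a launcher declares BOOT_COMPLETED, but an app that claims to be a rewards programme and needs both, with a high-priority SMS receiver, is worth pulling apart further. Anything that matches only one indicator is returned as "review" rather than dismissed.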
This malware’s continued evolution highlights the need to protect mobile devices. Its broader SMS stealing capabilities could allow attackers to steal data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS impedes the protection provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions secure.
Microsoft 365 Defender Research Team
To reduce exposure, Android users should keep installation from unknown sources disabled; on current Android versions this is the per-app "Install unknown apps" permission, so the browser or messaging app that opened the link should not hold it. They should install apps only from trusted stores, refuse SMS and notification access to apps that have no business reading messages, and use a reputable mobile security product that can detect malicious apps.