Cue in AndroidOS_Marchcaban.HBT, one of the latest banking malware families discovered in 2015.
This malware arrives through spam email. A user receives a fake PayPal email in their spam folder telling them to install a PayPal app update through a link in the message. Users should be wary, for three reasons. Point A: why would a PayPal message land in your spam folder? Point B: the sender's email address is NOT an official PayPal address. Point C: if the user clicks the download button, it does NOT lead to an official Google Play Store app page; in other words, the app is NOT hosted on Google Play.
*Image: sample fake email from PayPal*
This Trojan not only disguises itself as a fake PayPal app; it also impersonates other high-profile European banks, notably Commerzbank.
Let's get technical!
When the user proceeds to download and install the app, the malware requests Device Administrator rights and other permissions that a PayPal app does not need. It then creates a legitimate-looking PayPal app icon in the infected device's Application Manager.
*Image: the app's list of permission requests*
This Trojan has a trick up its sleeve. Even if the user cancels the activation and does not grant the app Administrator rights, the Trojan hides its icon from the home screen and the launcher and keeps running in the background.
The Trojan then monitors activity on the infected device. If it detects that the user has opened the real PayPal app, it hijacks that app by placing a fake PayPal UI over it in order to steal the user's PayPal credentials. It also intercepts and filters the user's SMS messages so that its activity goes unnoticed, and it can initiate phone calls on commands received in SMS messages from the malware's operator.
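As an added triage example (not code from the original post or from Trend Micro's analysis), the script below reads an Android manifest and flags the things described above in an app that labels itself as PayPal: SMS, call and overlay permissions a payment client does not need, a device-admin receiver, and a package name that does not match the genuine app. The sample manifest is constructed, and the genuine PayPal package name is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that are red flags in an app posing as a payment client, with the
# behaviour each one enables (SMS interception, calls on command, overlays).
SUSPICIOUS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place phone calls on command",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw a fake UI over other apps",
    "android.permission.GET_TASKS": "monitor which app is in the foreground",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (not the real malware's), modelled on the behaviour described.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.paypal.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="PayPal">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Assumed package name of the genuine PayPal Android app.
GENUINE_PACKAGES = ("com.paypal.android.p2pmobile",)


def triage_manifest(xml_text, claimed_brand="PayPal", genuine_packages=GENUINE_PACKAGES):
    """Return a list of findings for a manifest of an app presenting itself as `claimed_brand`."""
    root = ET.fromstring(xml_text)
    findings = []
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    # Brand in the label but an unknown package name: impersonation, not an update.
    if claimed_brand.lower() in label.lower() and package not in genuine_packages:
        findings.append(f"label '{label}' claims {claimed_brand} but package is {package}")
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPICIOUS:
            findings.append(f"{name}: {SUSPICIOUS[name]}")
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks for Administrator rights.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION:
            findings.append("device-admin receiver: app requests Administrator rights")
    return findings
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the five findings for the constructed sample; a genuine package with no such permissions yields an empty list.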
Article Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/german-users-hit-by-dirty-mobile-banking-malware-posing-as-paypal-app/