Today, we're going to talk about a rather clever banking malware which, instead of camouflaging itself as a particular app, identifies a running bank app and then overlays a customized fake login page on top of the real bank app's login screen.
What is this malware and how does it work?
Introducing Android.Fakelogin (which currently does not affect devices running Android 6.0 Marshmallow). This malware decides exactly which phishing bank page to display by consulting cloud-based logic hosted on a remote command and control (C&C) server.
Initially, this Trojan arrives as the payload of downloader malware that targets Android devices. The downloader may be disguised as a legitimate app (a game or something else) and attempts to download and install further malicious apps on the infected device.
Once installed, the malware tries to register itself as a device administrator and to replace the user's default messaging app.
[Figure: Android.Fakelogin attempts to replace the user's default messaging app]
If this succeeds, the malware hides its app icon from the user to avoid detection and removal, and then proceeds to steal the user's data.
The Trojan downloads a list of application package names from the C&C server and saves it as a preference file. It then scans the apps installed on the infected device, and if an app matches a name on the server's list, the Trojan sends the matched package name back to the server. The server replies with a phishing page tailored to the targeted app. Because the phishing pages live on the server, this Trojan does not need to be updated each time a targeted bank changes its app's format or appearance: only the server-side page has to change.
When the user opens the targeted app, the Trojan uses a WebView to overlay the customized phishing page on top of the legitimate app's interface, captures the login credentials the user types into it, and sends them to the attacker's remote server.
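To make the cloud-based targeting concrete, here is an added simulation of the client/C&C exchange described above. It is example code written for this post, not code from the Symantec analysis or from the malware itself: the package names, the target list, the preference-file format, the JSON report message and the phishing templates are all constructed and hypothetical, as is the small defender-side heuristic at the end that flags an outbound report listing banking package names.

```python
"""Simulation of the Android.Fakelogin targeting flow (constructed example).

Everything here is hypothetical: the real protocol, file format and
package names are not on the page. The point is the division of labour:
the client only matches installed packages against a server-supplied
list, while the server decides which phishing page to serve.
"""
import json

# Hypothetical target list the C&C hands out (constructed sample).
CNC_TARGET_LIST = [
    "com.examplebank.mobile",
    "com.otherbank.app",
    "com.thirdbank.wallet",
]

# Hypothetical server-side phishing templates keyed by package name.
# Note that not every listed target has a page: the server can add one
# later without touching the client at all.
CNC_PHISHING_PAGES = {
    "com.examplebank.mobile": "<html><form>ExampleBank login</form></html>",
    "com.otherbank.app": "<html><form>OtherBank login</form></html>",
}


def cnc_get_target_list():
    """Server side: hand the client the package names to look for."""
    return list(CNC_TARGET_LIST)


def cnc_get_phishing_page(package_name):
    """Server side: return the page for a reported package, or None."""
    return CNC_PHISHING_PAGES.get(package_name)


def save_preferences(target_list):
    """Client side: persist the list as a preference blob (JSON assumed)."""
    return json.dumps({"targets": target_list})


def load_preferences(blob):
    return json.loads(blob)["targets"]


def find_targets(installed_packages, prefs_blob):
    """Client side: intersect installed apps with the saved target list."""
    targets = set(load_preferences(prefs_blob))
    return sorted(p for p in installed_packages if p in targets)


def build_report(matched):
    """Client side: the message sent back to the C&C (format assumed)."""
    return json.dumps({"matched": matched})


def fetch_overlay_pages(installed_packages):
    """Full client flow: download list, save it, scan, report, receive pages."""
    prefs = save_preferences(cnc_get_target_list())
    matched = find_targets(installed_packages, prefs)
    report = build_report(matched)
    pages = {}
    for pkg in json.loads(report)["matched"]:
        page = cnc_get_phishing_page(pkg)
        if page is not None:          # server may have no page yet
            pages[pkg] = page
    return matched, pages


def should_overlay(foreground_package, pages):
    """Return the page to load in the WebView when a targeted app is in
    the foreground, or None if the current app is not targeted."""
    return pages.get(foreground_package)


def looks_like_target_report(body, known_bank_packages):
    """Defender-side heuristic (hypothetical): flag an outbound body that
    reports installed banking package names to a remote host."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    reported = data.get("matched", [])
    return any(pkg in known_bank_packages for pkg in reported)
```

Running `fetch_overlay_pages` over a constructed installed-app list yields the matched packages plus pages only for those the server has templates for; `should_overlay` then returns the template for a targeted foreground app and `None` for anything else. The `looks_like_target_report` check is the kind of signal a network-side detector could use, since the package-name report is the one message the client must send before any overlay appears.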
Article Ref: http://www.symantec.com/connect/blogs/android-banking-trojan-delivers-customized-phishing-pages-straight-cloud