Android HijackRAT poised to hit mobile banking users

A highly versatile piece of Android malware has been unearthed by FireEye researchers.

Posing as “Google Service Framework”, the malicious app is capable of stealing phone and user information as well as banking credentials, and it gives the malware peddler remote access to the device. In addition to all this, it’s also able to kill a range of AV apps.

Currently, this “framework to conduct bank hijacking” is targeting only customers of eight South Korean banks, but the malicious developer could easily target more in the future, and not just in South Korea.

Once installed on the device, the malware – dubbed HijackRAT by the researchers – tries to pass itself off as the legitimate Google Services Framework app. Once run, the “Google Services” icon appears on the home screen.

When the user tries to run that, the app asks for administrative privilege. Users who grant it will find it impossible to uninstall the app unless they revoke these privileges in the device’s settings. Also, a pop-up saying “App isn’t installed” will appear, and the “Google Services” icon will disappear.
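The masquerade described above leaves signals a defender can check in an app inventory. The following is an added example, not code from FireEye or from the original article: it assumes a hypothetical inventory export (for instance from an MDM tool) with the fields `package`, `label`, `device_admin` and `launcher_icon`, and it assumes `com.google.android.gsf` and `com.google.android.gms` are the genuine Google packages for these labels.

```python
import re

# Assumption: packages that legitimately carry a "Google Services" style label.
GENUINE_GOOGLE_PACKAGES = {"com.google.android.gsf", "com.google.android.gms"}

# Labels the article attributes to the malware: "Google Service Framework",
# "Google Services Framework" and the "Google Services" icon text.
IMPERSONATED_LABEL = re.compile(r"^google\s+services?(\s+framework)?$", re.IGNORECASE)


def triage_inventory(inventory):
    """Return (package, reasons) for every app that borrows the Google label."""
    findings = []
    for app in inventory:
        label = " ".join(app["label"].split())  # collapse stray whitespace
        if not IMPERSONATED_LABEL.match(label):
            continue
        if app["package"] in GENUINE_GOOGLE_PACKAGES:
            continue  # the real framework, not an impostor
        reasons = ["label impersonates Google services"]
        if app.get("device_admin"):
            reasons.append("holds device administrator rights")
        if not app.get("launcher_icon", True):
            reasons.append("launcher icon hidden")
        findings.append((app["package"], reasons))
    return findings


# Constructed sample inventory; package names under com.example are placeholders.
SAMPLE_INVENTORY = [
    {"package": "com.google.android.gsf", "label": "Google Services Framework",
     "device_admin": False, "launcher_icon": False},
    {"package": "com.example.fakeframework", "label": "Google Service Framework",
     "device_admin": True, "launcher_icon": False},
    {"package": "com.example.notes", "label": "Notes",
     "device_admin": False, "launcher_icon": True},
]

if __name__ == "__main__":
    for package, reasons in triage_inventory(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```

An app flagged with all three reasons matches the behaviour reported here; its device administrator rights have to be revoked in the device's settings before it can be uninstalled.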

The malware contacts its C&C server (currently located in Hong Kong), and receives a list of tasks from it. These “orders” can include the exfiltration of phone details, contact lists, and the contents of text messages.

Another command orders the app to replace bank apps on the device if it finds one of the eight aforementioned apps.

“The eight banking apps require the installation of ‘com.ahnlab.v3mobileplus,’ which is a popular anti-virus application available on Google Play. In order to evade any detections, the malware kills the anti-virus application before manipulating the bank apps,” the researchers explained.

The RAT then pops up a window with the message: “The new version has been released. Please use after reinstallation.” It will then try to download the “update” for the app, while simultaneously uninstalling the legitimate bank app.

“So far the part after the installation of the fake app is not finished yet,” the researchers noted, positing that the hacker is having some trouble concluding his work.

But, “given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon,” they warn.
