“A Trojanized Android version of the Sberbank online banking mobile application is being distributed via third-party online stores and file-sharing sites, warns Russian AV maker Dr. Web.
Sberbank is a Russian bank, the largest in the country and Eastern Europe.
The application looks and performs like the legitimate one, but in the background it harvests information about the device, and is capable of performing a host of potentially malicious actions.
“Once the compromised version is installed and run, [the malware] creates a special configuration file containing operating parameters for the Trojan,” researchers explain.
After establishing a connection to the C&C server, it sends information such as the IMEI, the name of the mobile network operator, data on the availability of a QIWI Wallet, the Trojan’s version, the currently executed command, and more.
If the malware receives a specific command, it also sends an encrypted list containing the user’s contacts to the server.
The Trojan itself has the usual capabilities, such as intercepting incoming SMS messages, sending out new ones, and adding text to incoming messages.
“Using these methods, cybercriminals can steal money from users’ bank accounts (by sending SMS commands to transfer money from the victim’s account to the account of cybercriminals or by intercepting messages containing verification codes) and implement other fraudulent schemes,” the researchers point out.
“For example, cybercriminals can plant a specially generated message informing the user that their credit card has been blocked and asking them to call the ‘bank’ at the specified number, or a message prompting the user to refill a mobile phone account of ‘a relative who got into some trouble,’ or some other message.”
So far, it seems that only around 70 users have downloaded the Trojanized app, but even that number is too high.
Mobile users should stick to downloading online banking applications only from reliable sources – official bank websites and official online app stores (Google Play in this case).”