A relatively new Android Trojan family has been bringing grief to users around the world, posing as a Flash Player or WhatsApp update and stealing online banking credentials, one-time passwords (OTPs), and login credentials for popular Android apps.
FireEye researchers dubbed the family SlemBunk. They have analyzed over 170 samples of the malware they located in the wild, and found that, over time, the authors of the malware have been adding capabilities for targeting more and more financial institutions.
The latest variants are designed to imitate the legitimate apps of 33 financial management institutions and mobile payment service providers in the Asia Pacific region (many Australian banks), North America and Europe.
“When the app is launched for the first time, it activates the registered receiver, which subsequently starts the monitoring service in the background,” the researchers explained.
“On the surface it pops up a fake UI claiming to be Adobe Flash Player, or other advertised applications, and requests to be the device admin. Upon being granted admin privileges, it removes its icon from the launcher and remains running in the background. A corresponding UI requesting authentication credentials shows up when one of the specified apps is detected running in the foreground.”
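The two behaviours quoted above (obtaining device-admin rights, then removing the launcher icon) can be turned into a simple triage check on a device pulled for investigation. The following is an added example, not code from FireEye or from the report: it parses a constructed approximation of `adb shell dumpsys device_policy` output, compares the active admins against a constructed set of packages that still expose a launcher activity, and flags any admin holder that has no icon and is not on the organisation's allowlist.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output. The layout is
# approximated from real devices; the package names are invented for this example.
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.corp.mdm/.AdminReceiver:
      uid=10101
      testOnly=false
    com.example.flashupdate/.DeviceAdmin:
      uid=10177
      testOnly=false
"""

# Constructed result of a launcher-activity query (e.g. `cmd package
# query-activities -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`),
# reduced to the set of package names that still show an icon.
SAMPLE_LAUNCHER_PKGS = {"com.corp.mdm", "com.android.settings", "com.whatsapp"}

# Packages the organisation knowingly allows to hold device-admin rights.
KNOWN_ADMIN_PKGS = {"com.corp.mdm"}

# A device-admin component line: "<package>/<ReceiverClass>:" under the admins header.
ADMIN_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+)/(\S+):\s*$")


def parse_device_admins(dumpsys_text):
    """Return package names listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            m = ADMIN_LINE.match(line)
            if m:
                admins.append(m.group(1))
            elif line.strip() and not line.startswith(" " * 6):
                in_section = False  # a new, less-indented section has started
    return admins


def suspicious_admins(dumpsys_text, launcher_pkgs, known_admins):
    """Admin holders with no launcher icon that are not allowlisted.

    This is a triage heuristic mirroring the behaviour described above, not proof
    of infection; flagged packages should be pulled and examined further.
    """
    return sorted(pkg for pkg in parse_device_admins(dumpsys_text)
                  if pkg not in launcher_pkgs and pkg not in known_admins)


if __name__ == "__main__":
    for pkg in suspicious_admins(SAMPLE_DUMPSYS, SAMPLE_LAUNCHER_PKGS, KNOWN_ADMIN_PKGS):
        print("review:", pkg)
```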
The credentials victims enter into the fake login interfaces are sent to a remote C&C server. The malware also collects other information, such as device details, the phone number and a list of installed apps, as well as the login credentials of high-profile Android applications (popular social media apps, utility apps and IM apps).
“We noticed the SlemBunk authors have invested time in making sure that the look and feel of the phishing UI closely resembles that of the original,” the researchers pointed out. “In some instances, the phishing interface requests that the user type in their credentials twice rather than once. It also forces the user to go through a fake verification process, which we suspect is to increase the user’s confidence in its authenticity.”
From the C&C server, the criminals can send commands to the malware, and instruct it to do a number of things, such as block calls from specific numbers, intercept text messages, mute the device’s audio system, wipe the data partition of the infected device, and more.
The fake apps carrying the malware have not been found on Google Play. The researchers say that the victims either download them from malicious websites (recently porn websites) or sideload them.