Android users, beware: source code and instructions for creating a potent Android banking Trojan have been leaked on a hacker forum, and researchers are expecting an onslaught of malware based on it.
In fact, one has already been spotted. Masquerading as a variety of benign apps (e.g. Google Play) on third-party Android app markets, the Trojan – dubbed Android.BankBot.149.origin by Dr. Web researchers – is eminently capable. It can:
- Send and intercept text messages (including sending messages containing the text specified in a command to all contact list numbers)
- Harvest the victims’ contact list
- Track users via GPS-powered device geolocation
- Send USSD requests
- Show phishing dialogs for a number of banking, payment, IM and social networking apps (Sberbank Online, Bank of America, Visa Qiwi Wallet, PayPal, Google Play, Raiffeisenbank Online, Yandex.Money, Facebook, WeChat, Twitter, and so on – the list is long).
- Request additional permissions.
“When an SMS message arrives, the Trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original messages from the list of incoming SMS. As a result, a user could miss not only bank notifications about the unplanned transactions but also other incoming messages,” the researchers pointed out.
“Android.BankBot.149.origin uploads all the stolen data on the C&C server, and it becomes available on the administration panel. This helps cybercriminals to not only obtain the information they are interested in but also control the malicious application.”
Unsuspecting victims who install what they believe to be a benign app, but which is actually this malware, will be asked to grant it device administrator privileges. Once granted, these allow the malware to hide its icon from the home screen and make it more difficult to uninstall.
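The capability list above (SMS interception and sending, contact harvesting, geolocation, USSD requests, overlay phishing dialogs) plus the device-administrator persistence described in the previous paragraph together form a recognisable profile in an app's manifest. The following triage script is an added example, not code from the article or from Dr. Web, and it does not analyse the real Trojan: it parses an AndroidManifest.xml and flags apps whose declared permissions and receivers match that profile. The mapping from capabilities to standard Android permissions, the priority threshold for SMS receivers, the scoring rule and both sample manifests are this example's own constructions.

```python
"""Triage helper: score an Android manifest against a BankBot-style profile
(SMS interception, contact theft, geolocation, USSD, overlay phishing,
device-admin persistence). Added example; the mapping below is an assumption
based on the standard Android permission model, not on the Dr. Web report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute, namespaced by the parser
PRIORITY = f"{{{ANDROID_NS}}}priority"  # android:priority on an intent-filter

# Capability -> permissions that would grant it (this example's assumption).
CAPABILITIES = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "ussd": {"android.permission.CALL_PHONE"},          # USSD codes are dialled like a call
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},  # draws phishing dialogs over other apps
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
HIGH_PRIORITY = 999  # threshold is this example's choice; legitimate SMS apps rarely go higher


def analyze_manifest(xml_text: str) -> dict:
    """Return the capabilities found, a numeric score and a suspicious verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, granted_by in CAPABILITIES.items() if perms & granted_by}

    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        if DEVICE_ADMIN_ENABLED in actions:
            caps.add("device_admin")  # app registers a device-admin receiver
        if SMS_RECEIVED in actions:
            try:
                prio = int(flt.get(PRIORITY, "0"))
            except ValueError:
                prio = 0
            if prio >= HIGH_PRIORITY:
                caps.add("sms_first_responder")  # wants to see SMS before the messaging app

    # Device-admin persistence weighs double: it is what makes removal hard.
    score = len(caps) + (1 if "device_admin" in caps else 0)
    # Verdict rule (this example's choice): admin persistence + SMS access + a
    # way to phish (overlay) or to spread/exfiltrate (send SMS).
    suspicious = ({"device_admin", "sms_intercept"} <= caps
                  and bool({"overlay", "sms_send"} & caps))
    return {"capabilities": sorted(caps), "score": score, "suspicious": suspicious}


# Constructed sample: a fake "Play" app with the full BankBot-style profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary weather app that only needs coarse location.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fakeplay", SUSPICIOUS_MANIFEST), ("weather", BENIGN_MANIFEST)):
        print(label, analyze_manifest(manifest))
```

Run as-is to see both verdicts. The SMS receiver priority check matters because an app that wants to act on a message before the user's messaging app does must register ahead of it; combined with a device-admin receiver and overlay permission, that is the combination this Trojan relies on, and a reviewer can apply the same check to any manifest extracted from an APK.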
The malware does not feature any innovative capabilities, but that doesn’t make it any less dangerous.
And, unfortunately, past cases in which the source code of popular malware was leaked point to an inevitable surge of malware based on it.
Users would do well to be extremely careful when reviewing apps for installation, and to be wary of apps that ask for administrative privileges.