New Android malware found to be self-updating, remote-controlled Trojan
A new self-updating, remote-controlled Trojan malware is out to steal banking data, and is targeting devices running Google's Android platform.
Computer security firm McAfee said the malware distinguishes itself from other malware like Zeus and SpyEye by combining man-in-the-middle and remote-control capabilities.
"(This new Android malware) has the man-in-the-middle functionality but, unlike Zeus and SpyEye, also can be controlled remotely and can grab the initial password from a mobile device without infecting the user’s PC," researcher Carlos Castillo said in a blog post.
McAfee Mobile Security detects this threat as Android/FakeToken.A, he said.
Castillo said the new app targets specific, well-known financial institutions by posing as a token-generator application.
Once installed, the malware uses the targeted bank's logo and colors in the application icon, making it appear more credible to the user.
"When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (same variant of the malware but with different payload)," he added.
To get the fake token, the user must enter the first factor of authentication used to obtain initial access to the banking account.
If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI).
The same information is also sent to one of the control servers along with further data such as the phone number of the device.
The malware reads its list of control servers from an XML file inside the original APK. This information, along with the malware's other parameters, is loaded and stored in another XML file on the device.
Man-in-the-middle attack
Castillo said the first two lists are used to run the man-in-the-middle attack because they filter the incoming SMS messages to get only the ones that have mTANs.
If the originating address and message body are found in the “catch” list, the content is sent to the default control server.
The SMS can also be forwarded to the number specified in the XML if it is configured in the “catch” list with the attribute “toSms.”
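The configuration described above (a list of control servers plus a "catch" list of sender/body rules with an optional "toSms" forwarding number) is exactly what an analyst wants to pull out of a sample for blocklisting and sinkholing. The following is an added example, not code from the article or from McAfee: a small triage parser that extracts those indicators from such a file. The article does not give the real XML layout, so the element and attribute names (config, servers, server/url, catch, rule/from, rule/body, rule/toSms) and the sample content are assumptions constructed for the example.

```python
"""Triage helper: extract indicators from a FakeToken-style XML configuration.

The schema below is hypothetical (constructed for this example); the article
only says that the file carries the control-server list and a "catch" list
whose entries match SMS sender and body and may carry a "toSms" attribute.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample configuration; hosts use the reserved .invalid TLD and
# the phone number is a placeholder, so nothing here is a real indicator.
SAMPLE_CONFIG = """<config>
  <servers>
    <server url="http://c2.example.invalid/gate.php"/>
    <server url="http://backup.example.invalid/gate.php"/>
  </servers>
  <catch>
    <rule from="BANK" body="clave" toSms="+0000000000"/>
    <rule from="1234" body="token"/>
  </catch>
</config>"""


@dataclass
class CatchRule:
    sender: str            # originating address the rule matches on
    body: str              # substring the SMS body must contain
    forward_to: Optional[str]  # "toSms" number, if the rule forwards the SMS


@dataclass
class Indicators:
    servers: List[str]
    catch_rules: List[CatchRule]
    forward_numbers: List[str]


def parse_config(xml_text: str) -> Indicators:
    """Parse the (hypothetical) config and return the indicators it carries.

    ElementTree does not resolve external entities, so feeding it an
    untrusted sample config is safe offline.
    """
    root = ET.fromstring(xml_text)
    servers = [s.attrib["url"].strip()
               for s in root.iter("server") if s.attrib.get("url")]
    rules = [CatchRule(sender=r.attrib.get("from", "").strip(),
                       body=r.attrib.get("body", "").strip(),
                       forward_to=r.attrib.get("toSms"))
             for r in root.iter("rule")]
    forward_numbers = sorted({r.forward_to for r in rules if r.forward_to})
    return Indicators(servers, rules, forward_numbers)


def control_hosts(indicators: Indicators) -> List[str]:
    """Unique hostnames of the control servers, ready for a DNS blocklist."""
    hosts = {urlsplit(url).hostname for url in indicators.servers}
    return sorted(h for h in hosts if h)


def report(indicators: Indicators) -> str:
    """Human-readable triage summary of the extracted indicators."""
    lines = ["control hosts:"] + ["  " + h for h in control_hosts(indicators)]
    lines.append("sms forwarding numbers:")
    lines += ["  " + n for n in indicators.forward_numbers] or ["  (none)"]
    lines.append("catch rules:")
    for r in indicators.catch_rules:
        target = r.forward_to or "server only"
        lines.append(f"  from={r.sender!r} body~{r.body!r} -> {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_config(SAMPLE_CONFIG)))
```

The same parser applied to the on-device copy of the configuration would reveal any servers or numbers pushed by a later update, which is why both the APK-embedded file and the stored copy are worth collecting during incident response.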
"As soon as the initial registration is done, the malicious application creates a scheduled system event to program the execution of itself at some point in the future," Castillo said.
Other interesting commands that add self-update or spyware capability to the malware include:
- sendContactList: Obtains the list of contacts stored in the device (name and number) and uses an open-source framework to serialize the list of contacts to send them to the control server.
- updateUrl: Contains the URL used to download an APK file in the download folder of the SD card. The APK could be an update of the same malware or another malicious application.
"The Android malware that targets financial entities is in constant evolution: From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update itself to, for example, modify a phishing attack to get other required credentials–such as the name or the ID number of the user–to perform electronic fraud," Castillo said.
"Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear," he added. — TJD, GMA News