This malware disguises itself as a banking app to steal info from Android devices
Mobile banking customers in Brazil are once again being targeted with malware that can take over their devices, exfiltrate sensitive data and ultimately perform wire fraud.
This is according to a new report from cybersecurity researchers ThreatFabric, who recently spotted the campaign and wrote a technical analysis as a warning. As per the researchers, threat actors known as DukeEugene were sending out phishing emails, in which they tricked the recipients into downloading a dropper for Android, called Rocinante.
This dropper, usually impersonating banking apps and telecommunications firms such as Itaú Shop, Santander, Bradesco Prime, or Correios Celular, asks for permissions upon installation, including the dreaded Accessibility Service. Generally speaking, Accessibility Service permissions are reserved for system apps only, and if a commercial app asks for them, it’s usually a red flag signaling potential malware.
Abusing Accessibility Services
If the victim grants these permissions, they can expect to lose sensitive data, and give the attackers control over their mobile device, since in many cases the malware can serve fake bank login pages:
“This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks,” ThreatFabric said in its report. “Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device.”
The stolen data gets exfiltrated to a Telegram bot, the researchers further explained, where it’s served to the attackers in plaintext, ready to be used.
“The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to,” ThreatFabric said. “The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number.”
A Google spokesperson provided TechRadar Pro with a statement on the situation: “Based on our current detection, no apps containing this malware are found on Google Play. All Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
“Android users in Brazil are also protected by the pilot of enhanced fraud protection with Google Play Protect,” the statement concluded.
Via The Hacker News
More from TechRadar Pro
link