Mobile Banking Trojan BankBot Identified, Removed From Google Play



A banking Trojan, BankBot, snuck past Google Play's protections last month to target Wells Fargo, Chase, and Citibank customers on Android devices worldwide.

An old idiom famously bills that nothing is certain, except death and taxes. More and more when it comes to mobile security, it seems as if there should be a third entry on that list: malware that can sneak past protections in Google's Play marketplace to infect Android users.

Google gave the boot to 50 apps that were armed with the mobile malware ExpensiveWall in September. The malware, downloaded between one million and 4.2 million times, charged users for sending premium SMS messages without the users’ knowledge. A month before that, in August, the company was forced to remove 500 Android apps that made it into Play after an advertising SDK called Igenix was discovered in the apps; the SDK could have let attackers install spyware on devices at will.

This week news broke that yet another strain of malware – a mobile banking Trojan dubbed BankBot – managed to infiltrate Play over the past month. Researchers with Avast and ESET published a joint report on Monday that claims apps spreading the malware first began to pop up in Play over a month ago, on October 13. While many instances were deleted, some lingered into November, others even further until just last week—November 17, according to the researchers.

Before it was finally removed, BankBot was targeting users of several high profile banks, including Wells Fargo, Chase, Citibank, and DiBa - a subsidiary of the Dutch ING banking institution, during that span. While users based in the U.S. were targeted, users in countries like Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore and the Philippines were also in attackers' sights, according to researchers.

BankBot doesn’t get to work right away; instead the malware lies in wait. That’s partially how the apps were able to persist: By making sure the malware puts off any malicious activity until two hours after the device user signs over admin rights to the app. According to Nikolaos Chrysaidos, head of mobile threat intelligence and security at Avast, the malware authors also published apps under different developer names to dissuade Google from catching on.

Once the app has been downloaded and activated it initiates a service based on a hard coded list of 160 mobile banking apps. Once launched the service tricks the victim into giving the app permissions, waits two hours, then downloads the malicious payload (BankBot APK). Ultimately, once the victim opens a banking app, the malicious app is activated and overlays the actual app in order to steal banking credentials.

If that wasn't cunning enough the malware also includes a functionality to intercept text messages, including those sent via banks to carry out two-factor authentication. The functionality allows attackers to steal that number and transfer money to their own account.

Despite Google's efforts to remedy this sort of thing from happening, stories of malware making it through Play's protections continue to regularly make headlines. 

The company introduced Google Play Protect, a feature that aims to scan previously downloaded apps in order to determine whether or not they've been updated with malicious code in May but that still hasn't stopped attackers from getting their foot in the marketplace's proverbial door. Google unveiled a public bug bounty last month designed around finding vulnerabilities in mobile apps on Play but the program doesn't extend to adware, spyware apps, or rooting malware, the exact kind of apps that have plagued the mobile marketplace.

Chris Brook

ANALYST REPORTS

Gartner 2017 Critical Capabilities for Enterprise Data Loss Prevention

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with nearly a decade of experience writing about information security, hackers, and privacy. Prior to joining Digital Guardian he helped launch Threatpost.