Modern banking Trojans for Android are created by virus writers and sold for large sums of money as commercial products on underground Internet sites. Recently, however, the source code of one of these malicious programs, along with instructions for its use, was made freely available on a hacker forum. Doctor Web's virus analysts believe that this can lead to a significant increase in the number of Android banking Trojans and in the number of attacks carried out with their help.
Virus writers released the source code of the new malicious application a month ago, but Doctor Web's specialists have already discovered an Android Trojan created on the basis of the published information. Android.BankBot.149.origin is disguised as harmless programs and, once installed and launched on a smartphone or tablet, requests access to the administrative functions of the mobile device in order to complicate its removal. It then hides from the user by removing its icon from the home screen.
Next, Android.BankBot.149.origin connects to the command-and-control server and waits for its commands. The malware can send and intercept SMS messages, request administrator privileges, execute USSD requests, retrieve the numbers of all contacts in the phone book, send SMS messages with the text specified in a command to all numbers in the phone book, track the device's location via GPS satellites, obtain a configuration file with a list of targeted banking applications, and show phishing windows.
Android.BankBot.149.origin steals users' confidential information by tracking the launch of online banking ("bank-client") applications and of software for working with payment systems. The investigated sample monitors the launch of more than three dozen such programs. Once Android.BankBot.149.origin detects that one of them has started, it downloads from the command-and-control server the corresponding phishing form for entering the login and password for the bank account and shows it on top of the attacked application. The Trojan also attempts to steal information about the credit card of the owner of the infected mobile device. This banker tracks the launch of popular apps such as Facebook, Viber, Youtube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter and the Play Store, and shows on top of them a phishing version of the settings window of the Google Play payment service.
When an SMS arrives, the Trojan disables all sound and vibration alerts, sends the contents of the message to the attackers and tries to delete the intercepted messages from the inbox. As a result, the user not only fails to receive notifications from credit institutions about unscheduled money transactions, but also does not see other messages that arrive at the user's number.
All the data stolen by Android.BankBot.149.origin is uploaded to the command-and-control server and is accessible in the administration panel. With its help, cybercriminals not only obtain the information but also manage the malicious application.
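A defender-side triage of the capabilities listed above, as an added example that is not Doctor Web's code or part of the original article: it reads a decoded AndroidManifest.xml and reports which of those capabilities the app declares. The permission-to-capability mapping and the sample manifest are assumptions constructed for illustration; the article does not list the Trojan's actual permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: the standard Android permission each capability named in
# the article would normally require (not taken from the analysed sample).
CAPABILITIES = {
    "intercept SMS": {P + "RECEIVE_SMS"},
    "send SMS": {P + "SEND_SMS"},
    "USSD requests": {P + "CALL_PHONE"},
    "read contact numbers": {P + "READ_CONTACTS"},
    "GPS tracking": {P + "ACCESS_FINE_LOCATION"},
}

def triage(manifest_xml):
    """Return the sorted capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, need in CAPABILITIES.items() if need <= perms}
    # Device admin: a receiver guarded by BIND_DEVICE_ADMIN that handles DEVICE_ADMIN_ENABLED.
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if (rcv.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            found.add("device administrator")
    return sorted(found)

def is_high_risk(manifest_xml):
    """Flag the combination the article describes: admin rights plus SMS interception."""
    caps = triage(manifest_xml)
    return "device administrator" in caps and "intercept SMS" in caps

# Constructed sample manifest (not taken from any real application).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE), is_high_risk(SAMPLE))
```

A match is only a reason to look closer: legitimate messaging or device-management apps can declare the same permissions.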