Two new applications that managed to slip into Google Play despite being infected with the BankBot Trojan have been observed targeting the legitimate apps of Polish banks, ESET warns.
The malware hid inside the seemingly legitimate Crypto Monitor, an app for tracking cryptocurrency prices, and StorySaver, a utility that helps users download stories from Instagram. Both applications provide their users with the promised functionality, but also serve a nefarious purpose.
On the victim’s device, the apps can display fake notifications and login forms that have been designed to look as if they come from legitimate banking applications, which allows them to harvest the credentials victims enter into the fake forms.
They can also intercept text messages, thus being able to bypass SMS-based 2-factor authentication.
The BankBot banking Trojan was first observed about a year ago, when its source code leaked online alongside instructions on how to use it. It took over a month for the first malware based on that code to emerge, but numerous BankBot variations have been observed since, some in Google Play.
In a report published in early November, RiskIQ revealed that the malware managed to slip into the official Android application store disguised as Cryptocurrencies Market Prices, an application for users looking for timely information for people who engage in cryptocurrency marketplaces.
Only a couple of weeks after that report, the Crypto Monitor malicious app was uploaded to Google Play, under the developer name walltestudio. Four days later, on November 29, StorySaver was published to the marketplace, under the developer name kirillsamsonov45, ESET says.
The applications had between 1000 and 5000 downloads when ESET reported their malicious behavior to Google on December 4. Both of them have been removed from the application store.
After being launched on the infected device, the malicious apps retrieve information on the installed programs and compare these against a list of targeted banking software.
According to ESET, the malware targets the official apps of fourteen Polish banks, namely Alior Mobile, BZWBK24 mobile, Getin Mobile, IKO, Moje ING mobile, Bank Millennium, mBank PL, BusinessPro, Nest Bank, Bank Pekao, PekaoBiznes24, plusbank24, Mobile Bank, and Citi Handlowy.
The malware can display fake login forms imitating those of the targeted apps and can do so either without any action from the user, or after the user clicks on a fake notification.
ESET claims that most of the infections (96%) were detected in Poland, but that a small set of users in Austria were infected as well (the remaining 4% of detections). The local social engineering campaigns propagating the malicious apps contributed to this.
“The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them,” ESET says.
Mobile banking users who installed one of the malicious applications are advised to check their bank account for any suspicious activity. They should also consider changing PIN codes, the researchers say.
Source: infosec island