The author
Noel Anthony Llimos
Improving assessment policies and processes on safety and security in organizations is essential in outlining potential breaches and dangers to workers and properties. As an individual with a unique skill set, I have helped to identify security measures and appropriate solutions to mitigate various security risks.
New Mobile Banking Malware Impersonating Messaging Apps
Following our research on malvertising (the abuse of online advertising to deliver malicious ads), Cyberint has uncovered a new strain of mobile banking malware. This malware is being distributed on third-party APK sites and is disguised as advertisements for popular messaging applications like KIK and Viber. Our Cyberint team has conducted an analysis of the malware’s source code.
Based on our findings, it appears that the campaign is primarily targeting Asia. We have discovered artifacts within the source code that indicate the attack is specifically intended for certain Asian countries. Additionally, the written language observed on the analyzed artifacts suggests that the criminals behind these activities may be of Chinese origin.
According to data research from Search Logistics, KIK has a global average of 15 million monthly active users. Viber has experienced a significant user increase of over 400% in the Asia-Pacific region in 2020, and this growth isn’t slowing. Considering the surge in popularity and usage of these messaging platforms, the ongoing malware campaign presents a substantial risk to users throughout the region.
This report aims to provide an overview of the malware’s behavior and capabilities once it is installed and given permissions. Additionally, it will offer a detailed understanding of the malware’s code-level operations, including how it gains access to banking information and transfers it to its command and control (C&C) server. Interestingly, Cyberint has managed to gain access to the dashboard utilized by the threat actors responsible for this malware, where they store the stolen and harvested information.
Moreover, this report will offer recommendations and best practices to safeguard against these types of mobile banking malware. By following these guidelines, users can better protect themselves from potential threats and mitigate the risks associated with such malicious campaigns.
Technical Analysis of the KIK/Viber Malware
Cyberint observed two websites being used by the threat actors to distribute their malware. Interestingly, each of these two websites distributes one of the impersonated apps, either a fake KIK or a fake Viber.
Currently, there are three unique APK files available for download on the website. As of now, Cyberint has only observed KIK being impersonated. However, Cyberint has managed to gather additional samples for Viber impersonations.
After successful download and installation, the APK (file hash: cc140ab32d0fd1aa8c7da8fcd38cc1cb2b254955b0d8fab0c4d0f338eb0f514a) will ask for unusual permissions which provide the mobile malware with its full malicious capabilities.
As seen on the screenshot above, the malware prompts the user to grant it “Auto Granting Permissions” through the Accessibility Service. Once the necessary permissions are enabled, the malware gains the ability to monitor and collect events related to a specific mobile banking application. According to the malware’s source code, it specifically checks the file path “com.xxx:id/accBalance,” which contains the targeted mobile banking app’s account balance information.
According to the current source code of the malware, it is currently targeting mobile banking applications such as TPBank, VietInBank iPay, and MB Bank. Once the data is successfully collected, the malware proceeds to write the stolen information into a text file named “applog.txt” and transfers it to its command and control (C&C) server.
Additionally, the malware can capture the victim’s device password. As seen in the source code above, it harvests both the device’s “Input” and “Non-Input” passwords.
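The string “com.xxx:id/accBalance” quoted above has the form of an Android view resource ID, which is what an accessibility service reads from the UI tree (via AccessibilityNodeInfo.getViewIdResourceName) rather than a path on disk. The example below is an added illustration written for this article, not code from Cyberint or from the malware, of two defensive measures a banking app can apply on the screen that shows the balance: enumerate enabled accessibility services that are neither part of the system image nor declared as accessibility tools, and mark the balance view as accessibility-data-sensitive while setting FLAG_SECURE so the window cannot be screenshotted or recorded. The class and method names are hypothetical; the Android APIs used are real, and the two Android 13/14 calls are guarded by SDK version checks.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Added example: defensive checks a banking app can run before rendering account data. */
public final class AccessibilityHardening {

    /**
     * Returns package names of enabled accessibility services that are neither
     * installed on the system image nor self-declared as accessibility tools.
     * A non-empty result is a signal to warn the user or hide sensitive screens.
     */
    public static List<String> suspiciousAccessibilityServices(Context ctx) {
        List<String> flagged = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return flagged;

        List<AccessibilityServiceInfo> enabled =
            am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        PackageManager pm = ctx.getPackageManager();

        for (AccessibilityServiceInfo info : enabled) {
            if (info.getResolveInfo() == null) continue;
            String pkg = info.getResolveInfo().serviceInfo.packageName;

            // Services shipped on the system image (e.g. the vendor screen reader) are trusted here.
            boolean system = false;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                system = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            } catch (PackageManager.NameNotFoundException ignored) {
                // package vanished between enumeration and lookup; treat as non-system
            }

            // isAccessibilityTool() is a self-declaration available from Android 13 (API 33).
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                && info.isAccessibilityTool();

            if (!system && !declaredTool) flagged.add(pkg);
        }
        return flagged;
    }

    /**
     * Blocks screenshots/screen recording of the window and, on Android 14+,
     * hides the balance view's content from accessibility services that are
     * not declared accessibility tools.
     */
    public static void protectSensitiveView(Activity activity, View balanceView) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                      WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            balanceView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }
}
```

Call suspiciousAccessibilityServices in the activity that displays account data and protectSensitiveView once the balance view is inflated. Both checks are heuristics rather than guarantees: isAccessibilityTool is declared by the app itself, so a malicious APK can set it, and on Android 13 and below the sensitive-data flag is unavailable, which is why FLAG_SECURE (covering the screen-capture capability listed below) is applied unconditionally.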
Interestingly, as observed in the above lines of code, there are instances where the characters are written in Chinese. This observation leads us to assume that the threat actors behind these activities are Chinese-speaking individuals or a group. Furthermore, specific Chinese characters are also present in the function responsible for communication with the malware’s command and control (C&C) server.
Based on the overall analysis of the malware’s source code, the application is capable of the following behavior:
1. Fetch Mobile Banking Application Account Balance
2. Capture Device Password
3. Send and Receive Data from its C&C Server
4. Retrieve SMS Data
5. Collect Contact Details
6. Screen Capture and Record
7. Capture Pictures/Images
8. List the current Installed Applications
The Cyberint team was also able to access the Threat Group’s Dashboard where they post stolen information from their victims.
The dashboard shown in the screenshot above is written in Chinese. However, based on our observation, the rows in the screenshot categorize the following stolen information:
- Machine Code
- Status (if online or offline)
- Mobile Device’s Brand
- Time zone and Language
- Last Click
- Infection Timestamp
- Infection Status
- Current Active Operation
- Threat Actor’s Remark
- Amount of Current Available Balance (from the stolen mobile account balance information)
- Enable the lock screen
- Enable Accessibility
The dashboard can also be sorted based on the victim’s phone number, battery, card type, network carrier, and signal status.
A Need for Improved Defenses
The discovery of this mobile malware impersonating popular messaging applications poses a significant threat to Android mobile banking users, particularly in Asia. Its infostealer capabilities and targeted focus highlight the need for heightened cybersecurity measures, user education, and proactive defense strategies. Organizations and individuals can strengthen their defenses against this evolving mobile malware threat by implementing the recommended actions outlined below.
Recommendations to Protect From This Mobile Malware
- Promote awareness among mobile device users about the risks associated with downloading applications from unofficial sources and clicking on suspicious links or attachments.
- Encourage users to download applications exclusively from trusted app stores, such as the Google Play Store and the Apple App Store, with robust security measures in place.
- Encourage users to install reputable mobile security applications that provide real-time threat detection and protection against malware and phishing attempts.
- Emphasize the importance of keeping devices and applications up to date, as software updates often include security patches that address vulnerabilities exploited by malware.
- Develop and implement an incident response plan to swiftly address and mitigate potential malware infections, including prompt user notifications and data breach remediation.
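The first two recommendations (avoid unofficial sources, install only from trusted stores) can be turned into a concrete check on a managed Android device. The example below is added for this article and is not Cyberint’s code: it walks the installed non-system packages, flags any that were not installed by the Play Store, and hashes each package’s APK file against a small blocklist seeded with the SHA-256 indicator quoted in the analysis section. The class and method names are hypothetical; the PackageManager and MessageDigest APIs are real. On Android 11 and later, listing other apps requires the QUERY_ALL_PACKAGES permission (or a queries declaration), which is assumed to be granted to this auditing app.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: audit installed apps for sideloading and known-bad APK hashes. */
public final class SideloadAudit {

    // Seeded with the file hash of the KIK-impersonating APK from this report; extend as needed.
    static final List<String> KNOWN_BAD_APK_SHA256 = Arrays.asList(
        "cc140ab32d0fd1aa8c7da8fcd38cc1cb2b254955b0d8fab0c4d0f338eb0f514a");

    static final String PLAY_STORE = "com.android.vending";

    public static final class Finding {
        public final String packageName;
        public final String reason;
        Finding(String packageName, String reason) {
            this.packageName = packageName;
            this.reason = reason;
        }
        @Override public String toString() { return packageName + ": " + reason; }
    }

    /** Returns one Finding per suspicious condition; an empty list means nothing was flagged. */
    public static List<Finding> audit(Context ctx) throws IOException {
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            // Apps on the system image are not user-installed; skip them.
            if ((ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;

            String installer = installerOf(pm, ai.packageName);
            if (!PLAY_STORE.equals(installer)) {
                findings.add(new Finding(ai.packageName,
                    "not installed from Play Store (installer=" + installer + ")"));
            }

            // ai.sourceDir is the path of the installed base APK.
            String digest = sha256Hex(ai.sourceDir);
            if (KNOWN_BAD_APK_SHA256.contains(digest)) {
                findings.add(new Finding(ai.packageName, "APK hash matches a known malware sample"));
            }
        }
        return findings;
    }

    /** Installer package name, or "unknown" when the platform has no record (typical of sideloads). */
    static String installerOf(PackageManager pm, String pkg) {
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo src = pm.getInstallSourceInfo(pkg);
                String installing = src.getInstallingPackageName();
                return installing == null ? "unknown" : installing;
            }
            String legacy = pm.getInstallerPackageName(pkg); // pre-Android 11 API
            return legacy == null ? "unknown" : legacy;
        } catch (PackageManager.NameNotFoundException e) {
            return "unknown";
        }
    }

    /** Streams the file through SHA-256 and returns the lowercase hex digest. */
    static String sha256Hex(String path) throws IOException {
        try (InputStream in = new FileInputStream(path)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }
}
```

A hash blocklist only catches the exact samples already known, so the installer check is the more durable signal: an APK that arrived via a browser download or a file manager rather than the Play Store is exactly the delivery path this campaign relies on. Treat “unknown” installers as sideloaded, and feed findings into the incident response process from the last recommendation rather than acting on them silently.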
Cyberint Malware Protection
Cyberint provides continuous monitoring of forums, marketplaces, and code repositories to identify and intercept different types of malware shared and sold by cybercriminals. It assists customers in defending against these malicious tools and ensures timely takedowns.