By: Viral Gandhi

Android Banking Trojan And SMS Stealer Floating In The Wild

Malware

 
 
We recently came across an Android banking Trojan with a very low antivirus detection rate that targets Chinese mobile users. The malware steals banking information by intercepting SMS messages and scanning them for certain keywords. It also harvests all the contact information stored on the device and relays it to a remote Command & Control (C2) server.

Malicious Android package details
 
  • Name: 888.apk
  • MD5: ff081c1400a948f2bcc4952fed2c818b
  • VT: 7/56 (at the time of analysis)
  • Source: http://wap{.}jhgxc{.}com/888.apk
 
Functionality
 
  •  Intercept and capture all incoming and outgoing SMS messages
  •  Intercept incoming calls, with the ability to end them
  •  Receive C2 commands via SMS
  •  Send stolen data via SMS, e-mail and, possibly, web requests to the C2 server

Let's take a look at some of the features listed above and how they have been implemented:
 
E-mailing sent SMS messages
 
In the screenshot above, you can see that the malware e-mails the captured outbound SMS messages using a hardcoded 163.com e-mail address. It mails the stolen data to that same address with the subject "Send SMS".
 
E-mailing and forwarding all captured SMS data
 
 
Here you can see that it e-mails the captured inbound SMS messages using the same parameters it used for outbound SMS messages. In addition, it forwards the same information via SMS to a hardcoded Chinese phone number, "15996581524".
 
Intercepting incoming calls

The screenshot above shows the ability to intercept incoming calls and send the caller's number via e-mail with the subject "Intercept incoming call once the call!". The malware can also end the call.
 
Receiving commands via SMS

The malware also accepts C2 commands from its operator as SMS messages sent to the infected device.
 
Command strings

As seen in the screenshot above, the attacker starts the data capture by sending the SMS command "intercept#" and stops it by sending the SMS command "interceptstop#".
 
Banking strings
 
In the screenshot above, you can see string checks related to online banking transactions. The code looks for the strings "Pay", "Check", "Bank", "Balance" and "Validation", which clearly shows the malware author's intent to sniff banking-related information.
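To make the command channel and the keyword check concrete, the following is an added analyst's model of the behaviour described in the two sections above (the "intercept#"/"interceptstop#" commands and the banking-string check). It is not code from the 888.apk sample; the command strings and keywords are the ones shown in the post, while the case-insensitive comparison, the acceptance of commands from any sender, and the sample traffic are assumptions made here:

```python
# Added example (not code from the 888.apk sample): an analyst's model of the
# SMS command channel and the banking-keyword check described in the post,
# used to reason about which messages the malware would forward to its C2.
# Command strings and keywords are the ones shown in the post; everything
# else (case handling, sender checks, sample traffic) is an assumption.

from dataclasses import dataclass, field

CMD_START = "intercept#"        # operator SMS that switches capture on
CMD_STOP = "interceptstop#"     # operator SMS that switches capture off

# Keywords the sample compares SMS bodies against (from the post).
BANK_KEYWORDS = ("Pay", "Check", "Bank", "Balance", "Validation")


@dataclass
class InterceptState:
    capturing: bool = False
    # (sender, body, is_banking) tuples the model would relay to the C2
    relayed: list = field(default_factory=list)


def is_banking_sms(body: str) -> bool:
    """Substring match against the keyword list.

    Assumption: modelled as case-insensitive; the post shows the keywords
    but not how the sample performs the comparison.
    """
    lowered = body.lower()
    return any(kw.lower() in lowered for kw in BANK_KEYWORDS)


def handle_sms(state: InterceptState, sender: str, body: str) -> str:
    """Process one incoming SMS and report what the model did with it.

    Returns "command" for a recognised operator command, "relayed" when the
    message would be forwarded (by e-mail/SMS) to the C2, and "dropped" when
    capture is switched off.  Assumption: commands are accepted from any
    sender; the post does not say whether the sample checks the number.
    """
    text = body.strip()
    if text == CMD_START:
        state.capturing = True
        return "command"
    if text == CMD_STOP:
        state.capturing = False
        return "command"
    if not state.capturing:
        return "dropped"
    state.relayed.append((sender, text, is_banking_sms(text)))
    return "relayed"


def replay(messages):
    """Run a list of (sender, body) pairs through a fresh state."""
    state = InterceptState()
    outcomes = [handle_sms(state, sender, body) for sender, body in messages]
    return outcomes, state


# Constructed sample traffic for the demonstration, not captured data.
SAMPLE_MESSAGES = [
    ("bank-test", "Your account balance is 1,200.00"),          # capture off: dropped
    ("operator-test", "intercept#"),                            # C2 enables capture
    ("bank-test", "Validation code 483920 for your payment"),   # relayed, banking
    ("friend-test", "Dinner tonight?"),                         # relayed, not banking
    ("operator-test", "interceptstop#"),                        # C2 disables capture
    ("bank-test", "Bank transfer of 500.00 completed"),         # dropped again
]

if __name__ == "__main__":
    outcomes, state = replay(SAMPLE_MESSAGES)
    for (sender, body), outcome in zip(SAMPLE_MESSAGES, outcomes):
        print(f"{outcome:8} {sender:14} {body}")
    banking = [r for r in state.relayed if r[2]]
    print(f"{len(state.relayed)} relayed, {len(banking)} matched banking keywords")
```

Running the script replays the constructed conversation: the first banking message is dropped because capture has not been enabled, the two messages between the start and stop commands are relayed (only one of them hits a banking keyword), and the last one is dropped again. The same replay loop is a convenient place to plug in real SMS logs pulled from a test device when confirming the behaviour in a sandbox.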
 
Setting high priorities
 
The malware registers its SMS receiver and outgoing-call receiver with a high priority. SMS_RECEIVED and NEW_OUTGOING_CALL are ordered broadcasts delivered to receivers in descending priority order, so a high-priority receiver sees these events before any other application on the device, including the stock messaging app, and can act on them first. (Android 4.4 later made SMS_RECEIVED non-abortable for anything other than the default SMS app, but that did not exist at the time this sample was built.)
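A quick triage check for this trick, added here as an example rather than taken from the post or the sample: parse a decoded AndroidManifest.xml (for instance apktool's output) and list every broadcast receiver whose intent filter for SMS_RECEIVED or NEW_OUTGOING_CALL carries an explicit android:priority. The manifest embedded below is constructed for the demonstration, and its priority values are assumptions; the post does not give the sample's actual values.

```python
# Added example (not from the 888.apk sample or the post): triage check that
# flags receivers with an explicit priority on the SMS and outgoing-call
# broadcasts.  Input is a decoded AndroidManifest.xml, such as apktool
# produces.  The manifest below is constructed; its priority values are
# assumptions made for the demonstration.

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WATCHED_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
}


def _attr(element, name):
    """Read an android:-namespaced attribute (ElementTree keys it as {ns}name)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def find_priority_receivers(manifest_xml):
    """Return [(receiver, action, priority)] for watched actions declared with
    an explicit priority, in document order.  A non-numeric priority is
    reported as None so it still surfaces for manual review."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            raw = _attr(flt, "priority")
            if raw is None:
                continue                      # default priority: not interesting
            try:
                priority = int(raw)
            except ValueError:
                priority = None
            for action in flt.findall("action"):
                name = _attr(action, "name")
                if name in WATCHED_ACTIONS:
                    hits.append((_attr(receiver, "name"), name, priority))
    return hits


# Constructed manifest for the demonstration (not the sample's manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for receiver, action, priority in find_priority_receivers(SAMPLE_MANIFEST):
        print(f"{receiver}: {action} priority={priority}")
```

Only the two receivers that combine a watched action with an explicit priority are reported; the boot receiver, which has no priority attribute, is ignored. On a real APK, pair the output with the RECEIVE_SMS and PROCESS_OUTGOING_CALLS permissions in the same manifest, since a legitimate messaging or dialer app will also declare these receivers and the priority alone is only a signal.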
 
Web request for sending stolen contacts
 
We also saw code that would allow the malware to send stolen contact information and SMS data through web requests. However, this path appears to be non-functional in this version, and the malware author may still be testing the feature: the hardcoded server is a private (RFC 1918) IP address that is unreachable from the Internet:

 "http://192.168.1.102/input/input_data_get_contact.asp?user=XXX&pwd=XXXX&addr="
 
Web request for sending stolen SMS data
 
"http://192.168.1.102/input/input_data_get_sms.asp?user=XXX&pwd=XXX&addr=XXX&id=XXX"

The following screenshots show a sample of the stolen information that the malware author has been able to capture through these malicious APK infections to date:
 
Sent e-mail folder
E-mailed stolen SMS message
Intercepted incoming call notification
 
SMS matching online banking strings
 
Stolen contact information

 
Infected mobile users
Intercepted online banking SMS messages
 
These screenshots show genuine, sensitive financial information captured by this malware, which illustrates the impact of such banking sniffers.
 
-Viral.

 
