Asacub, once thought of as spyware, appears to have completed its transition into mobile banking malware, according to research published this week.
When the Android malware surfaced in June 2015, researchers with Kaspersky Lab assumed it was spyware. It more or less fit the part; Asacub siphoned incoming SMS messages, browser history, and contacts — and uploaded them to a malicious looking server.
Researchers with the Russian firm acknowledged this week however that they came across upon a newer, more souped-up version in September 2015 and that the malware’s functionality has changed. Asacub now appears to a full-fledged banking Trojan.
Roman Unuchek, a senior malware analyst with Kaspersky Lab’s Global Research and Analysis Team discussed the malware, which its calling Trojan-Banker.AndroidOS.Asacub, Wednesday in a blog post on Securelist. While newer versions of the malware can still upload SMS messages, it can also intercept messages, turn the phone off, mute the phone, and turn off its screen, among other actions, he said.
One of the most interesting commands Unuchek claims is “rev_shell,” a remote command line that lets the attacker execute commands, and see their output, something that he said is unique for banking malware.
“This functionality is typical of backdoors and very rarely found in banking malware,” Unuchek wrote, “The latter aims to steal money from the victim’s bank account, not control the device.”
Perhaps more telling, the samples of Asacub that came to light in September also included phishing screens and the logos of several European banks.
Still, Asacub remains in flux. According to Unuchek the most recent iteration of the malware is replete with new capabilities, including a command which can forward the device’s GPS location to the attacker and a command that can take photos with the the device’s camera.
While the phishing screens are absent from the latest modification, it still mentions banks in the code, and “frequently gets commands to work with the mobile banking service of a major Russian bank,” Unucheck writes.
The developers behind malware really kicked it into high gear during New Year’s week. From Dec. 28 to Jan. 4, Kaspersky Lab noted attempts to infect upwards of 7,000 users, but claims activity has declined since.
It remains to be seen if users in the United States are a viable target for Asacub, but Unuchek points out that the logo of an unnamed U.S. bank did appear in early builds of the Trojan, suggesting the threat is developing quickly.