UPDATE: A previous version of this story incorrectly stated that the malware disables any antivirus application. In reality, the malware only uninstalls a particular antivirus application,“com.ahnlab.v3mobileplus,” that is often bundled with certain banking applications.
A new remote access tool has emerged for the Android platform, combining three of the most common capabilities of malware on Google’s mobile operating system: data leakage, banking credential theft, and – of course – remote access.
The malware presents itself as a “Google Service Framework” and disables a particular antivirus application on an infected device before moving on to its primary tasks. In addition to the features mentioned above, the security firm FireEye notes that its developers are in the process of building a framework for bank account hijacking.
FireEye researchers Jinjian Zhai and Jimmy Su explain that, thus far, the bank account hijacking framework has the capacity to target eight Korean banks, but that number could easily be increased. Similarly, Zhai and Su write that FireEye believes – based primarily on the tool’s user interface – that the criminals who developed the tool are based in Korea and are targeting users in Korea as well.
Kaspersky Lab senior malware analyst Roman Unuchek told Threatpost in an interview that this piece of malware, which is detected as Trojan-Banker.AndroidOS.Wroba.m, is one of the primary threats faced by Korean online bank users. According to Unuchek, Kaspersky Lab detected early versions of Wroba in June of last year and began detecting the latest iteration in June of this year.
Infected devices would have an application with the default Android icon, titled “Google Services,” on the device home-screen. In order to remove the application, Zhai and Su say that users would need to go into their settings and revoke the application’s administrative privileges.
In their analysis of the tool, FireEye found that after installing the malicious application, the “Google Services” icon appeared on the home-screen. When and if a user clicks on the app, it immediately requests administrative privileges. If the user grants permission, the app disables the user’s ability to uninstall and initiates a new running app called “GS.”
Meanwhile, on the home-screen, if the user attempts to open the “Google Services” app, a notification pops up claiming that the app did not install, then the icon disappears. Within minutes, the researchers claim the application establishes a connection with its command and control (C&C) server.
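The device-admin behaviour described above is what a responder would check first when triaging a handset. The following Python helper is an added example, not code from FireEye or Threatpost: it parses the output of `adb shell dumpsys device_policy` and `adb shell pm list packages` (both samples below are constructed approximations of the Android 4.x layout), flags any device admin whose package is outside an assumed allowlist, and reports whether the `com.ahnlab.v3mobileplus` antivirus package the malware removes is still installed. The package name `com.example.fakegsf` is a placeholder; the article does not name the malware’s real package.

```python
import re
from typing import Dict, List

# Assumed allowlist of packages that may legitimately hold device-admin rights.
# Constructed for this example; tune it to the fleet being examined.
ALLOWED_ADMIN_PREFIXES = ("com.android.", "com.google.android.")

# The antivirus package the article says the malware uninstalls.
AHNLAB_PACKAGE = "com.ahnlab.v3mobileplus"

# Constructed sample approximating `adb shell dumpsys device_policy` on Android 4.x.
# "com.example.fakegsf" is a placeholder for the malware's (unknown) package name.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
      policies:
        limit-password
    com.example.fakegsf/.GSAdmin:
      uid=10087
      policies:
        force-lock
        wipe-data
"""

# Constructed sample of `adb shell pm list packages` after the antivirus was removed.
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.example.fakegsf
package:com.example.bankapp
"""

# Matches an admin component line such as "    com.foo/.AdminReceiver:" and nothing else
# (the "policies:" and "uid=" lines have no "/" and so do not match).
ADMIN_RE = re.compile(r"^\s*([A-Za-z0-9_.]+/[A-Za-z0-9_.$]+):\s*$")


def parse_device_admins(dump: str) -> List[str]:
    """Return the component names listed under 'Enabled Device Admins'."""
    admins: List[str] = []
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if not in_section:
            continue
        m = ADMIN_RE.match(line)
        if m:
            admins.append(m.group(1))
    return admins


def parse_packages(listing: str) -> List[str]:
    """Return package names from `pm list packages` output (lines of 'package:<name>')."""
    return [ln.split(":", 1)[1].strip() for ln in listing.splitlines()
            if ln.startswith("package:")]


def suspicious_admins(admins: List[str]) -> List[str]:
    """Device admins whose package does not fall under an allowlisted prefix."""
    return [a for a in admins
            if not a.split("/", 1)[0].startswith(ALLOWED_ADMIN_PREFIXES)]


def antivirus_present(packages: List[str], pkg: str = AHNLAB_PACKAGE) -> bool:
    """True if the antivirus package the malware removes is still installed."""
    return pkg in packages


def triage(dump: str, listing: str) -> Dict[str, object]:
    """Combine both checks into one report with the article's removal order."""
    flagged = suspicious_admins(parse_device_admins(dump))
    return {
        "suspicious_admins": flagged,
        "antivirus_present": antivirus_present(parse_packages(listing)),
        # Per the article: revoke device-admin rights first, then the app can be uninstalled.
        "next_steps": [f"revoke device admin for {a.split('/')[0]}, then uninstall it"
                       for a in flagged],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMPSYS, SAMPLE_PACKAGES).items():
        print(f"{key}: {value}")
```

Running the script against the constructed samples flags `com.example.fakegsf/.GSAdmin` and reports the antivirus package as missing. Because an active device admin blocks `pm uninstall`, the admin right has to be revoked (in Settings, as the researchers describe) before the package can be removed.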
The C&C IP address appears to be located in Hong Kong, though the researchers have no way of knowing if that is a static server or merely the IP of one of the victim machines controlled by the RAT, which would perhaps suggest a peer-to-peer structure.
Once in touch with the C&C, the researchers claim the malware retrieves the following modules that will perform malicious tasks: UploadDetail, UploadSMS, SendSMS, BankHijack, PopWindow, and Update.
That first task, UploadDetail, gathers private information from the infected device, including phone numbers, device IDs, and contact lists. At the same time, the tool is also looking to see if there are any recognized banking applications on the infected device.
While analyzing a packet capture, the researchers noted that the value titled “banklist” comes back empty when there are no banking applications installed on the device. However, after they installed the eight recognized banking applications, the “banklist” value returned with shorthand markers for each of the banks.
Once aware of the presence of these banking apps, the “PopWindow” task initiates. The C&C uses this module to kill “com.ahnlab.v3mobileplus,” which is a popular antivirus application available on Google Play. Once this is done, the “PopWindow” module displays a window notifying users that there is a new version of their banking app available. If the user takes the bait, the C&C will install a malicious version of the banking app while uninstalling the original version.
The “Update” module updates the malware. The “UploadSMS” feature gives the C&C control of the phone’s SMS functionality.
The “BankHijack” feature, the researchers say, is unfinished. It appears that it takes note of the recognized banks, then continually tries to apply an update. FireEye seems to believe that the app’s developer is having trouble finishing this function.
“Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps,” Zhai and Su reason, “a more robust mobile banking threat could be on the horizon.”