A relatively new Android Trojan that specializes in stealing banking information by intercepting SMS messages has been making the rounds.
Researchers at zScaler spotted the as yet unnamed Trojan circulating as 888.apk. Like many types of malware that came before it, at least for the moment, the Trojan appears to be targeting Chinese Android users.
The Trojan’s forte is sniffing out messages having to do with banking and emailing those captured SMS messages to itself. In both cases the Trojan sends the information to a hardcoded Chinese email service, operated by NetEase, Inc., and a hardcoded Chinese phone number.
The Trojan’s SMS communication works both ways, as it can also receive commands from the command and control server via SMS. The attacker can simply send a message “intercept#” to start data collection and send another message, “interceptstop#” to stop it.
While going through SMS messages, the Trojan also sniffs out a series of keywords, “Pay”,”Check”,”Bank”,”Balance”,and “Validation,” as part of its gathering process.
In addition to intercepting Android users’ text messages, zScaler claims the Trojan can also either stop or interrupt users’ calls and for what it’s worth, send the caller’s number to the attacker via email. It appears there’s also a function for sending stolen information, like the device’s contacts and its SMS data via the web, but the code isn’t fully fleshed out yet.
“[The code] appears to be non-functional in this version and the malware author might still be testing out this feature, as seen by the usage of the private IP address,” Viral Gandhi, a security researcher with the firm wrote Monday.
Gandhi concludes his post with a handful of images of the Trojan in action, including SMS messages, contact databases and phone numbers it was able to steal:
Android-based banking Trojans haven’t caught on much in the U.S. but they’ve been fairly popular in other countries, particularly ones where banks have less stringent authentication measures.
Last fall Brazilian bankers were targeted by two apps that were rigged to resemble banking apps. In actuality the apps were crudely thrown together Trojans designed to phish users’ banking credentials. In 2013 another Android banking Trojan, Svpeng, was spotted by Kaspersky Lab researchers propagating through SMS spam messages and phishing Russian bankers. Like the Brazilian Trojans, Spveng was after bankers’ user names and passwords.
The Trojan that zScaler dug up bears a slight resemblance to a variant of Android malware named HeHe, dug up by FireEye last January, that also stole SMS messages and intercepted phone calls.