Mobile Banking Trojans remain one of the biggest threats to mobile banking and mobile banking customers in 2022. In this blog, mobile app developers and security professionals responsible for retail banking applications can learn how to best protect their mobile banking apps against malware and trojans installed on the devices of their mobile banking customers. Most mobile banking trojans are Android Banking Trojans.
The one thing Android Banking Trojans share in common is that they abuse the AccessibilityServices API of the Android OS. Google is painfully aware that their service, designed to help people with disabilities access their device and the apps on their device, is being abused by bad actors to commit mobile banking fraud on unassuming consumers. To this point, in November 2021, Google introduced new restrictions on the use of the AccessibilityServices API.
Shortly after this, ThreatFabric reported that over 300,000 Android smartphone users downloaded what turned out to be banking trojans after falling victim to malware that bypassed detection by the Google Play app store. This fraudulent activity resulted in significant financial loss for the targeted banks. The ThreatFabric report also noted that the dropper apps used in these attacks all have a very small malicious footprint. The report concluded that this small footprint is a (direct) consequence of the AccessibilityServices API permission restrictions enforced by Google Play.
The Anatomy of an Android Banking Trojan
Android banking trojans are very different from iOS banking trojans. Yes, iOS is a closed ecosystem, but that does not mean there is no iOS malware. In June 2021, Tim Cook said that “Android has 47x more malware than iOS. Why is that? It’s because we’ve designed iOS in such a way that there’s one App Store and all of the apps are reviewed prior to going on the store. That keeps a lot of this malware stuff out of our ecosystem.” More on this in a future blog.
Most Android banking trojans follow the same script:
The malware masquerades as a legitimate app and is downloaded from a malicious link or from an app store. Once installed on the device, the malware tries to trick the user into granting full permissions. This abuse of the Android AccessibilityServices API is common to all Android banking trojans. Once the user grants the malware these permissions, the user becomes the victim. The fraudster can now launch local, on-device attacks on the victim’s mobile banking app. The fraudster can choose from a baker’s dozen attack vectors: app overlays, SMS interception, MFA bypass, keylogging, screen recording, … basically anything the fraudster can think of to harvest the information they need to commit fraud. All of which leads to the ultimate goal of the malware: defraud the victim by stealing money.
The Top 10 Mobile Banking Trojans Going into 2022
These are the top 10 mobile banking trojans banks should protect against going into 2022:
- TeaBot
- Oscorp
- Vultur
- BlackRock
- Medusa
- ERMAC
- SOVA
- FluBot
- Sharkbot
- Anubis (next gen)
I wrote a very detailed blog on how to protect retail banking apps against Sharkbot. Sharkbot is an example of “a new generation of mobile malware”, as it can perform ATS attacks inside the infected device. ATS (Automatic Transfer System) is an advanced attack technique which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.
Android Banking Trojan Timeline
Here’s an overview of some of the top mobile banking trojans from the last couple of years.
Banking Trojan | Description / What it is famous for | Attack Vectors Used |
---|---|---|
Zeus/Zitmo | Zeus is the mother of all banking trojans. Zitmo (Zeus-in-the-Mobile) came out in late 2010. All other mobile banking trojans borrow from Zitmo. | The first malicious program designed to steal mTAN (mobile Transaction Authentication Number) codes, facilitate credential theft and enable fraud losses. |
Gustuff | The first Android banking Trojan that heavily relied on Android’s AccessibilityService to power its RAT functionality. | Abuse AccessibilityServices API; keylogging; browser overlays and even an ATS (Automated Transaction System) on top of the RAT. |
Anubis | Although no longer officially supported since the conviction of its author, Anubis is still a common choice of criminals when it comes to Android banking malware. | Abuse AccessibilityServices API; overlay attacks; SMS interception / Call forwarding; keylogging. |
Hydra | Hydra has its roots as a “dropper service”. | Abuse AccessibilityServices API; overlay attacks; screencast capabilities; back-connect proxy option, remote app installation, remote screen locking and the possibility to use Google firebase as command handler. |
Cerberus | Has taken the place of Anubis as the most “rented” banking malware. | Abuse AccessibilityServices API; exfiltration of PII; RAT feature to perform fraud; steal device screen-lock credentials; steal 2FA tokens from the Google Authenticator application; launch TeamViewer for remote control |
Ginp | Fork of Anubis | Abuse AccessibilityServices API; SMS Stealer, Overlays, Keylogging, screen capture |
Eventbot | Masquerades as legit Android apps | Abuse AccessibilityServices API; steal usernames, passwords and intercept two-factor authentication codes sent as text messages |
Alien | Fork of Cerberus | Abuse AccessibilityServices API; dynamic overlays, remote viewing (TeamViewer), SMS harvesting, device info and contacts harvesting, remote control for app install, start, delete and screen locking, push notifications, prevent malware removal, and more. |
Ghimob | Masquerades as legit Android apps and once installed targets various apps on the device to carry out fraudulent transactions | Abuse AccessibilityServices API; screen recording, remotely unlock device, overlay attacks, prevent delete/uninstall and more. |
Anatsa | Masquerades as legit Android apps | Abuse AccessibilityServices API; steal usernames and passwords, and uses accessibility logging to capture everything shown on the user’s screen, while a keylogger records all information entered into the phone |
TeaBot | Fork of Anatsa and masquerades as legit Android apps | Abuse AccessibilityServices API; live broadcast of the device screen. Intercept SMS messages, keylogging, steal Google authentication codes to steal bank details and other sensitive information. Copies behavior of FluBot and Eventbot. |
Oscorp | Steals funds from the victims’ home banking service, by combining the usage of phishing kits and vishing calls | Abuse AccessibilityServices API; send, intercept and delete SMS messages. Overlay attacks, keylogging and WebRTC protocol abuse capabilities |
Vultur | Gets installed via the Brunhilda dropper, which masquerades as a legit Android app. | Abuse AccessibilityServices API; observes everything happening on the device using VNC-based screen recording to harvest PII used to perform fraud. |
BrazKing | Uses phishing message with malicious URL asking users to update Android OS. (Brazil specific trojan) | Abuse AccessibilityServices API; uses overlay attack to direct session to malicious server to launch credential theft attack. |
BlackRock | Makes use of Android work profiles to gain admin privileges. | Abuse AccessibilityServices API; Overlays, keylogging, SMS harvesting, device info harvesting, screen-locking, app icon hiding and prevent delete/uninstall to attack banking apps and commit fraud. |
Medusa | Takes advantage of several social networks such as Telegram, ICQ or Twitter to store the address of the control server to which the trojan must connect. | Abuse AccessibilityServices API; steals as much data as possible from the infected device, in addition to banking credentials. The theft of text messages helps attackers to carry out fraud after the theft of credentials, while the theft of the contact list enables distribution in new campaigns through spam. |
ERMAC | Almost fully based on Cerberus, and is being operated by BlackRock actor(s). Masquerades as Google Chrome as well as banking apps, media players, delivery services, government applications, and antivirus solutions like McAfee. | Abuse AccessibilityServices API; steal contact information, text messages, open arbitrary applications, and trigger overlay attacks to swipe login credentials. Clear the cache of a specific application and steal accounts stored on the device. |
SOVA | The most worrying aspect of this Trojan is that it is designed to launch future Ransomware and DDoS attacks. | Abuse AccessibilityServices API; Uses keylogging, notification manipulation and session cookies theft to commit fraud. |
FluBot | Tricks users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update. | Abuse AccessibilityServices API; steals passwords; bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. |
Drinik | SMS phishing malware masquerading as an Income Tax Refund that asks victims to install a malicious app. The fake app then asks the user to input all their personal info. When the user clicks “Transfer”, the application shows an error and displays a fake update screen. In the meantime, the fraudster generates and renders a bank-specific mobile banking screen. The user is then requested to enter the mobile banking credentials, which are harvested by the attacker. (India specific malware) | Abuse AccessibilityServices API; dynamic overlays |
PixStealer | Masquerades as a fake cashback service to target the customers of one specific Brazilian bank. This is a very small app with only one function: transfer all the victim’s funds to an account of the bad actor. (Brazil specific malware) | Abuse AccessibilityServices API; PixStealer uses a “less is more” technique: as a very small app with minimum permissions and no connection to a C&C, it has only one function: transfer all of the victim’s funds to an actor-controlled account. |
MalRhino | The big brother of PixStealer. Masquerades as a fake iToken app and was distributed via Google Play. Harvests device info and uses this to launch attacks on specific Brazilian banking apps. (Brazil specific malware) | Abuse AccessibilityServices API; collect the list of installed applications and send it to the C&C server together with the victim’s device info; run banking applications; retrieve the PIN from the Nubank application |
Sharkbot | SharkBot hides itself with common names and icons posing as a legitimate application, such as Live TV and MediaPlayer apps | Abuse AccessibilityServices API; Overlay Attacks; steal login credentials and credit card information; intercept/hide SMS messages; keylogging; full remote control of an Android device |
Anubis (Next Gen) | A modified version of Anubis. Targeting customers of almost 400 financial institutions, cryptocurrency wallets, and virtual payment platforms. It is distributed in a novel way – by stealing the identity of a telecommunications service provider and presenting itself as its “official” account management application. | Abuse AccessibilityServices API; collects valuable finance-related data such as SMS messages from the victim, logs keystrokes, exfiltrates files, monitors the screen, harvests GPS data, and takes advantage of other accessibility services enabled on the device. |
I will update this list as more banking trojans appear in 2022. Fraudsters are using automated models to attack mobile banking apps and defraud their victims. The only way financial services organizations, banks and fintechs can protect against known and unknown RATs is to deploy a comprehensive security solution like Appdome.
Recommended Security Model to Protect Mobile Banking Apps Against All Mobile Banking Trojans
As most security professionals will say, there is no silver bullet in security. The only good security model is a layered security model. As such, my recommended solution to protect banking apps against all mobile banking trojans is a layered defense. First, the app should be protected against all static code analysis attempts so that the fraudster cannot learn the app logic. Next, the app should be protected against dynamic code analysis attempts. To do so effectively, the app should have a layered run-time defense starting with self-defending app shielding to protect the app against debugging, tampering and reverse-engineering attempts. Next, developers should protect all the data stored in the sandbox as well as throughout the code of the app with AES-256 encryption. The developers should prevent the app from running on devices with a compromised OS, typically jailbroken or rooted devices. And the final step to prevent hackers and fraudsters from learning how the app functions is to ensure secure communication between the app and the mobile back end and protect against network-based attacks such as Man-in-the-Middle attacks.
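To make three of those run-time layers concrete (the compromised-OS check, AES-256 storage in the sandbox, and pinned TLS to the back end), here is an added Android example in Kotlin; it is not Appdome's code and not the page's own. The `su` paths are an assumed heuristic list, the host `api.example-bank.invalid` and the pin strings are placeholders, and it relies on Jetpack Security and OkHttp.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.content.pm.ApplicationInfo
import android.os.Build
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.io.File

// Added example, not Appdome's code. suPaths is an assumed heuristic list; host and pins are placeholders.
object RuntimeHardening {
    private val suPaths = listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")

    // Layer: refuse to run on a device that shows signs of a compromised OS, or on a debuggable build.
    fun looksCompromised(ctx: Context): Boolean {
        val testKeys = Build.TAGS?.contains("test-keys") == true   // firmware not signed with release keys
        val suPresent = suPaths.any { File(it).exists() }           // root binary present
        val debuggable = (ctx.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        return testKeys || suPresent || debuggable
    }

    // Layer: sandbox data encrypted with AES-256 (Jetpack Security); the master key lives in the Android Keystore.
    fun securePrefs(ctx: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(ctx).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
        return EncryptedSharedPreferences.create(
            ctx, "bank_prefs", masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    // Layer: pin the back end's SPKI hashes so a Man-in-the-Middle presenting a rogue CA cannot terminate TLS.
    // Replace the placeholders with the real base64 SHA-256 SPKI hashes and always ship a backup pin.
    fun pinnedClient(): OkHttpClient {
        val pinner = CertificatePinner.Builder()
            .add("api.example-bank.invalid", "sha256/PRIMARY_PIN_PLACEHOLDER")
            .add("api.example-bank.invalid", "sha256/BACKUP_PIN_PLACEHOLDER")
            .build()
        return OkHttpClient.Builder().certificatePinner(pinner).build()
    }
}
```

Root and debug heuristics can be bypassed by a determined attacker, so treat `looksCompromised` as one signal in the layered model rather than the whole check.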
Once you prevent a hacker from using static and dynamic analysis against the app, the developer should prevent fraudsters from using malware to defraud the victims (users of the mobile banking app). Again, a good defense is a layered defense. To start, the banking app should be able to detect any application on the device that has too many accessibility services permissions. This abuse of the AccessibilityServices API is common to all Trojans and RATs. In addition, the app should stop the use of custom keyboards that may include keylogger software used to exfiltrate keystroke information, and detect and prevent screen overlay attacks from displaying a fake screen on top of the app screen.
Finally, fraudsters regularly abuse powerful developer tools to attack mobile banking apps. Mobile app developers should detect and block the use of Android Debug Bridge, Magisk Manager and Frida.
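The malware-detection layer from the two paragraphs above (over-privileged accessibility services, custom keyboards, overlay touches and USB debugging) as an added Android example in Kotlin; it is not Appdome's code and not from the original page. The allowlisted package names are assumptions a bank would replace with its own vetted list, and the `Finding` type and the response to a finding are left to the caller.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.provider.Settings
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Added example, not Appdome's code. Allowlists are assumptions: a bank maintains its own list of
// vetted screen readers and OEM keyboards and decides the response (warn, degrade, block).
object DeviceThreatAudit {
    private val trustedA11yPackages = setOf("com.google.android.marvin.talkback")
    private val trustedKeyboardPackages = setOf("com.google.android.inputmethod.latin")

    // Capabilities that let a service read the screen and act for the user (overlay / ATS style abuse).
    private val highRiskCaps = AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT or
        AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES

    data class Finding(val category: String, val detail: String)

    // Call at launch and again before sensitive screens; an empty list means nothing was flagged.
    fun run(ctx: Context): List<Finding> {
        val findings = mutableListOf<Finding>()
        val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        for (info in am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            val pkg = info.resolveInfo.serviceInfo.packageName
            if (pkg !in trustedA11yPackages && (info.capabilities and highRiskCaps) != 0) {
                findings += Finding("accessibility", "$pkg can read screen content or perform gestures")
            }
        }
        // A keylogger can ship as a custom keyboard (IME), so check the active one against the allowlist.
        val ime = Settings.Secure.getString(ctx.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD) ?: ""
        val imePkg = ime.substringBefore('/')
        if (imePkg.isNotEmpty() && imePkg !in trustedKeyboardPackages) {
            findings += Finding("keyboard", "untrusted input method active: $ime")
        }
        // USB debugging switched on is the precondition for ADB-driven tampering.
        if (Settings.Global.getInt(ctx.contentResolver, Settings.Global.ADB_ENABLED, 0) == 1) {
            findings += Finding("developer-tools", "USB debugging (ADB) is enabled")
        }
        return findings
    }

    // Overlay defense for login and transfer views: the framework drops touches while another window
    // fully covers the view, and the listener also swallows partially obscured ones (API 29+ flag).
    fun hardenAgainstOverlay(view: View) {
        view.filterTouchesWhenObscured = true
        view.setOnTouchListener { _, ev ->
            val obscured = MotionEvent.FLAG_WINDOW_IS_OBSCURED or MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED
            (ev.flags and obscured) != 0 // true = consume, i.e. ignore the touch
        }
    }
}
```

On Android 11 and later, enumerating other packages' permissions needs the package-visibility declarations, which is why this check relies on the enabled-service and input-method settings rather than scanning every installed app.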
Request a demo of Appdome today to learn how to protect your mobile banking apps against all mobile banking trojans.