This banking malware came into the attention in 2019, and is capable of targeting over 30 targets as below:
- 7 U.S. banking apps
- 1 Japanese banking app
- 15 non-banking apps
- 7 French banking apps
The android malware was capable of credentials stealing and CC details as well. Some of its capabilities include –
- Architecture: Modular
- verlaying: Dynamic (Local injects obtained from C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- Contact list collection
- Application listing
- Location collection
- Overlaying: Targets list update
- SMS: Sending
- Calls: USSD request making
- Calls: Call forwarding
- Remote actions: App installing
- Remote actions: App starting
- Remote actions: App removal
- Remote actions: Showing arbitrary web pages
- Remote actions: Screen-locking
- Notifications: Push notifications
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
On July 7, there were reports that the malware infiltrated Google Playstore.
The group is now selling the entire project on one of the market of the darkweb.
But it won’t be easy, as Google playprotect has introduced additional securit features which has made this malware / project ineffective.
This means if a victim has the bot installed, Google will remove it for them.
The future of this banking malware project is dim, and it’s unlikely it would come back in its current shape.
That said, some good news for the consumer community and kudos to Google Play Security team for their recent efforts in making the ecosystem more secure.