Cyble Research - MasterFred Android Malware

MasterFred Banking Trojan Targets Users via Phishing Pages


During our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post by a malware researcher about a new Android banking trojan variant. This newly identified banking trojan has been named “MasterFred” by malware researchers.

Our investigation revealed that MasterFred shares traits with malware families such as Aberebot and Cerberus. This malware includes fake Twitter and Netflix login overlays as well as overlays for Polish and Turkish banks, which indicates that MasterFred is likely targeting people in and near Poland and Turkey.

MasterFred abuses the Android Accessibility service to collect sensitive information such as credit card details from over 10 fake bank pages, or to compromise more than 8 social networking accounts (Netflix, Twitter, etc.) by using fake login pages. The HTML overlays for common apps, as well as the fake bank login overlays in multiple languages, are stored in the assets folder within the application.

The malware sends the information harvested through these overlays back to its operator via an Onion URL. This is likely done to hide the presence of the Command and Control (C2) server from detection.

Technical Analysis  

Our analysis confirmed that the malware is a variant of an Android banking trojan. The malicious app uses encrypted strings and patterns to transmit the acquired sensitive information to an Onion[.]ws (Tor2Web) URL.

APK Metadata Information: 

  • App Name: Mlab  
  • Package Name: mlab.sert.fr 
  • SHA256 Hash: ce0f20f0c1283fd0e29a5b6a4bd2a44c6a1968b0e7553386bf1e7c88ffce5427 
Figure 1 Analysed Malware Sample Information 

Manifest Data 

The malicious app requests a relatively limited set of permissions. Table 1 shows the list of permissions requested by the app. 

Permission            Description
INTERNET              Allows applications to open network sockets
READ_PHONE_STATE      Read-only access to phone state
SYSTEM_ALERT_WINDOW   Allows an application to show system alerts over other apps
ACCESS_WIFI_STATE     Allows an application to view information about the status of Wi-Fi
ACCESS_NETWORK_STATE  Allows an application to view the status of all networks

Table 1 Permissions used by the Malicious App 

On analyzing the app’s manifest file, data such as the app’s entry point, along with receivers and services were identified. Refer to Figure 2. 

Figure 2 Activities and Service Information from Manifest File 

“com.lovelydast.dating.MainActivity” is the main entry point of the app that loads initially. Typically, post-installation, the application prompts the user to grant the Accessibility permission on the infected device. In this case, however, the application only prompts the user if it can determine that the user is from Poland or Turkey.

The application also uses the BIND_ACCESSIBILITY_SERVICE permission and other services. Accessibility services are primarily intended to assist differently-abled Android users.

These services operate in the background and receive the AccessibilityEvents fired by the system. Actions such as switching focus or clicking a button signify a change in the user interface’s state.

Such a service typically requests the ability to query the content of the active window. The malicious app, on the other hand, abuses this permission to monitor and retrieve data from the infected device. Figure 2 shows the Accessibility Service used by the app.

By analyzing the launcher activity of the application that opens when clicking the app icon, we were able to identify that the application loads a URL through WebView, as shown in Figure 3. 

Figure 3 Loads a URL through WebView 

The app’s icon looks like the Google logo, as illustrated in Figure 1. However, upon launching it, the URL loaded via WebView appears to be a dating website called “Mingle2 Online Dating”. Users are asked to fill in a sign-up form or are redirected to a sign-in page.

The user details required to be filled in upon navigating to the sign-up page are gender, birthday, country, and email. The next page requests additional details such as city, display name, and password to create an account on the dating site.  

The application uses the class “pfuzva.qnrdkp.fwnppu.MyAccessability” to monitor the device’s screen actions once the user enables the BIND_ACCESSIBILITY_SERVICE permission. The class defines a significant number of encrypted strings across all of its functions.

We determined the Threat Actor’s (TA) encryption method by tracing the detected encrypted strings back to the routine that decodes them. The attacker employed RC4 encryption in combination with Base64 encoding.

Figure 4 Encrypted Strings and Technique used in the App 

Using the identified encryption technique, we have decrypted all the obfuscated encrypted strings. 
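As an added illustration of this string-decryption step (this is example code, not code from the sample or from Cyble), a small Python decoder for Base64-wrapped RC4 constants; the key and the sample blobs below are constructed placeholders, since the real key is not reproduced here.

```python
import base64


def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream: KSA (key scheduling) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_string(key: bytes, blob: str) -> str:
    """Base64-decode an obfuscated constant, then RC4-decrypt it."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


def encrypt_string(key: bytes, text: str) -> str:
    """Inverse of decrypt_string; used here only to build constructed samples."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def decrypt_all(key: bytes, blobs) -> list:
    """Bulk-decrypt every constant pulled from the decompiled class."""
    return [decrypt_string(key, b) for b in blobs]


# Constructed stand-ins for the app's obfuscated constants (placeholder key,
# plaintexts chosen from strings discussed in this analysis).
SAMPLE_KEY = b"placeholder-key"
SAMPLE_BLOBS = [encrypt_string(SAMPLE_KEY, s)
                for s in ("com.twitter.android", "/v1/api/knock/")]

if __name__ == "__main__":
    for blob, plain in zip(SAMPLE_BLOBS, decrypt_all(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob} -> {plain}")
```

Against a real sample, SAMPLE_KEY is replaced by the key recovered from the decryption routine and SAMPLE_BLOBS by the constants extracted from the decompiled class.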

In general, attackers abusing the Accessibility service use overlay attacks to collect information. This information ranges from credit card details and financial transactions to account credentials entered into fake versions of popular sites like Netflix, Twitter, etc.

This behavior was observed in the MyAccessibility class, which loads the overlay HTML page from the assets folder. The HTML page is selected by the MD5 hash of the target app’s package name.

Figure 5 Overlay HTML pages with MD5 Hash values 

Figure 6 depicts the code defined under onAccessibilityEvent() that loads the HTML overlay page whose name is the MD5 hash of the target package name.

Figure 6 Code that loads the Overlay HTML pages with references to MD5 Hash Package value 

Some of the target apps identified from the package-name hashes in the application’s assets folder are:

Fake Social Networking Accounts

Package                                 Hash Value                        Description
com.twitter.android                     0b2fce7a16bf2b728d6ffa28c8d60efb  Twitter app
com.viber.voip                          7ce04c763914e01b61700c480fb34db2  Viber app
com.netflix.mediaclient                 1416f938ee57ce661c832da32616b710  Netflix app
com.imo.android.imoim                   57345fd3e6be85d2a1381336ce895dea  imo video calls and chat
com.snapchat.android                    a63b0f8076346d26cbdc1b971a1da2a7  Snapchat app
com.skype.raider                        b1f7bbf91b565db9420d418963bac8aa  Skype app
play.google.com                         b5a5c5cb02ca09c784c5d88160e2ec24  Google Play

Fake Bank Login

Package                                 Hash Value                        Description
pl.bzwbk.bzwbk24                        50880dff23ad00092d76765322e72df8  Santander mobile
pl.aliorbank.aib                        8506306b79e84894458869d8846052aa  Alior Mobile
com.finanteq.finance.bgz                a307cb31fbcbf314b81c4109bb897fd3  BNP Paribas GOMobile
NA                                      bd4beae438b45268ae64852d5dc4c0bd  T-Mobile Usługi Bankowe (app or package no longer available)
wit.android.bcpBankingApp.millenniumPL  bd72c14440292350c9231a4bfb5266df  Bank Millennium
pl.ppuc.envelo                          c282270ec3e1b7614e686d4df833c9dd  Envelo Mobile app
pl.bps.bankowoscmobilna                 d514cc1c1df888035d0c7fd6a4fe77b0  BPS Mobilnie
softax.pekao.powerpay                   fa26b212d22d637c030a270eeba0f202  PeoPay
com.konylabs.cbplpat                    1af080090b83bcceb053701669731479  Citi handlowy (Poland Citibank mobile app)
pl.ing.mojeing                          9c8dbfa34ef070628f0d21ca70374926  ING Bank Mobile app
com.ziraat.ziraatmobil                  9cd9fe269eb8dbb1f91f2b12458394c0  Ziraat Mobile app
com.getingroup.mobilebanking            9e0f3585d729d39148c39f92099b49a5  Getin Mobile app
eu.newfrontier.iBanking.mobile.RZBAL    69e41499b10d1938267531e745b73090  RAIFFEISEN Bank International
pl.pkobp.iko                            397aeab5db5b8d9d45214f256f7e4184  PKO Bank Polski
pl.mbank                                474a19bea46cc8243274ed348a3738f0  mBank PL
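An added example, not part of the original analysis, of how an analyst can map MD5-named overlay assets back to package names: hash a candidate list of packages and compare the digests against the asset file names. The candidate list and the asset listing below are constructed; digests that stay unresolved correspond to cases like the T-Mobile entry above, where no package could be identified.

```python
import hashlib


def md5_hex(s: str) -> str:
    """Hex MD5 digest of a package name, as used for the overlay file names."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def asset_digest(file_name: str) -> str:
    """Strip any extension (e.g. '.html') and normalise case."""
    return file_name.lower().split(".")[0]


def resolve_overlay_targets(asset_names, candidate_packages):
    """Return (resolved, unresolved).

    resolved   : dict mapping asset digest -> matching package name
    unresolved : set of digests that no candidate package explains
    """
    lookup = {md5_hex(pkg): pkg for pkg in candidate_packages}
    resolved, unresolved = {}, set()
    for name in asset_names:
        digest = asset_digest(name)
        if digest in lookup:
            resolved[digest] = lookup[digest]
        else:
            unresolved.add(digest)
    return resolved, unresolved


# Constructed candidate list (in practice: a curated list of banking and
# social apps) and a constructed assets listing with one unexplained digest.
CANDIDATES = ["com.twitter.android", "com.netflix.mediaclient",
              "pl.mbank", "com.example.not.targeted"]
CONSTRUCTED_ASSETS = [md5_hex("com.twitter.android") + ".html",
                      md5_hex("pl.mbank") + ".html",
                      "0" * 32 + ".html"]

if __name__ == "__main__":
    found, unknown = resolve_overlay_targets(CONSTRUCTED_ASSETS, CANDIDATES)
    for digest, pkg in sorted(found.items()):
        print(f"{digest}  {pkg}")
    for digest in sorted(unknown):
        print(f"{digest}  <no candidate matched>")
```

Pointing the script at the real assets folder and a larger package list reproduces the table above and flags any hashes still needing manual identification.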

Figure 7 illustrates the code that creates an overlay over other apps by abusing the WindowManager API and the SYSTEM_ALERT_WINDOW permission, defined in “pfuzva.qnrdkp.fwnppu.OverlayService”.

The overlay HTML pages from the assets folder are selected by matching the package-name hashes identified above. The corresponding pages are loaded based on the commands received from the attacker.

Figure 7 Overlay Service and loads the HTML pages from respective folders 

In the application’s assets folder, there is an iapk folder, as shown in Figure 5. It contains four hashed package names that are loaded only when the attacker issues an inject command via the C2 server. The actions the application can perform without user intervention are:

  • Taking complete control of the infected device and restricting users from modifying the application settings 
  • Enabling the required permissions and services  
  • Hiding the security alerts from the OS platform 
  • Altering the required settings from the backend by identifying the device manufacturer 
  • Downloading and installing apps from Google Play Store or 3rd party sources based on the attacker’s commands. 

Figure 8 shows the code that sends the collected information (such as bank details or social network account details) to the attacker’s C2 server. 

Figure 8 Collected information from phishing pages 

The collected information from Figure 8 is sent to the attacker’s C2 server as shown below. 

Figure 9 Identified C2 server that sends the collected information 

The application also reads all incoming notifications and sends this information to the attacker’s C2 server as shown in Figure 8.  

The attacker splits the incoming notifications into 2 objects:

  • Sending all the incoming notifications
  • Splitting SMSs into separate objects that are later sent to the same C2 server.

Figure 10 Reads all the incoming notifications and splits text messages in a separate object

Identified C2 server: 

qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokb[Redacted]qd[.]onion.ws 

Conclusion

As per our observations, TAs are employing increasingly innovative malware tactics to avoid detection. Online banking is becoming more complex every day, as TAs amplify the risks involved by using advanced methods.

MasterFred makes use of the SYSTEM_ALERT_WINDOW permission, which is a potential risk in an Android environment. Only apps authorized by Google’s partners are allowed to utilize this permission on the Google Play Store.

The malware was not identified in the Google Play Store, implying that it is distributed via other vectors. The malware must therefore be installed through Android’s sideloading function.

As a result, users must exercise cyber-hygiene across all their devices and online banking apps. 

Recommendations 

We have listed some essential cybersecurity best practices that create the first line of defense against attackers:

  • Download and install software only from official app portals such as Google Play Store. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions on any devices. 
  • If you find any suspicious applications on the device, uninstall or delete them immediately.
  • Keep your anti-virus software updated to detect and remove malicious software.  
  • Use the shared IoCs to monitor and block the malware infection. 

MITRE ATT&CK® Techniques 

Tactic                Technique ID  Technique Name
Defense Evasion       T1406         Obfuscated Files or Information
Discovery             T1421         System Network Connections Discovery
Discovery/Collection  T1430         Location Tracking
Discovery             T1426         System Information Discovery
Collection            T1507         Network Information Discovery
Command and Control   T1571         Non-Standard Port
Command and Control   T1090         Proxy
Impact                T1472         Generate Fraudulent Advertising Revenue

Indicators of Compromise (IoCs)

Indicator                                                                                                                                               Indicator Type  Description
ce0f20f0c1283fd0e29a5b6a4bd2a44c6a1968b0e7553386bf1e7c88ffce5427                                                                                        SHA256          Hash of the Analysed APK Sample
7660c207aff4f7855a5f9667d7dbc05d9bc9c57107712337e139e188cecfebb1                                                                                        SHA256          Hash of the Similar APK Sample
1284d9e44fa5ac5b645c26c5e941cc392d77ab24ebfa91948688ce769ff71667                                                                                        SHA256          Hash of the Similar APK Sample
hxxps://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd[.]onion.ws/v1/api/knock/qviqer/c1178a                                                  URL             TOR Onion URL
hxxps://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd[.]onion.ws/v1/api/knock/qviqer/c1178a083c3740d488c393f7d47db29f/mlab.sert.fr/Samsung%20Galaxy%20Nexus/android/i686/en/ab?name=Mlab  URL  TOR Onion URL
