During our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post by a malware researcher regarding a new variant of Android Banking Trojan. This newly identified banking trojan has been named “MasterFred” by malware researchers.
Our investigation revealed that MasterFred shares traits with malware families such as Aberebot and Cerberus. It ships fake Twitter and Netflix login overlays as well as overlays for Polish and Turkish banks, which indicates that MasterFred is targeting users in Poland and Turkey.
MasterFred abuses the Android Accessibility service to collect sensitive information, such as credit card details, through more than 10 fake bank pages, and to harvest credentials for more than 8 social networking and streaming accounts (Netflix, Twitter, etc.) through fake login pages. The HTML overlays for these common apps and the fake bank login overlays, in multiple languages, are stored in the assets folder of the application.
The data captured by the overlays is sent back to the malware operator through an Onion[.]ws (Tor2Web) URL. Tor2Web gateways expose a Tor hidden service through a public web domain, so the real location of the Command and Control (C2) server stays hidden and the traffic blends in with ordinary HTTPS.
Our analysis confirms that the sample is a variant of an Android banking trojan. The malicious app keeps its strings, including those used to build the requests to the Onion[.]ws (Tor2Web) URL, in encrypted form and decrypts them at runtime.
APK Metadata Information:
- App Name: Mlab
- Package Name: mlab.sert.fr
- SHA256 Hash: ce0f20f0c1283fd0e29a5b6a4bd2a44c6a1968b0e7553386bf1e7c88ffce5427
The malicious app requests a relatively limited set of permissions. Table 1 shows the list of permissions requested by the app.
|Permission||Description|
|INTERNET||Allows applications to open network sockets|
|READ_PHONE_STATE||Read-only access to phone state|
|SYSTEM_ALERT_WINDOW||Allows an application to draw windows on top of other apps (used for the overlays)|
|ACCESS_WIFI_STATE||Allows an application to view information about the status of Wi-Fi|
|ACCESS_NETWORK_STATE||Allows an application to view the status of all networks|
Table 1 Permissions used by the Malicious App
On analyzing the app’s manifest file, data such as the app’s entry point, along with receivers and services were identified. Refer to Figure 2.
“com.lovelydast.dating.MainActivity” is the main entry point of the app and the first component loaded when it starts. Typically, after installation, the application prompts the user to grant the Accessibility permission on the infected device. In this case, however, the prompt is shown only if the application determines that the user is in Poland or Turkey.
The application also declares a service protected by BIND_ACCESSIBILITY_SERVICE, alongside other services. Accessibility services exist to assist Android users with disabilities.
Such a service runs in the background and receives the AccessibilityEvents dispatched by the system; actions such as a change of focus or a button click signal a change in the user interface’s state.
A legitimate accessibility service typically requests the ability to query the content of the active window. The malicious app abuses this same capability to monitor and retrieve data from the infected device. Figure 2 shows the Accessibility Service used by the app.
By analyzing the launcher activity of the application that opens when clicking the app icon, we were able to identify that the application loads a URL through WebView, as shown in Figure 3.
The app’s icon looks like the Google logo, as illustrated in Figure 1. However, upon launching it, the URL loaded in the WebView is a dating website, “Mingle2 Online Dating”. Users are asked to fill in a sign-up form or are redirected to a sign-in page.
The user details required to be filled in upon navigating to the sign-up page are gender, birthday, country, and email. The next page requests additional details such as city, display name, and password to create an account on the dating site.
The application uses the class “pfuzva.qnrdkp.fwnppu.MyAccessability” to monitor the device’s screen actions once the user enables the accessibility service (BIND_ACCESSIBILITY_SERVICE). The class defines a large number of encrypted strings across all of its functions.
We determined the Threat Actor’s (TA) encryption scheme by tracing where the encrypted strings are consumed: each string is RC4 ciphertext encoded with base64, so decryption is base64-decode followed by RC4 with the key recovered from the code.
Using the identified scheme, we decrypted all of the obfuscated strings.
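The decryption routine described above, as an added example and not code from the sample or from Cyble: a plain RC4 implementation wrapped with base64 so that a list of string constants pulled out of the decompiled class can be decrypted in bulk. The key `b"Key"` and the sample plaintexts are constructed for illustration; the real key has to be recovered from the APK by tracing the decrypt routine. A wrong key normally yields bytes that are not valid UTF-8, which the helper reports as `None` instead of raising.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(encoded: str, key: bytes):
    """base64 -> RC4 -> UTF-8 text.

    Returns None when the input is not base64 or the result is not valid
    UTF-8 (the usual sign of a wrong key)."""
    try:
        raw = base64.b64decode(encoded, validate=True)
        return rc4(key, raw).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def encrypt_string(plain: str, key: bytes) -> str:
    """Inverse direction; used here only to build the constructed samples."""
    return base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")


def decrypt_all(encoded_strings, key: bytes):
    """Bulk-decrypt extracted constants, keeping order so results map back to the code."""
    return [decrypt_string(e, key) for e in encoded_strings]


# Hypothetical key and constructed plaintexts (not values from the sample).
SAMPLE_KEY = b"Key"
SAMPLE_PLAINTEXTS = [
    "pl.ing.mojeing",
    "/v1/api/knock",
    "android.intent.action.BOOT_COMPLETED",
]
SAMPLE_ENCRYPTED = [encrypt_string(p, SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for enc, dec in zip(SAMPLE_ENCRYPTED, decrypt_all(SAMPLE_ENCRYPTED, SAMPLE_KEY)):
        print(f"{enc} -> {dec}")
    # With the wrong key the output is garbage and usually not decodable.
    print(decrypt_all(SAMPLE_ENCRYPTED, b"wrong-key"))
```

Feed `decrypt_all` the base64 literals extracted from the decompiled class (for example with a regex over the smali or Java source) and try candidate keys until the output becomes readable package names, URLs and intent actions; the `rc4` function is checked against the published "Key"/"Plaintext" test vector so a wrong result points at the key, not the cipher.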
In general, attackers abusing the Accessibility service use overlay attacks to collect information, ranging from credit card details and financial transaction data to account credentials entered into fake versions of popular sites such as Netflix and Twitter.
This behaviour is implemented in the MyAccessibility class, which loads the overlay HTML page from the assets folder. Each overlay file is named after the MD5 hash of the target app’s package name, so the package name of the app that comes to the foreground is hashed and the matching asset is looked up.
Figure 6 depicts the code under onAccessibilityEvent() that loads the HTML overlay page corresponding to the hashed package name.
Some of the target apps’ package names identified from the hash-named files in the application’s assets folder are:
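The hash lookup described above, as an added example and not code from the sample or from Cyble. Hash-named assets hide which apps are targeted, but the hash is unsalted MD5 of the package name, so an analyst can recover the targets by hashing a candidate list of banking and social-media package names and matching against the asset file names. The asset hashes below are the ones listed in this report; the candidate list, the `assets/<md5>.html` file layout and the function names are assumptions for illustration.

```python
import hashlib

# Asset file names from the report: each is the MD5 of a targeted package name.
ASSET_HASHES = {
    "57345fd3e6be85d2a1381336ce895dea",  # listed as com.imo.android.imoim
    "a307cb31fbcbf314b81c4109bb897fd3",  # listed as com.finanteq.finance.bgz
    "bd4beae438b45268ae64852d5dc4c0bd",  # package not identified in the report
    "c282270ec3e1b7614e686d4df833c9dd",  # listed as pl.ppuc.envelo
    "1af080090b83bcceb053701669731479",  # listed as com.konylabs.cbplpat
    "9c8dbfa34ef070628f0d21ca70374926",  # listed as pl.ing.mojeing
    "9cd9fe269eb8dbb1f91f2b12458394c0",  # listed as com.ziraat.ziraatmobil
    "9e0f3585d729d39148c39f92099b49a5",  # listed as com.getingroup.mobilebanking
    "69e41499b10d1938267531e745b73090",  # listed as eu.newfrontier.iBanking.mobile.RZBAL
    "397aeab5db5b8d9d45214f256f7e4184",  # listed as pl.pkobp.iko
}

# Constructed candidate list: the packages named in the report plus a few
# that are not targeted, to show the negative case.
CANDIDATE_PACKAGES = [
    "com.imo.android.imoim", "com.finanteq.finance.bgz", "pl.ppuc.envelo",
    "com.konylabs.cbplpat", "pl.ing.mojeing", "com.ziraat.ziraatmobil",
    "com.getingroup.mobilebanking", "eu.newfrontier.iBanking.mobile.RZBAL",
    "pl.pkobp.iko", "com.android.chrome", "com.google.android.gm",
]


def asset_name_for(package: str) -> str:
    """Unsalted MD5 of the package name, as used for the overlay file names."""
    return hashlib.md5(package.encode("utf-8")).hexdigest()


def find_targets(candidates, asset_hashes):
    """Map every candidate package whose MD5 appears among the asset names to that hash."""
    hits = {}
    for pkg in candidates:
        digest = asset_name_for(pkg)
        if digest in asset_hashes:
            hits[pkg] = digest
    return hits


def overlay_for(foreground_package: str, asset_hashes):
    """Mirror of the onAccessibilityEvent check: hash the package that just
    gained focus and return the overlay asset path (assumed layout
    assets/<md5>.html) if one exists, otherwise None."""
    digest = asset_name_for(foreground_package)
    return f"assets/{digest}.html" if digest in asset_hashes else None


if __name__ == "__main__":
    for pkg, digest in find_targets(CANDIDATE_PACKAGES, ASSET_HASHES).items():
        print(f"{digest}  {pkg}")
    print(overlay_for("com.android.chrome", ASSET_HASHES))  # not targeted -> None
```

Hashes in the asset folder that no candidate matches (like the T-Mobile entry above) are the ones worth a broader wordlist, for example every package name scraped from a list of bank apps for the targeted countries.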
Fake Social Networking Accounts
|Package Name||MD5 Hash (asset file name)||Application|
|com.imo.android.imoim||57345fd3e6be85d2a1381336ce895dea||imo video calls and chat|
Fake Bank Login
|Package Name||MD5 Hash (asset file name)||Application|
|com.finanteq.finance.bgz||a307cb31fbcbf314b81c4109bb897fd3||BNP Paribas GOMobile|
|NA||bd4beae438b45268ae64852d5dc4c0bd||T-Mobile Usługi Bankowe (app or package no longer available)|
|pl.ppuc.envelo||c282270ec3e1b7614e686d4df833c9dd||Envelo Mobile app|
|com.konylabs.cbplpat||1af080090b83bcceb053701669731479||Citi Handlowy (Poland Citibank mobile app)|
|pl.ing.mojeing||9c8dbfa34ef070628f0d21ca70374926||ING Bank Mobile app|
|com.ziraat.ziraatmobil||9cd9fe269eb8dbb1f91f2b12458394c0||Ziraat Mobile app|
|com.getingroup.mobilebanking||9e0f3585d729d39148c39f92099b49a5||Getin Mobile app|
|eu.newfrontier.iBanking.mobile.RZBAL||69e41499b10d1938267531e745b73090||RAIFFEISEN Bank International|
|pl.pkobp.iko||397aeab5db5b8d9d45214f256f7e4184||PKO Bank Polski|
Figure 7 illustrates the code in “pfuzva.qnrdkp.fwnppu.OverlayService” that draws an overlay on top of other apps by abusing the WindowManager API together with the SYSTEM_ALERT_WINDOW permission.
The overlay HTML pages are selected from the assets folder by matching the hashed package names identified above, and the corresponding page is loaded on command from the attacker.
The application’s assets folder also contains an iapk folder, as shown in Figure 5, with 4 additional hash-named package entries that are loaded only when the attacker sends an inject command via the C2 server. Without user intervention, the application can perform the following actions:
- Taking complete control of the infected device and restricting users from modifying the application settings
- Enabling the required permissions and services
- Hiding the security alerts from the OS platform
- Altering the required settings from the backend by identifying the device manufacturer
- Downloading and installing apps from the Google Play Store or third-party sources on the attacker’s command.
Figure 8 shows the code that sends the collected information (such as bank details or social network account details) to the attacker’s C2 server.
The application also reads all incoming notifications and sends them to the same C2 server, as shown in Figure 8.
Incoming notifications are split into 2 objects before being sent:
- all incoming notifications, sent as one object
- SMS messages, separated out into their own object and sent to the same C2 server.
Identified C2 server: the Tor2Web (onion.ws) URLs listed in the IoC table below.
As per our observations, TAs are employing increasingly inventive malware tactics to avoid detection. Online banking fraud is growing more sophisticated every day as TAs amplify the risk with advanced techniques.
MasterFred makes use of the SYSTEM_ALERT_WINDOW permission, which is a known risk on Android because it lets an app draw on top of other apps. On current Android versions it is a special permission that the user must grant explicitly in Settings, and Google Play policy restricts its use.
The malware was not found on the Google Play Store, implying that it is distributed via other vectors and installed through Android’s sideloading function.
As a result, users must practise cyber hygiene across all their devices and online banking apps.
We have listed some essential cybersecurity best practices that create the first line of defense against attackers. Here are the recommended best practices:
- Download and install software only from official app portals such as Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions on any devices.
- If you find any suspicious applications on the device, uninstall, or delete them immediately.
- Keep your anti-virus software updated to detect and remove malicious software.
- Use the shared IoCs to monitor and block the malware infection.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Defense Evasion||T1406||Obfuscated Files or Information|
|Discovery||T1421||System Network Connections Discovery|
|Discovery||T1426||System Information Discovery|
|Collection||T1507||Network Information Discovery|
|Command and Control||T1571||Non-Standard Port|
|Command and Control||T1090||Proxy|
|Impact||T1472||Generate Fraudulent Advertising Revenue|
Indicators of Compromise (IoCs)
|Indicator||Indicator Type||Description|
|ce0f20f0c1283fd0e29a5b6a4bd2a44c6a1968b0e7553386bf1e7c88ffce5427||SHA256||Hash of the analysed APK sample|
|7660c207aff4f7855a5f9667d7dbc05d9bc9c57107712337e139e188cecfebb1||SHA256||Hash of a similar APK sample|
|1284d9e44fa5ac5b645c26c5e941cc392d77ab24ebfa91948688ce769ff71667||SHA256||Hash of a similar APK sample|
|hxxps://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd[.]onion.ws/v1/api/knock/qviqer/c1178a||URL||Tor2Web (onion.ws) C2 URL|
|hxxps://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd[.]onion.ws/v1/api/knock/qviqer/c1178a083c3740d488c393f7d47db29f/mlab.sert.fr/Samsung%20Galaxy%20Nexus/android/i686/en/ab?name=Mlab||URL||Tor2Web (onion.ws) C2 URL|
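Two detection-side helpers for the Tor2Web C2 channel described earlier and the knock URL listed above, added here as an example and not code from Cyble or from the sample. The first parses the defanged IoC URL, confirms the host is a v3 onion address behind a Tor2Web gateway, and splits the path into fields; the field labels (`tag`, `bot_id`, `package`, `model`, `platform`, `arch`, `locale`) are this example's reading of the URL, not names from the malware. The second scans constructed proxy/DNS log lines for any Tor2Web-wrapped onion host, which is a useful generic signal because legitimate mobile apps have no reason to talk to `*.onion.ws`. Only `onion.ws` comes from the report; the other gateway suffixes are an assumption.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# onion.ws is the gateway in the report; the others are other public Tor2Web
# gateways, included as an assumption.
TOR2WEB_SUFFIXES = ("onion.ws", "onion.to", "onion.pet", "onion.ly", "onion.link")
# v3 onion addresses are 56 base32 characters.
ONION_V3 = re.compile(r"^(?P<onion>[a-z2-7]{56})\.(?P<gateway>onion\.[a-z]{2,5})$")
# Assumed meaning of the path segments after /v1/api/knock/.
KNOCK_FIELDS = ("tag", "bot_id", "package", "model", "platform", "arch", "locale")

# IoC from the report (defanged as published).
IOC_URL = ("hxxps://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd[.]onion.ws"
           "/v1/api/knock/qviqer/c1178a083c3740d488c393f7d47db29f/mlab.sert.fr"
           "/Samsung%20Galaxy%20Nexus/android/i686/en/ab?name=Mlab")


def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[.", ".")


def parse_knock(url: str):
    """Return a dict describing a Tor2Web knock URL, or None if the host is
    not an onion address behind a Tor2Web gateway."""
    u = urlsplit(refang(url))
    m = ONION_V3.match(u.hostname or "")
    if not m:
        return None
    info = {
        "onion": m["onion"],
        "gateway": m["gateway"],
        "known_gateway": m["gateway"] in TOR2WEB_SUFFIXES,
        "path": u.path,
    }
    parts = [unquote(p) for p in u.path.strip("/").split("/")]
    if len(parts) >= 10 and parts[:3] == ["v1", "api", "knock"]:
        info.update(zip(KNOCK_FIELDS, parts[3:10]))
        info["app_name"] = parse_qs(u.query).get("name", [None])[0]
    return info


def tor2web_hosts(log_lines):
    """Collect every Tor2Web-wrapped onion host seen in proxy or DNS log lines."""
    flagged = []
    for line in log_lines:
        for host in re.findall(r"[a-z2-7]{56}\.onion\.[a-z]{2,5}", line):
            if host not in flagged:
                flagged.append(host)
    return flagged


# Constructed log lines, not real traffic; the onion host is the one from the IoC table.
LOG_LINES = [
    "2021-11-01T10:00:01Z dns query client=10.0.0.5 name=qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd.onion.ws",
    "2021-11-01T10:00:02Z proxy client=10.0.0.5 GET https://www.google.com/ 200",
    "2021-11-01T10:00:03Z proxy client=10.0.0.5 POST https://qjvpp2shgqyhcfdvtcpe3w4c4ngigwbcufdtmqokbbs23wymgervjtqd.onion.ws/v1/api/knock/ 200",
]

if __name__ == "__main__":
    for k, v in parse_knock(IOC_URL).items():
        print(f"{k:14} {v}")
    print(tor2web_hosts(LOG_LINES))
```

The beacon leaks the device model, CPU architecture and locale in the path, which matches the report's observation that the malware behaves differently for Polish and Turkish users; the same fields make a convenient pivot when hunting for sibling samples that knock to the same tag.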