In July, Cyble Research Lab reported on Aberebot, a new Android banking malware offered for sale on the dark web. The malware's creators have since announced a new version with improved functionality; the announcement on a dark web forum is shown in the figure below.
Aberebot is an Android banking Trojan that steals sensitive information, including financial and personal details, through phishing web pages. The new variant also uses the Telegram Bot API to communicate with its operator(s). To keep the malware file small, the operator/threat actor (TA) hosts the phishing pages in a GitHub repository.
Recently, Cyble Research Lab spotted a version of Aberebot spreading through a website purporting to be from Croatia, as shown in Figure 2. Our team collected the sample from the website and performed an in-depth analysis. Based on that analysis, this sample is an advanced version of the one we discovered in July, and we refer to it as Aberebot v2.0.
APK URL: hxxps://itts[.]hr/FinaCertifikat/Fina.apk
Aberebot v2.0 includes new targets as well as additional malicious functionality. In addition to the functions found in the previous version, the malware can:
- Steal messages from a popular chat app and the Gmail app.
- Perform URL injection to steal cookies.
- Inject values into fields of financial applications.
- Collect a list of files on the victim's device.
- Collect clipboard contents.
- Disable security features such as Google Play Protect.
The malicious APK was still present on the website during our investigation. The file details of the sample APK are given in the figure below.
APK File Info
The file information of the sample APK:
- App Name: FinaCert
- Package Name: com.example.autoclicker
- SHA256 Hash: ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3
The malware author has declared 18 different permissions, out of which 11 are dangerous. The abused permissions are given below.
Permission comparison table: Aberebot v1.0 permissions vs. Aberebot v2.0 permissions (the rows of this table were not recoverable in this copy of the page).
Once the user grants these permissions, Aberebot v2.0 can perform malicious activities such as:
- Steal personal information such as contacts and SMS messages.
- Monitor user activity on the device.
- Track the user via the device location.
- Collect user files stored on the device.
- Steal notifications from applications such as Gmail.
- Run constantly in the background.
Like v1.0, Aberebot v2.0 abuses the Accessibility Service to monitor user activity and the applications running on the device.
The malware author has also declared the QUERY_ALL_PACKAGES permission, which was introduced in Android 11. Its presence shows that Aberebot v2.0 is built to support newer versions of Android.
From the APK's manifest, we also identified four entry-point classes:
- com.example.bot.MainActivity: the launcher activity, executed first; it displays the application's start page.
- com.example.bot.SmsReceiver: the SMS receiver, executed whenever the device receives a new SMS.
- com.example.bot.BootReceiver: the boot receiver, executed on every device boot.
- com.example.bot.NListener: the notification listener service, invoked whenever the infected device receives a notification.
These class names match those found in Aberebot v1.0, which suggests that this version is a continuation of v1.0. From these entry points the malware launches its various malicious behaviours.
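To make the manifest findings above reproducible, here is an added triage script (it is not from the report or from Cyble) that parses a decoded AndroidManifest.xml and flags the dangerous permissions, the QUERY_ALL_PACKAGES declaration, and the SMS-receiver, boot-receiver, notification-listener and accessibility-service entry points. It assumes the manifest has already been decoded to plain XML (for example with apktool), since ElementTree cannot read the binary AXML inside an APK. The embedded manifest is constructed for the example: the package name and the four entry-point classes are taken from the report, while the permission list and the accessibility service class name `com.example.bot.AccService` are assumptions.

```python
"""Triage a decoded AndroidManifest.xml for the permissions and entry points the
report describes. Added example; assumes the manifest was decoded to plain XML
(e.g. with apktool), because ElementTree cannot read the binary AXML in an APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """ElementTree key for an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Runtime ("dangerous") permissions that banking trojans abuse.
DANGEROUS = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "CALL_PHONE")}

# System bindings a service must declare (android:permission) to receive them.
BIND_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (overlays, keylogging, self-granted permissions)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener (reads chat/Gmail notifications)",
}
# Broadcast actions that mark the SMS and boot receivers.
ACTION_FLAGS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS receiver (OTP interception)",
    "android.intent.action.BOOT_COMPLETED": "boot receiver (persistence)",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the dangerous permissions requested and a list of
    findings for components matching the behaviours described in the report."""
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"), "dangerous": [], "findings": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(a("name"))
        if name in DANGEROUS:
            report["dangerous"].append(name)
        elif name == "android.permission.QUERY_ALL_PACKAGES":
            # Only meaningful on Android 11+, so its presence shows the build targets newer devices.
            report["findings"].append("QUERY_ALL_PACKAGES: can enumerate every installed app on Android 11+")
    app = root.find("application")
    for comp in ([] if app is None else app):
        cname, bind = comp.get(a("name")), comp.get(a("permission"))
        if bind in BIND_FLAGS:
            report["findings"].append("%s: %s" % (cname, BIND_FLAGS[bind]))
        for action in comp.iter("action"):
            if action.get(a("name")) in ACTION_FLAGS:
                report["findings"].append("%s: %s" % (cname, ACTION_FLAGS[action.get(a("name"))]))
    report["dangerous"].sort()
    return report


# Constructed manifest: package name and the four entry-point classes come from the
# report; the permission list and the AccService class name are assumptions.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.autoclicker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="FinaCert">
    <activity android:name="com.example.bot.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <receiver android:name="com.example.bot.SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.bot.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name="com.example.bot.NListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name="com.example.bot.AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(CONSTRUCTED_MANIFEST)
    print(result["package"], "requests", len(result["dangerous"]), "dangerous permissions")
    for finding in result["findings"]:
        print(" -", finding)
```

The script reports what the manifest declares, not what the user has granted; a notification listener or accessibility service only becomes dangerous once the victim enables it in Settings, which is why the social-engineering step matters as much as the manifest.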
As mentioned in our previous blog on Aberebot, the malware can perform malicious activities such as:
- Steal credentials using HTML-based phishing pages.
- Intercept OTP messages.
- Exfiltrate contacts and SMS messages.
- Send SMS messages to a number provided by the TA.
- Collect the list of applications installed on the device.
- Hide the app's icon from the device home screen.
The code (common in both v1.0 and v2.0) to collect and exfiltrate contacts is shown in the below figure.
In addition to these capabilities, the malware author has added the following malicious features:
- Exfiltrate a list of the files present on the device and upload selected files to the TA's infrastructure on instruction. The code used to collect the file list and transfer files to the TA's infrastructure over FTP is given below.
- Perform keylogging using the Accessibility Service (refer to the figure below).
- Steal and upload clipboard data, as shown in the figure below.
- Collect device hardware information such as the IMEI and IP address.
- Exfiltrate GPS- and cellular-network-based location information.
- Disable or uninstall itself on instruction from the TA.
The malware also steals messages from a popular chat app and the Gmail app by abusing the Notification Listener Service; the code used to read messages through the listener is shown below.
The malware also uses phishing pages to harvest user credentials.
Like v1.0, the newer version downloads these phishing pages from a GitHub repository.
GitHub repo Link: hxxps://github[.]com/jamiesuper00/lucifer/raw/main/
During our investigation, the repository was taken down by GitHub, so we did not get more details on the phishing pages.
Aberebot downloads the phishing pages for the targeted applications based on the country in which the victim's device is located.
Aberebot constantly monitors device activity. When the user opens a banking or crypto application from the target list, the malware displays a phishing overlay on top of the legitimate app. Once the user logs in, the malware steals the cookies of the original application using the code shown below.
In Aberebot v2.0 the operator can also inject values into the input fields of banking, crypto, or social applications and perform fraudulent actions. This is done on command from the TA.
The malware author has also added an anti-sandbox check in the newer version: the malware terminates if it detects that it is running in a sandbox environment. Refer to the figure below.
The malware constantly monitors the device screen by abusing the Accessibility Service and displays overlays containing phishing pages.
Abusing Accessibility Service
Once the victim enables the Accessibility permission, Aberebot grants itself all remaining permissions without showing any prompts to the victim. It also prevents the user from opening or modifying the malicious application's settings page.
Aberebot v2.0 also performs keylogging by abusing the Accessibility Service.
In addition, the malware constantly monitors the screen in the background. When the victim launches a targeted app, the malware draws an overlay containing that app's phishing page over the legitimate application. The overlay is built with a WebView, as shown in the figure below.
When the user enters credentials, the data is uploaded to the Command & Control (C&C) server, which is a Telegram bot.
Commands & C&C server
Aberebot performs all of its activities based on commands from the TA. As in v1.0, the new version uses a Telegram bot as its C&C server; the bot URL is shown in the code below.
Telegram Bot URL: hxxps://api.telegram[.]org/bot1962569196
The commands used by the TA to perform activities are listed below.
| Command | Description |
|---|---|
| start | Initiate execution and upload hardware information |
| all | Perform all malicious activities |
| sms | Send SMS to the number provided by the TA |
| file | Exfiltrate the list of files |
| contact | Upload the contacts present on the device |
| download | Download a file from the FTP server |
| lockscreen | Lock/unlock the device screen |
| killbot | Uninstall Aberebot from the infected device |
| keylog | Upload keylogged data |
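Because the C&C channel is the public Telegram Bot API, the traffic is easy to hunt for in proxy or DNS logs even though it is TLS to a legitimate domain: an end user's browser or Telegram client never calls api.telegram.org/bot<id>/..., so any handset doing so is acting as a bot, and one polling getUpdates is pulling commands like the ones in the table above. The following is an added example (not code from the report or from the malware) that refangs the IOCs given on this page and runs them, plus a generic bot-API rule, over a constructed proxy log. The log lines are constructed; the token secret after the bot id is a placeholder, since the page shows only the numeric bot id, and the second bot id 4242424242 is invented to exercise the generic rule.

```python
"""Refang the report's defanged IOCs and hunt a proxy log for Telegram Bot API
traffic, which is how Aberebot fetches its operator's commands. Added example,
not the report's or the malware's code; the log lines are constructed and the
token secret after the bot id is a placeholder (the page shows only the id)."""
import re

DEFANGED_IOCS = {
    "hxxps://itts[.]hr/FinaCertifikat/Fina.apk": "Aberebot v2.0 dropper URL",
    "hxxps://api.telegram[.]org/bot1962569196": "Aberebot v2.0 Telegram C&C bot",
}


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [:] defanging conventions used in threat reports."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def matches_ioc(url: str, ioc_url: str) -> bool:
    """Exact match, or the IOC followed by a path/token separator (so bot1962569196
    does not also match a longer id such as bot19625691960)."""
    return url == ioc_url or url.startswith(ioc_url + "/") or url.startswith(ioc_url + ":")


# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>. Neither a
# browser nor the Telegram client calls this endpoint, so any device hitting it is
# acting as a bot; a phone polling getUpdates is pulling commands from its operator.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(?P<bot_id>\d+)(?::[\w-]+)?/(?P<method>\w+)")


def hunt(log_lines, iocs=DEFANGED_IOCS):
    """Return one finding per suspicious line: known-IOC hits first, then any other
    Telegram bot API call, reported with its bot id and API method."""
    known = {refang(k): v for k, v in iocs.items()}
    findings = []
    for line in log_lines:
        fields = line.split()            # constructed format: <timestamp> <client> <verb> <url>
        client, url = fields[1], fields[-1]
        reason = next(("known IOC: " + desc for ioc_url, desc in known.items()
                       if matches_ioc(url, ioc_url)), None)
        m = BOT_API.search(url)
        if reason is None and m:
            reason = "Telegram bot API call (bot %s, method %s)" % (m.group("bot_id"), m.group("method"))
        if reason:
            findings.append({"client": client, "url": url, "reason": reason})
    return findings


# Constructed proxy log: lines 1-3 reproduce the report's IOCs, line 4 is benign
# Telegram use, line 5 is an invented bot id that only the generic rule catches.
SAMPLE_LOG = [
    "2021-11-02T09:58:11Z 10.0.0.7 GET https://itts.hr/FinaCertifikat/Fina.apk",
    "2021-11-02T10:01:40Z 10.0.0.7 POST https://api.telegram.org/bot1962569196:PLACEHOLDER_SECRET/sendMessage",
    "2021-11-02T10:02:05Z 10.0.0.7 GET https://api.telegram.org/bot1962569196:PLACEHOLDER_SECRET/getUpdates?offset=12",
    "2021-11-02T10:03:00Z 10.0.0.9 GET https://t.me/some_channel",
    "2021-11-02T10:04:21Z 10.0.0.12 GET https://api.telegram.org/bot4242424242:PLACEHOLDER_SECRET/getUpdates",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print("%-10s %s\n           %s" % (f["client"], f["reason"], f["url"]))
```

The generic rule is the more durable one: the operator can rotate the bot token at no cost, and the announcement later on this page says the source code is for sale, so hard-coded bot ids will not survive a rebuild, whereas the api.telegram.org/bot<id> URL shape is inherent to using Telegram as C&C. Where the proxy only sees TLS SNI and not the full URL, the same rule degrades to "mobile client connecting to api.telegram.org", which still excludes ordinary Telegram chat traffic.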
Aberebot v1.0 targeted 140 applications from 18 countries. The newer version targets 230 applications from 22 countries; the target list in the code is shown in the figure below.
The targets include banking applications, crypto wallet applications, and social applications. A selection of the targeted apps is given in the tables below.
| Targeted banking app / website | Country |
|---|---|
| com.maybank2u – Maybank2u My app | Malaysia |
| com.cimbmalaysia – CIMB Clicks Malaysia | Malaysia |
| at.spardat.bcrmobile – Touch 24 Banking | Austria |
| at.spardat.netbanking – ErsteBank/Sparkasse Banking | Austria |
| bawag – BAWAG Group website | Austria |
| com.bankaustria.android.olb – Bank Austria MobileBanking app | Austria |
| easybank – Easy Bank website | Austria |
| raiffeisen – App from Raiffeisen Bank website | Austria |
| volksbank – Volks Bank website | Austria |
| anzSingaporeDigitalBanking – Australian & New Zealand Bank website | Australia |
| bankofqueenslandBOQ – Bank of Queensland website | Australia |
| bankwest – Bankwest website | Australia |
| bendigobank – Bendigo and Adelaide Bank website | Australia |
| bombank – BOM Bank website | Australia |
| citibank – Citibank Australia website | Australia |
| commbank – Commonwealth Bank website | Australia |
| cua – Great Southern Bank website | Australia |
| fusionATMLocator – ATM Locator for Fusion Bank | Australia |
| imb.banking – Mobile Banking app for IMB Bank | Australia |
| ingdirect – ING Australia website | Australia |
| mebank – MeBank website | Australia |
| nab – National Australia Bank | Australia |
| newcastlepermanent – Newcastle Permanent | Australia |
| orgBanksaBank – BankSA Mobile Banking | Australia |
| stgeorge.Bank – St.George Mobile Banking | Australia |
| SuncorpBank – Suncorp Bank website | Australia |
| WestpacBank – Westpac Bank | Australia |
| com.bmo.mobile – BMO Mobile Banking | Canada |
| com.cibc.android.mobi – CIBC Mobile Banking app | Canada |
| com.rbc.mobile.android – RBC Mobile app | Canada |
| com.scotiabank.mobile – Scotiabank Mobile Banking | Canada |
| com.td – TD Bank Canada app | Canada |
| cleverlanceCsasServis24 – Česká spořitelna | Czech Republic |
| csobSmartbanking – CSOB Smart Banking website | Czech Republic |
| cz.airbank.android – My Air App | Czech Republic |
| eu.inmite.prj.kb.mobilbank – Mobilni Bank | Czech Republic |
| sberbankcz – SberBank app | Czech Republic |
| com.db.mm.norisbank – Noris Bank App | Germany |
Crypto Wallet Apps
| Targeted crypto app / website | Description |
|---|---|
| blockchaine | Crypto trading company website |
| com.plunien.poloniex | Poloniex crypto exchange |
| com.bitfinex.bfxapp | Bitfinex crypto trading app |
| com.bitmarket.trader | BitMarket crypto trading app |
| com.coinbase.android | Coinbase crypto trading app |
| com.mycelium.wallet | Mycelium crypto wallet |
| com.unocoin.unocoinwallet | Unocoin, India's first Bitcoin & crypto exchange |
| com.oxigen.oxigenwallet | Oxygen crypto wallet in India |
| localbitcoin | LocalBitcoins.com website for trading crypto coins |
Other targeted Apps
| Targeted app | Description |
|---|---|
| com.****app | Multi-platform centralized chat app |
| com.engage | Engage app for digital field management |
| com.Plus | Plus500: CFD online trading on Forex and stocks |
| com.mail.mobile.android.mail | mail.com Mail & Cloud app |
| com.connectivityapps.hotmail | Connect for Hotmail & Outlook: Mail and Calendar app |
Latest news on Aberebot
During Cyble Research Labs' dark web research, we came across an announcement by the Aberebot creator on one of the forums. Refer to the figure below.
According to the announcement, the creator of Aberebot has stopped developing the malware because of detections and other issues, and the source code is therefore being offered for sale.
Aberebot v2.0 supports newer versions of Android and adds new techniques and behaviours. Its author has also announced that the source code is for sale and that it needs obfuscation, so we can expect later versions to arrive with more sophisticated techniques. We also observed that the new version is detected by many engines on VirusTotal, and we have not seen the samples on the Play Store. This indicates that the malware is spread through other vectors such as fake websites, smishing, email phishing, or other social engineering campaigns, and that it has to be installed through Android's sideloading feature. Android users should therefore review the apps they have sideloaded and install only from the Google Play Store. Finally, users should pay attention to the prompts and notifications that appear while using an application, as they frequently indicate something unexpected or undesirable.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store & Apple App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable device security features such as fingerprint or password for unlocking the mobile device.
- Be wary of opening any links present in SMSs or Emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated to the latest versions.
How to identify whether you are infected?
- Regularly check the mobile/Wi-Fi data usage of the applications installed on the device.
- Keep an eye on the alerts raised by your AV and by the Android OS, and act on them.
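The two settings that give Aberebot its foothold, the enabled accessibility services and the enabled notification listeners, can be read from a host over adb, which sidesteps the malware's blocking of its own settings page on the device. The following is an added example (not from the report) that parses the output of `settings get secure` for those two keys and lists every service whose package is not on an allow-list; the adb call is real, but the parsing is exercised on constructed output in which the package name is the one reported for the sample and the service class `com.example.bot.AccService` is an assumption.

```python
"""Check an attached Android device for the two footholds Aberebot depends on:
enabled accessibility services and notification listeners owned by untrusted
packages. Added example, not from the report; parsing is exercised on constructed
'settings get secure' output, and adb is only invoked when run as a script."""
import subprocess

# Packages that legitimately hold these bindings on a typical device; extend per fleet.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
    "com.android.systemui",
    "com.google.android.apps.wellbeing",
}

SETTINGS_KEYS = ("enabled_accessibility_services", "enabled_notification_listeners")


def parse_components(settings_value: str):
    """'settings get secure <key>' prints 'pkg/cls:pkg/cls', or 'null' when nothing is enabled."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    components = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):         # Android shorthand for a class inside the package
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def untrusted_components(settings_value: str, trusted=TRUSTED_PACKAGES):
    """Components whose owning package is not on the allow-list."""
    return [(pkg, cls) for pkg, cls in parse_components(settings_value) if pkg not in trusted]


def adb_setting(key: str) -> str:
    """Read one secure setting over adb (needs USB debugging and an authorized host)."""
    proc = subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed output: the package name is the one reported for the sample; the
# accessibility service class name is an assumption, NListener is from the report.
CONSTRUCTED_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                             "com.example.autoclicker/com.example.bot.AccService")
CONSTRUCTED_LISTENERS = "com.example.autoclicker/com.example.bot.NListener"

if __name__ == "__main__":
    for key in SETTINGS_KEYS:
        for pkg, cls in untrusted_components(adb_setting(key)):
            print("%s: untrusted package %s (%s)" % (key, pkg, cls))
```

A hit from an app installed outside the Play Store, especially one whose package name (here com.example.autoclicker) has nothing to do with its displayed label (FinaCert), is a strong signal; the same adb session can then collect the APK with `adb shell pm path <package>` and `adb pull` for hashing against the IOCs listed at the end of this page.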
What to do when you are infected?
- Disable Wi-Fi and mobile data and remove the SIM card, since in some cases the malware can re-enable mobile data.
- Perform a factory reset.
- Remove the application if a factory reset is not possible.
- Back up personal media files (not the installed apps) before performing the reset.
What to do in case of a fraudulent transaction?
- Report the transaction to your bank immediately.
- Then follow the steps under "What to do when you are infected?" above.
What banks should do to protect customers?
- Banks should educate their customers on protecting themselves from such malware attacks through channels such as telephone, SMS, or email.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Credential Access | T1412 | Capture SMS Messages |
| Credential Access | T1414 | Capture Clipboard Data |
| Credential Access | T1409 | Access Stored Application Data |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1507 | Network Information Discovery |
| Collection | T1432 | Access Contact List |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3 | SHA256 | Hash of the APK sample |
| hxxps://itts[.]hr/FinaCertifikat/Fina.apk | URL | URL used to spread the malware |
| hxxps://api.telegram[.]org/bot1962569196 | URL | C&C Telegram bot URL |