TRENDING

TARGETED INDUSTRIES -> IT & ITES | Government & LEA | Technology | Healthcare | EducationTARGETED COUNTRIES -> United States | Russian Federation | China | United Kingdom | UkraineTARGETED REGIONS -> North America (NA) | Europe & UK | Asia & Pacific (APAC) | Middle East & Africa (MEA) | Australia and New Zealand (ANZ)IOCs -> a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 | 7bdbd180c081fa63ca94f9c22c457376 | 10.0.0.0 | 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 | 2915b3f8b703eb744fc54c81f4a9c67fCVEs -> CVE-2024-21887 | CVE-2023-46805 | CVE-2024-21893 | CVE-2017-11882 | CVE-2021-44228TECHNIQUES -> T1082 | T1083 | T1140 | T1486 | T1105TACTICS -> TA505 | TA0011 | TA0007 | TA577 | TA0005TAGS -> security | the-cyber-express | firewall-daily | the-cyber-express-news | malwareTHREAT ACTORS -> Lockbit | Blackcat | Lazarus | VoltTyphoon | KimsukyMALWARE -> CobaltStrike | Qakbot | Lockbit | Xmrig | MiraiSOURCES -> Darkreading | Bleepingcomputer | The Hacker News | The Cyber Express | Infosecurity Magazine
Cyble-Android-Malware-Targets-Spanish-BBVA-Customers

Android Malware Distributed Via Smishing

Cyble analyzes a variant of Android malware targeting Spanish BBVA customers through a banking Trojan delivered via Smishing.
Odin ad

Banking Trojan Targets Spanish BBVA Bank Customers

In May 2020, the BBVA bank issued a warning about an Android malware campaign where a malicious app was distributed through smishing.

Recently, Cyble Research Labs came across a Twitter Post where a researcher mentioned that this Android malware was spreading through smishing campaigns where it was disguised as official messages from the BBVA bank.

This indicates that the campaign is still live and actively targeting BBVA bank customers.  

BBVA bank users have highlighted this campaign on Twitter and posted screenshots of the SMSs forwarded by the Threat Actor (TA). These SMSs contain a message which translates, “Your bank account has been suspended. For your safety, it is mandatory to log in from the BBVA protect app. Download it here“.

Figure 1 shows the SMS received by BBVA bank users.

Figure 1 BBVA customers posted SMS screenshots Twitter
Figure 1 – BBVA customers posted SMS screenshots (Twitter)

The TA has designed this campaign to steal the account balance and banking credentials of BBVA bank users. Once the user clicks the phishing link present in the received SMS, it asks the user to download the malicious BBVA Protect app that pretends to be a legitimate BBVA bank application.

Technical Analysis   

APK Metadata Information   

  • App Name: BBVA Protect 
  • Package Name: com.gallery.become    
  • SHA256 Hash: caee54ae322d5418f051e468c13a4ec04263f02f8b8bd6b5db34e388dbbb331a

   

Figure 2 shows the metadata information of an application.  

Figure 2 App Metadata Information
Figure 2 – App Metadata Information 

Manifest Description  

The malicious application asks for 27 permissions, of which the TA exploits 6. The harmful permissions requested by the malware are listed below:  

Permission   Description  
RECEIVE_SMS Allows an application to receive SMS messages 
READ_SMS Allows an application to read SMS messages 
SYSTEM_ALERT_WINDOW Allows an app to create windows shown on    top of all other apps. 
READ_EXTERNAL_STORAGE Allows an application to read from external storage   
RECORD_AUDIO Allows an application to record audio   
WRITE_EXTERNAL_STORAGE Allows an application to write to external    storage 

Source Code Review  

Apart from the application’s subclass, the rest of the components identified from the Manifest file are missing – indicating that the application is packed.  

Figure 3 Manifest File
Figure 3 – Manifest File 

Upon execution, the malicious application unpacks the DEX file present in the assets folder and then loads the classes. In this case, the dropped dex file’s name is “baq.json” which has all the missing classes.

On installing the application, it loads the URL “hxxps://movil[.]bbva[.]es” into Webview, which redirects the user to the phishing site “hxxps://movil[.]bbva[.]es/apps/woody/index[.]html“.

The phishing site impersonates BBVA bank and asks the users for credentials such as username (NIF, NIE, ID card, or Passport) and password.

Figure 4 Loading phishing URL into Webview
Figure 4 – Loading phishing URL into Webview

After loading the phishing page into Webview, the malware injects the malicious JavaScript files “jscript.js” and “jscript2.js” that are present in the assets folder to steal the account balance information and credentials entered by the victim, as shown below.

Figure 5 Injecting a JavaScript files
Figure 5 – Injecting JavaScript files

The below image showcases the code used by the malware to send account balance information and credentials to the Command and Control (C&C) server -“hxxps://privasol[.]xyz/banzreceiver/receiver[.]php?id=” by injecting JavaScripts.

Figure 6 Sending credentials and account balance information
Figure 6 – Sending credentials and account balance information

The malware has defined the SMS Receiver class used to collect incoming SMSs from the victim’s device. The incoming SMSs could contain OTPs, which can be used to bypass the Two-Factor Authentication to steal the money from the victim’s bank account.

Figure 7 Stealing incoming SMS
Figure 7 – Stealing incoming SMS

The above analysis is the classic example of a sophisticated phishing attack implemented within an Android app that can steal account balance and banking credentials and can intercept SMSs to bypass Two-Factor Authentication.

Conclusion 

The campaign has been actively spreading across Spain since 2020 to rapidly target BBVA Bank users. Although the bank has warned its users not to download any application from such SMS links, some users may unintentionally download and log in to the phishing site resulting in them incurring monetary losses and potentially falling victim to financial fraud.

Users should treat such SMSs as untrustworthy to avoid getting infected with this malware and report phishing SMSs to the bank to stop this malware infection chain.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection? 

  • Download and install software only from official app stores like Google Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access T1476 Deliver Malicious App via Other Mean. 
Initial Access T1444 Masquerade as Legitimate Application 
Defense Evasion T1406 Obfuscated Files or Information 
Credential Access T1412 Capture SMS Messages 
Exfiltration T1567Exfiltration over web services 
Input CaptureT1417Input Capture

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
caee54ae322d5418f051e468c13a4ec04263f02f8b8bd6b5db34e388dbbb331aSHA256Hash of the analyzed APK file
a58cf4de95d582e079fd7b6252cb9b614563f00cSHA1Hash of the analyzed APK file 
0a69fb5ee436640724dbb0dcb256cb3bMD5Hash of the analyzed APK file
hxxps://movil[.]bbva[.]esURLPhishing URL
hxxps://privasol[.]xyzURLC&C Server
7394a5b7e15eba380a4add9c6954b15c85cd082bc8e881380cdf3d2b9f5209d9SHA256Hash of the analyzed APK file
f32a8329d1832bd375f55e7aaa7a7b3b67fe2ff7SHA1Hash of the analyzed APK file
1598dda06539be5641deffbb73ee2bc6MD5Hash of the analyzed APK file
hxxps://bbva[.]movil-es[.]icuURLMalware distribution site
hxxps://clientesbbvalock[.]comURLC&C server

Share the Post:
Bumblebee Loader on The RiseNext

Related Posts

Discover more from Cyble

Subscribe now to keep reading and get access to the full archive.

Continue reading

Scroll to Top