Cyble-Falcon-Malware

New Malware Campaign Targets Russia

Falcon Android Malware goes after VTB Bank Users

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post wherein researchers mentioned an Android malware variant targeting Russian bank users by mirroring the “VTB” bank app. Researchers claim this attack is retaliation for the “Anatsa” campaign targeting Ukraine and named it “Falcon,” based on the C&C panel name.

While analyzing the malicious application, we observed that it has the name ВТБ (Russian), which means VTB in English. This application doesn’t have any user interface (UI) and hides its icon after installation.

Once the user grants the requested Accessibility Services permission to the malicious application, it sends a list of applications installed on the victim’s device to the C&C server. Accordingly, the Threat Actors (TAs) provide injection modules to target specific applications installed on the victim’s device, the VTB bank application being one notable example.

We identified several sophisticated features in this malicious app. By leveraging these features, the app can steal device info, SMSs, notification data, etc. The application can also send spam messages to device contacts and make financial transactions using the Unstructured Supplementary Service Data (USSD) e-service.

Technical Analysis

APK Metadata Information

  • App Name:  ВТБ
  • Package Name: com.uivhspbweh.qbilykvlf
  • SHA256 Hash: 4a9851b10361d4efc9657233aedfa3b0a0040ee016cc9891252d838b4e9ce0f2

Figure 1 shows the metadata information of the application.

Figure 1 – App Metadata Information

While trying to install the application on an Android device, Google Play Protect warns the users by identifying it as a fake app and information stealer, thereby blocking the installation.

Figure 2 – Google Play Protect Warning

After disabling Google Play Protect and installing the application on the test device, we observed that the application named ВТБ requests Accessibility Service access.

Figure 3 – App Requests Accessibility

Manifest Description

The malware requests 20 different permissions from the user, of which it abuses at least 10. These dangerous permissions are listed below.

Permission              | Description
------------------------+------------------------------------------------------------------
CALL_PHONE              | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call.
REQUEST_DELETE_PACKAGES | Allows an application to request the deletion of packages.
ACCESS_NETWORK_STATE    | Allows the app to view information about network connections.
READ_PHONE_NUMBERS      | Allows read access to the device's phone number(s).
READ_PHONE_STATE        | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
READ_SMS                | Allows access to phone messages.
RECEIVE_SMS             | Allows an application to receive SMS messages.
SEND_SMS                | Allows an application to send SMS messages.
WRITE_SMS               | Allows the app to modify or delete SMS messages.
READ_CONTACTS           | Allows access to phone contacts.
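As an added defender-side example (not code from the report or from the malware), the following Python triage script checks a decoded AndroidManifest.xml for the SMS, telephony, contacts and package-removal permissions listed above in combination with a service bound to the Accessibility framework. The manifest it runs on is constructed for the demonstration, and BIND_ACCESSIBILITY_SERVICE is a standard Android permission assumed here rather than quoted from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the report lists as abused by the sample, grouped by capability.
ABUSED = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
                  "android.permission.READ_PHONE_NUMBERS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "package_removal": {"android.permission.REQUEST_DELETE_PACKAGES"},
}
# Assumption (standard Android permission, not quoted in the report): an app that
# abuses Accessibility Services must declare a service bound with this permission.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text):
    """Return which abused capabilities a decoded manifest requests and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    binds_a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
                     for s in root.iter("service"))
    hits = {cap: sorted(requested & perms) for cap, perms in ABUSED.items()}
    hits = {cap: perms for cap, perms in hits.items() if perms}
    # The report's pattern: accessibility access plus SMS and telephony control.
    suspicious = binds_a11y and "sms" in hits and "telephony" in hits
    return {"capabilities": hits,
            "accessibility_service": binds_a11y,
            "suspicious": suspicious}


# Constructed manifest for demonstration (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A decoded manifest can be obtained from an APK with a tool such as apktool; the script only needs the resulting XML text.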

Source Code Review

Our static analysis indicated that the malware steals the information from the infected device based on the commands received from the TA’s Command and Control (C&C) server.

While launching the application for the first time, it hides its icon from the device screen and runs silently in the background. The below code snippet is used to hide the app icon.

Figure 4 – Code to Hide App Icon

After execution, the malware uses telephony services to gather device information, such as the device's country code, so that the attack can be carried out in the desired region.

Figure 5 – Code to Get Device's Country Code

The image below contains the code through which the malware downloads injection modules from the following C&C URL to target applications installed on the victim's device:

hxxps://vtbsu[.]club/sweden/api/api.php?get_lend=

Figure 6 – Code to Download Injection Modules

Upon receiving the bot_sms command from the TA’s C&C Server, the malware intercepts the incoming SMSs and sends the SMS data to the TA’s C&C server.

Figure 7 – Code to Intercept Incoming SMSs

The malware uses the below code to collect the victim’s SMS data. The attackers can use the stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 8 – Code to Read SMSs

The below code snippet depicts the malware’s ability to read incoming app notifications on the victim’s device based on the command need_interepting_push received from the TA’s C&C server.

It gathers information such as notification title and text and the application’s package name from which the notification originates.

Figure 9 – Code to Read Notifications

Using the code below, the malware reads the contacts saved on the victim's device and sends spam messages to them; these messages can contain links to malicious apps or links used for financial fraud.

Figure 10 – Code to Send Spam MSGs to Victim Device Contacts

The malware collects victim device information such as android_version, phone_manufacturer, phone_model, mobile_operator, the device's IP address, play_protect_status, etc., based on commands from the TA's C&C server.

Figure 11 – Code to collect Victim Device Info

The malware can also perform financial fraud through the USSD payment service (for example, by dialling a code such as *99#). This service allows mobile banking transactions to be carried out by dialling such a number without requiring internet access on the victim's device.

Figure 12 – Financial Frauds through USSD

We have listed the commands used by the TAs to control the infected device below:

  • bot_country_code
  • bot_logs
  • bot_injects
  • bot_sms
  • bot_commands
  • need_interepting_sms
  • need_interepting_push
  • injs_open_app
  • interval_tuk_tuk
  • injs_or_urls_open_app
  • auto_injs_after_isntall
  • auto_injs
  • auto_injs_tag
  • push_injs
  • auto_del_apps
  • track_apps
  • ask_apps_sms
  • auto_sms
  • app_opened_inj_url
  • auto_injs_after_istall_key_inj
  • auto_injs_key_pckg_time
  • auto_injs_tag_key_pckg_time
  • push_injs_pckg_time
  • auto_del_apps_time
  • all_sms_was_set
  • installed_apps_was_set
  • all_granted
  • notif_perms_miui_clicked
  • perms_miui_clicked

Conclusion

Throughout the conflict between Russia and Ukraine, we have observed a marked increase in the volume of cyberattacks on Android users. This malware campaign is an example of an Android application masquerading as the legitimate VTB banking app to target Russian users.

According to our research, this type of malware is only distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications is a good way to prevent such malware from compromising your devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/mobile data and remove the SIM card, as in some cases the malware can re-enable mobile data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

Tactic              | Technique ID | Technique Name
--------------------+--------------+---------------------------------------
Initial Access      | T1476        | Deliver Malicious App via Other Means
Initial Access      | T1444        | Masquerade as Legitimate Application
Execution           | T1575        | Native Code
Collection          | T1412        | Capture SMS Messages
Command and Control | T1436        | Commonly Used Port

Indicators of Compromise (IOCs)
