Falcon Android Malware goes after VTB Bank Users
During a routine threat hunting exercise, Cyble Research Labs came across a Twitter post in which researchers described an Android malware variant targeting Russian bank users by impersonating the "VTB" bank app. The researchers claim this attack is retaliation for the "Anatsa" campaign targeting Ukraine and named the malware "Falcon" after its C&C panel.
While analyzing the malicious application, we observed that its name is ВТБ (Russian for VTB). The application has no user interface (UI) and hides its icon after installation.
Once the user grants the Accessibility Service permission it requests, the malicious application sends the list of applications installed on the victim's device to the C&C server. The Threat Actors (TAs) then push injection modules that target specific applications found on the device, the VTB bank application being one notable example.
We identified several sophisticated features in this malicious app. Using them, it can steal device information, SMS messages, notification data, etc. It can also send spam messages to the device's contacts and initiate financial transactions through Unstructured Supplementary Service Data (USSD) codes.
APK Metadata Information
- App Name: ВТБ
- Package Name: com.uivhspbweh.qbilykvlf
- SHA256 Hash: 4a9851b10361d4efc9657233aedfa3b0a0040ee016cc9891252d838b4e9ce0f2
Figure 1 shows the metadata information of the application.
When the application is installed on an Android device, Google Play Protect identifies it as a fake app and information stealer and blocks the installation.
After disabling Google Play Protect and installing the application on our test device, we observed that the application, named ВТБ, requests Accessibility Service access.
The malware requests 20 different permissions, of which it abuses at least 10. These are listed below. Most of them are runtime ("dangerous") permissions that require explicit user consent; ACCESS_NETWORK_STATE and REQUEST_DELETE_PACKAGES are normal-level permissions granted automatically at install time.

| Permission | Description |
|---|---|
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| REQUEST_DELETE_PACKAGES | Allows an application to request that packages be deleted. |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections. |
| READ_PHONE_NUMBERS | Allows read access to the device's phone number(s). |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and serial number of the phone, the status of any ongoing calls, and the list of Phone Accounts registered on the device. |
| READ_SMS | Allows the app to read SMS messages stored on the device. |
| RECEIVE_SMS | Allows the app to receive incoming SMS messages. |
| SEND_SMS | Allows the app to send SMS messages. |
| WRITE_SMS | Allows the app to modify or delete SMS messages. |
| READ_CONTACTS | Allows the app to read the user's contacts. |
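The permission set above, together with an accessibility service, an SMS receiver and a notification listener, is the capability pattern this write-up describes. The following script is an added example (not Cyble's tooling) that triages a decoded AndroidManifest.xml, as produced by apktool, for that pattern. The manifest it parses is constructed to match the permission table; the component names (.MainActivity, .AccService, .PushService, .SmsReceiver) are invented for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the banker pattern
described above.  Added example, not Cyble's tooling; the sample manifest
is constructed and its component names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups that together characterise an SMS-stealing banker.
CLUSTERS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
                  "android.permission.READ_PHONE_NUMBERS"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
NOTIF_ACTION = "android.service.notification.NotificationListenerService"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _actions(component):
    return {_attr(a, "name") for f in component.iter("intent-filter") for a in f.iter("action")}


def _categories(component):
    return {_attr(c, "name") for f in component.iter("intent-filter") for c in f.iter("category")}


def triage_manifest(xml_text):
    """Return the permission clusters present and the components a banker needs."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    result = {
        "package": root.get("package"),
        "clusters": {k: sorted(perms & v) for k, v in CLUSTERS.items()},
        "accessibility_service": False,
        "notification_listener": False,
        "sms_receiver": False,
        "launcher_activity": False,
    }
    app = root.find("application")
    for comp in (app if app is not None else []):
        actions = _actions(comp)
        if comp.tag == "service":
            if (_attr(comp, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                    or ACCESSIBILITY_ACTION in actions):
                result["accessibility_service"] = True
            if (_attr(comp, "permission") == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
                    or NOTIF_ACTION in actions):
                result["notification_listener"] = True
        elif comp.tag == "receiver" and SMS_ACTION in actions:
            result["sms_receiver"] = True
        elif comp.tag in ("activity", "activity-alias") and \
                "android.intent.category.LAUNCHER" in _categories(comp):
            # Still declared for an app that hides its icon: the icon is removed at
            # runtime by disabling this component, so the manifest alone cannot tell.
            result["launcher_activity"] = True
    return result


def verdict(result):
    """Flag the combination described in the write-up: full SMS access, an
    accessibility service, and at least one interception component."""
    full_sms = len(result["clusters"]["sms"]) == len(CLUSTERS["sms"])
    intercepts = result["sms_receiver"] or result["notification_listener"]
    return "banker-like" if full_sms and result["accessibility_service"] and intercepts else "review"


# Constructed manifest mirroring the permission table; component names are invented.
_PERMS = ["CALL_PHONE", "REQUEST_DELETE_PACKAGES", "ACCESS_NETWORK_STATE", "READ_PHONE_NUMBERS",
          "READ_PHONE_STATE", "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "WRITE_SMS", "READ_CONTACTS"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.uivhspbweh.qbilykvlf">' % ANDROID_NS
    + "".join('<uses-permission android:name="android.permission.%s"/>' % p for p in _PERMS)
    + """<application android:label="VTB">
  <activity android:name=".MainActivity"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
  <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
  <service android:name=".PushService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
    <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter></service>
  <receiver android:name=".SmsReceiver">
    <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
</application></manifest>""")

if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings["package"], verdict(findings), findings)
```

Run it against the output of `apktool d sample.apk` by reading `AndroidManifest.xml` into `triage_manifest`; the verdict is a triage aid, not a detection signature, because legitimate SMS or accessibility apps also match individual clusters.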
Source Code Review
Our static analysis indicates that the malware steals information from the infected device according to commands received from the TA's Command and Control (C&C) server.
On first launch, the application hides its icon from the launcher and runs silently in the background. The code snippet below is used to hide the app icon.
After execution, the malware uses the telephony service to gather device information such as the country code, so that the attack is carried out only in the targeted region.
The image below shows the code through which the malware downloads injection modules from the C&C URL shown, targeting applications installed on the victim's device:
On receiving the bot_sms command from the C&C server, the malware intercepts incoming SMS messages and forwards their contents to the C&C server.
The malware uses the code below to collect the victim's SMS data. The attackers can use stolen SMS data for further malicious activity, such as harvesting contact details or bypassing SMS-based two-factor authentication.
The code snippet below shows the malware reading incoming app notifications on the victim's device when it receives the need_interepting_push command from the C&C server.
It gathers the notification title and text, together with the package name of the application that posted the notification.
Using the code below, the malware reads the contacts saved on the victim's device and sends them spam messages; these can carry links to malicious apps or to pages used for financial fraud.
The malware collects device information such as android_version, phone_manufacturer, phone_model, mobile_operator, the device's IP address, play_protect_status, etc., on command from the C&C server.
The malware can also commit financial fraud through USSD-based payment services (for example, by dialing *99#). These services let a user perform mobile banking transactions by dialing a short code, with no internet access required on the victim's device, and the CALL_PHONE permission listed above lets the malware place such a call without the Dialer asking the user to confirm it.
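When reviewing decompiled code for this behaviour, two things are worth searching for: tel: URIs handed to ACTION_CALL (which dials immediately when the app holds CALL_PHONE, unlike ACTION_DIAL, which only opens the dialer) and the C&C command strings named above. The scanner below is an added example, not Cyble's code; the decompiler output it runs over is constructed, and the class and method names in it are invented. It also checks the detail that trips up USSD dialing: inside a tel: URI a literal # is a fragment delimiter that Uri.parse() strips, so working code encodes it as %23.

```python
"""Scan decompiled Java/smali text for tel: URIs and the C&C command strings
quoted in the analysis.  Added example (not Cyble's code); SAMPLE_LINES is
constructed decompiler output with invented class and method names."""
import re
from urllib.parse import unquote

TEL_URI = re.compile(r"""tel:([^"'\s)]+)""")
# MMI/USSD code: starts with * or #, digits/*/# in between, ends with #.
USSD_CODE = re.compile(r"^[*#][0-9*#]*#$")
CNC_COMMANDS = ("bot_sms", "need_interepting_push")   # strings quoted in the write-up
SILENT_CALL_MARKERS = ("Intent.ACTION_CALL", "android.intent.action.CALL")


def classify_tel(raw):
    """Decode a tel: URI body and say whether it is a USSD code.
    A literal '#' in a tel: URI is a fragment delimiter and is dropped by
    Uri.parse(), so working code encodes it as %23; an unencoded '#' would
    silently turn '*99#' into '*99' at runtime."""
    number = unquote(raw)
    return {
        "number": number,
        "kind": "ussd" if USSD_CODE.match(number) else "voice",
        "hash_encoded": "%23" in raw,
    }


def scan_decompiled(lines):
    """Return one finding per tel: URI and per C&C command string, with line numbers."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in TEL_URI.finditer(line):
            hit = classify_tel(m.group(1))
            hit["line"] = lineno
            # ACTION_CALL places the call at once when the app holds CALL_PHONE;
            # ACTION_DIAL only opens the dialer and needs the user to press call.
            hit["silent_call"] = any(mk in line for mk in SILENT_CALL_MARKERS)
            hits.append(hit)
        for cmd in CNC_COMMANDS:
            if '"%s"' % cmd in line:
                hits.append({"line": lineno, "command": cmd})
    return hits


def ussd_findings(lines):
    return [h for h in scan_decompiled(lines) if h.get("kind") == "ussd"]


# Constructed decompiler output (invented names), not taken from the sample.
SAMPLE_LINES = [
    'Intent i = new Intent("android.intent.action.CALL", Uri.parse("tel:*99%23"));',
    'startActivity(new Intent(Intent.ACTION_DIAL, Uri.parse("tel:+15551234567")));',
    'Uri broken = Uri.parse("tel:*100#");  // unencoded: the dialer would see *100',
    'if (cmd.equals("bot_sms")) { uploadSms(); }',
    'case "need_interepting_push": startListener(); break;',
]

if __name__ == "__main__":
    for hit in scan_decompiled(SAMPLE_LINES):
        print(hit)
```

Feed it the .java files from jadx (`for path in glob("**/*.java", recursive=True)`) and review every hit with `kind == "ussd"` and `silent_call == True` first; those are the places where a transaction can be triggered without any user interaction.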
We have listed the commands used by the TAs to control the infected device below:
Throughout the conflict between Russia and Ukraine, we have observed a marked increase in the volume of cyberattacks on Android users. This campaign is an example of an Android application masquerading as the legitimate VTB banking app to target Russian users.
According to our research, this malware is distributed only through sources other than the Google Play Store. Practicing basic cyber hygiene on mobile devices and with online banking applications is therefore an effective way to keep such malware off your devices.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening links received via SMS or email on your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful when granting permissions, in particular Accessibility Service access, which this malware requires in order to operate.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on alerts from anti-virus software and the Android OS, and act on them.
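A more direct check for the pattern described in this report is to look for a sideloaded package that has been granted an accessibility service. The script below is an added example, not Cyble's tooling; it parses the text of two adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and the sample output it ships with is constructed (the pwmanager and bank package names are invented).

```python
"""Flag third-party packages that have an accessibility service enabled and
were not installed by the Play Store.  Added example, not Cyble's tooling.
Inputs are the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
The sample text below is constructed; the non-Falcon package names are invented."""
import re

PLAY_STORE = "com.android.vending"
_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_enabled_services(text):
    """'pkg/cls:pkg2/cls2' -> {pkg: [cls, ...]}; 'null' or empty means none enabled."""
    enabled = {}
    text = text.strip()
    if not text or text == "null":
        return enabled
    for component in text.split(":"):
        pkg, _, cls = component.partition("/")
        enabled.setdefault(pkg, []).append(cls)
    return enabled


def parse_installers(text):
    """Map each third-party package to its installer (None when sideloaded)."""
    installers = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def suspicious_accessibility(enabled_text, pm_text):
    """Third-party packages with an enabled accessibility service whose installer
    is not the Play Store (sideloads show installer=null or a package-installer)."""
    enabled = parse_enabled_services(enabled_text)
    installers = parse_installers(pm_text)
    suspects = []
    for pkg, services in enabled.items():
        if pkg not in installers:
            continue   # preloaded/system package such as TalkBack: absent from the -3 list
        if installers[pkg] != PLAY_STORE:
            suspects.append({"package": pkg, "services": services, "installer": installers[pkg]})
    return suspects


# Constructed adb output: the Falcon package plus two invented Play-installed apps.
ENABLED = ("com.uivhspbweh.qbilykvlf/com.uivhspbweh.qbilykvlf.AccService:"
           "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
           "com.example.pwmanager/.AutofillAccessibilityService")
PM_LIST = """package:com.uivhspbweh.qbilykvlf  installer=null
package:com.example.pwmanager  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for suspect in suspicious_accessibility(ENABLED, PM_LIST):
        print(suspect)
```

A hit here is not proof of infection (legitimate sideloaded accessibility tools exist), but a package with a random-looking name, no launcher icon and an enabled accessibility service is exactly what this sample looks like on a device, and it is a good candidate for `adb shell pm uninstall`.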
What to do when you are infected?
- Disable Wi-Fi/mobile data and remove the SIM card, as in some cases the malware can re-enable mobile data.
- Back up personal media files (not mobile applications) before resetting the device.
- Perform a factory reset.
- If a factory reset is not possible, remove the application.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or email.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Collection | T1412 | Capture SMS Messages |
| Command and Control | T1436 | Commonly Used Port |
Indicators of Compromise (IOCs)