Cyble-AMEXTROLL-Malware

AMEXTROLL Android Banking Trojan Spotted In The Wild

Resurfaced BRATA Malware Masquerading As Security Application

Cyble Research Labs (CRL) came across a Twitter post wherein a security researcher mentioned an Android Banking Trojan malware “AMEXTROLL” was being advertised on underground cybercrime forums.

Through our DarkWeb intelligence,  CRL found posts made by Threat Actors (TAs) on a cybercrime forum mentioning the AMEXTROLL Android Banking Trojan.

In the post, the TAs claim that their Android malware is encrypted, obfuscated, and persistent with powerful features, the Beta version is available for rent at $3.5k/month, and the test APK is on sale for $300.  

Figure 1 – AMEXTROLL advertisement on an underground forum

AMEXTROLL, also known as BRATA, was first identified in late June 2021, being distributed through different smishing and phishing campaigns targeting Italian banks. Their last attack was identified in April 2022, when the Threat Actors (TAs) changed the malware’s source code to attack specific banking institutions.

The AMEXTROLL malware was also observed being distributed through the below phishing sites:
 

  • hxxps://infoapp[.]pro/bancobpm[.]apk
  • hxxps://youapp-conto[.]digital“.

Technical Analysis

APK Metadata Information 

  • App Name: A Shield Auth
  • Package Name: app.opened.upo
  • SHA256 Hash: 3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a

  

Figure 2 shows the metadata information of the application. 

Figure 2 – App Metadata Information

The malicious application pretends to be a security application that provides antispam protection to appear genuine to potential victims.

Manifest Description 

The malware requests 27 different permissions from the user, of which it abuses at least 7. These dangerous permissions are listed below: 

Permission  Description 
READ_EXTERNAL_STORAGEAllows an application to read from external storage.
WRITE_EXTERNAL_STORAGEAllows an application to write to external storage.
READ_SMSAllows an application to receive SMS messages.
SYSTEM_ALERT_WINDOWAllows an app to create windows on top of app other apps.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
READ_CALL_LOGAllows an application to read the user’s call log.
REQUEST_INSTALL_PACKAGESAllows an application to request installing packages.

Source Code Review 

The application is packed, as most of the components present in the manifest file are missing except for its subclass.

Figure 3 – Manifest File

The malicious application unpacks the DEX file present in the assets folder and then loads the classes upon execution. In this case, the dropped dex file name is “XZ2Hvm0dsFgFqwpZtA4n2qFV3VYTnV1V.dex,” which includes all the missing classes.

The AMEXTROLL malware provides the below functionalities:

After installing the malware, the user is prompted to enable the Accessibility Service. Once the user grants this permission, the malware starts abusing the Accessibility Service feature to carry out malicious activities.

Figure 4 – Accessibility Service

The malware uses Virtual Network Computing (VNC) to capture the victim device’s screen to monitor the targeted applications to steal credentials. The screenshot below shows the image of the control panel posted on a cybercrime forum that clearly illustrates how TAs use VNC to monitor the user’s activity in real-time.

Figure 5 – Control panel image uploaded by the TA

The malware executes the code shown in the below image to record the victim’s device screen using VNC.

Figure 6 – Executing VNC code to screenshot the victim’s screen

The malware uses the code shown in the below snippet to collect the victim’s SMS data based on a command received from the Control and Command (C&C) server. TAs can use this stolen SMS data to perform several malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 7 – Collecting incoming SMSs

The malware also disables Google Play Protect – built-in protection to bypass malware detection to continue its malicious activities without any interference.

Figure 8 – Malware disabling Google Play Protect

The malware collects installed application information from the victim’s device and downloads the HTML injection page for the targeted applications.

Whenever the user interacts with the targeted application, it will create an overlay to steal any credentials entered by the victim.

Figure 9 – Malware injecting targeting applications

Upon receiving a command from the C&C server, the malware removes any anti-virus applications’ installed on the victim’s device and responds with the acknowledgment “protections_removed” after successfully completing the task.

Figure 10 – Deleting installed Antivirus protection from the infected device

The malware uses USSD (Unstructured Supplementary Service Data) service calls to perform money transfers. To transfer money using USSD, no dialer user interface or internet access is required on the victim’s device.

Figure 11 – Malware executes code to Transfer Money through USSD

The commands used by AMEXTROLL to execute it’s malicious operations are:

Command Description 
byebye_formatFormats infected device
mute_deviceMute infected device
lightScreenControls screen brightness 
sendPushNotifySends notifications 
deletePackageInjectedDeletes injected app
get_smsCollects all incoming SMSM 
vncSizeQualityControls VNC screen size quality
vncQualityControls VNC quality
stop_screenStops VNC screen recording 
getScreenCollects screen captured by VNC module
del_applicationDeletes the application received from the C&C server
intent_adminSent admin intent to start device admin
intent_protectCheck and disable Play Protect
open_a11yOpens Accessibility Service screen
open_overShows screen to grant overlay permission
palavraCollects clipboard data
go_homeTakes the user to the home screen
go_recentTakes the user to a recent screen
go_backTakes the user to the back screen
get_applicationCollects installed application package name
del_overlayDelete overlay file stored on the infected device
openAppStarts the application received from the C&C server
killCallsEnds the call on the infected device
run_telRuns USSD to perform money transfer

Conclusion

Banking threats have been rising for some time now and are growing increasingly sophisticated with every new malware variant. AMEXTROLL is one example of such a threat. The malware can perform financial fraud by misusing the victim’s stolen sensitive data.

The BETA version of AMEXTROLL malware is still under development. We foresee that the TA behind the AMEXTROLL will continue to develop new variants of this malware with more targeted applications, new TTPs, and delivery methods.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application 
Defense EvasionT1406Obfuscated Files or Information
CollectionT1412Capture SMS Messages
Input CaptureT1417Input capture
ExfiltrationT1567Exfiltration over web services
CollectionT1436Commonly used ports
ImpactT1447Delete device data
Credential Access T1414Capture clipboard data

Indicators of Compromise (IOCs):

IndicatorsIndicator TypeDescription
45553e3fe188ff71cc343b8a6737196a47cb088503cbc010384c212e1e094418SHA256Hash of the analyzed APK file
83cf270597ae6b8e88089d340459b6bcbb2c7c9eSHA1Hash of the analyzed APK file 
04af65f411817e1f4b267c948f7c4bbcMD5Hash of the analyzed APK file
b66260ad4d147efd54e5e52955b2a251e0c13c4e3a01e1ba1c24745181073988SHA256Hash of the analyzed APK file
72a5c35893019a7ad80546ab10390c3840a01c5bSHA1Hash of the analyzed APK file
31a91ec8d33b85ebb43d269e1e521926MD5Hash of the analyzed APK file
ac230a51c49d651e6bb95903b04c989d7ae8456658d917e4da2d39c3a3a36979SHA256Hash of the analyzed APK file
200731a47d14b744b87577d3bcbcd1fec52d55f3SHA1Hash of the analyzed APK file
901bc9b3fd27e4b80a874dfe2f901584MD5Hash of the analyzed APK file
hxxp://152[.]89[.]247[.]159URLC&C server
hxxps://infoapp[.]proURLMalware distribution site

 

Scroll to Top