BankBot banking Trojan threatens Android users

Doctor Web security researchers have detected a new Trojan designed to steal money from the bank accounts of Android users. Cybercriminals embedded this malicious program, called Android.BankBot.65.origin, into an official online banking application and are distributing the result under the guise of the original software.

Security analysts have been familiar with this distribution scheme for some time: cybercriminals inject malicious code into legitimate applications and spread the modified copies across many software directories and file-sharing sites. Because an infected application looks and behaves like the legitimate one, potential victims are very likely to install it on their mobile devices. Instead of the real program, however, users get a modified version containing a Trojan capable of performing malicious actions on the infected device.

Recently, Doctor Web security researchers detected the banking Trojan Android.BankBot.65.origin embedded in the online banking application of the Russian bank Sberbank and distributed using the scheme described above. The cybercriminals modified the program by adding malicious functionality to it and posted the resulting version on a popular software site for mobile devices. The infected copy works exactly like the original, so users have no reason to regard the downloaded program as malicious, which puts their confidential data at risk. So far, over 70 owners of Android devices have downloaded the modified application.
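As an added example (not from Doctor Web's report and not the Sberbank application's own code), the following Python script shows the check that separates a repackaged copy like the one described above from the genuine build. The attacker does not hold the bank's signing key, so a modified APK has to be re-signed with a different certificate, and the signer fingerprint changes even though the app behaves identically. The script reads the v1 (JAR) signature block from `META-INF/*.RSA`, extracts the embedded certificate with a minimal DER walker and compares its SHA-256 fingerprint with a trusted one. The sample APKs, the stand-in certificates and the trusted fingerprint are all constructed inline; they are placeholders, not Sberbank's real signing certificate. The script compares signer identity only, does not verify the signature itself and ignores the v2/v3 APK signing block, so `apksigner verify --print-certs` remains the authoritative tool.

```python
"""Compare an APK's v1 (JAR) signer certificate with a trusted fingerprint.

A repackaged app cannot carry the bank's signature: the attacker must re-sign
it with their own key, so the certificate fingerprint differs from the one
printed for the genuine build by `apksigner verify --print-certs`.
"""
import hashlib
import os
import tempfile
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der(tag, content):
    """Encode one DER TLV (only used to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, content, end_offset)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out


def extract_signer_certs(pkcs7):
    """Return the DER bytes of every certificate in a PKCS#7 SignedData blob."""
    tag, content_info, _ = read_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    oid, explicit = children(content_info)[:2]
    if oid[0] != 0x06 or oid[1] != OID_SIGNED_DATA or explicit[0] != 0xA0:
        raise ValueError("not PKCS#7 SignedData")
    _, signed_data, _ = read_tlv(explicit[1], 0)
    # SignedData: version, digestAlgorithms, encapContentInfo, [0] certificates, ...
    cert_sets = [c for c in children(signed_data) if c[0] == 0xA0]
    if not cert_sets:
        return []
    return [raw for t, _, raw in children(cert_sets[0][1]) if t == 0x30]


def fingerprint(cert_der):
    """SHA-256 over the DER certificate, as apksigner prints it."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_path):
    """Fingerprints of all v1 signer certificates found in the APK."""
    fps = set()
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in extract_signer_certs(z.read(name)):
                    fps.add(fingerprint(cert))
    return fps


def check_apk(apk_path, trusted_fingerprints):
    """Verdict: 'trusted', 'untrusted_signer' (re-signed copy) or 'no_v1_signature'.
    Every signer must be trusted; a stale original block next to an attacker's
    block must not pass. Identity only: the signature itself is not verified."""
    fps = apk_signer_fingerprints(apk_path)
    if not fps:
        return fps, "no_v1_signature"
    if fps <= set(trusted_fingerprints):
        return fps, "trusted"
    return fps, "untrusted_signer"


def fake_cert(subject):
    """Stand-in for an X.509 certificate (constructed, not a real cert); long
    enough that the outer SEQUENCE uses a long-form DER length."""
    return der(0x30, der(0x13, (subject + "; ").encode() * 10))


def make_sample_pkcs7(cert_der):
    """Structurally valid SignedData around cert_der (constructed sample with
    empty digestAlgorithms and signerInfos)."""
    signed_data = der(0x30, der(0x02, b"\x01")               # version
                      + der(0x31, b"")                       # digestAlgorithms
                      + der(0x30, der(0x06, OID_DATA))       # encapContentInfo
                      + der(0xA0, cert_der)                  # certificates [0]
                      + der(0x31, b""))                      # signerInfos
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))


def make_sample_apk(path, cert_der):
    """Minimal zip with the v1 signature files (constructed sample APK)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00 (stand-in)")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", make_sample_pkcs7(cert_der))


def demo():
    """Genuine build vs. attacker-re-signed copy; returns both verdicts."""
    bank_cert = fake_cert("CN=bank release key")          # placeholder, not Sberbank's
    attacker_cert = fake_cert("CN=attacker re-sign key")
    trusted = {fingerprint(bank_cert)}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, cert in (("genuine", bank_cert), ("repackaged", attacker_cert)):
            path = os.path.join(tmp, label + ".apk")
            make_sample_apk(path, cert)
            results[label] = check_apk(path, trusted)[1]
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': 'trusted', 'repackaged': 'untrusted_signer'}
```

In practice the trusted set is filled from the fingerprint of a copy obtained from the bank's official site or Google Play; any download whose signer falls outside that set is a re-signed build, however faithfully it behaves.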

As soon as the infected version is installed and launched, Android.BankBot.65.origin creates a configuration file containing the Trojan's operational parameters. Using these settings, the malware connects to its command-and-control server and sends the following information in POST requests:

  • IMEI
  • The name of the mobile network operator
  • The MAC address of the Bluetooth adapter
  • Whether the QIWI Wallet application is installed
  • The Android API level of the device
  • Trojan version
  • The name of the Trojan package
  • Currently executed command

If Android.BankBot.65.origin receives the "hokkei" command from the remote host, it sends an encrypted list of the user's contacts to the server and updates its configuration file according to the cybercriminals' instructions.

In other respects this malware closely resembles other banking Trojans. Like the other members of this family, Android.BankBot.65.origin can, on command from the server, intercept incoming SMS messages and send texts to numbers specified by the cybercriminals. It can also inject fabricated texts into the list of incoming SMS messages. With these capabilities the cybercriminals can steal money from users' bank accounts (by sending SMS banking commands that transfer money from the victim's account to their own, or by intercepting messages containing verification codes) and run other fraud schemes. For example, they can plant a fabricated message telling the user that his bank card has been blocked and asking him to call the bank on the given number, a message asking him to top up the mobile phone account of a "relative who got into trouble", or another message of this kind.

Doctor Web security researchers strongly recommend that Android device owners download online banking applications only from trusted sources (for example, Google Play or the official websites of financial organizations) and use Dr.Web for Android or Dr.Web for Android Light to protect their devices. The signature of Android.BankBot.65.origin has been added to the Dr.Web virus database, so this malicious program poses no threat to Dr.Web users.

source: Doctor Web
