The first Android banking Trojan of 2017, Android.BankBot.149.origin, is already in the wild, and its source code has been posted on the web. The malware steals users' banking information and sends it to its command-and-control (C&C) servers. Because the source code is freely available, more variants of this malware can be expected in the wild very soon.
Once the deceptive app is installed, the Trojan requests device administrator privileges on the infected device and then removes its own icon from the home screen, tricking the user into believing the app has been removed.
The Trojan then connects to its command-and-control server and waits for instructions. On command, it can:
- send SMS messages
- intercept SMS messages
- request device administrator privileges
- send USSD requests
- obtain all phone numbers from the contact list
- send an SMS message containing text specified in the command to every number in the contact list
- track the device's location via GPS
- on recent Android versions, request additional runtime permissions to send SMS messages, make calls, and access the contact list and GPS receiver
- receive an executable file containing the list of targeted banking applications
- display phishing dialogs
The malware can also exfiltrate banking card details together with mobile banking credentials. It checks whether popular apps such as Facebook, YouTube, Viber, WhatsApp, Uber, Snapchat, WeChat, Instagram, Twitter and the Play Store are installed, and uses phishing forms that imitate them to trick the user into entering credentials, which are then stolen.
Dr. Web further says “Once Android.BankBot.149.origin detects that any of the aforementioned applications have been launched, it loads the relevant phishing input form to access user bank account login and password information and displays it on top of the attacked application.”
When an SMS arrives on the infected device, for example a notification about a transaction the user did not initiate, the Trojan automatically turns off all sounds and vibration and then tries to delete the notification so that the victim does not notice it. The stolen data is collected on the C&C server and viewed through an administrative panel, which is also used to control the malicious application.
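The capability list above (device administrator rights, SMS interception and sending, USSD/calls, contacts, GPS, overlay phishing forms) and the SMS-suppression behaviour map onto a small set of Android permissions and manifest components, so a first triage of a suspicious APK can be done statically. The following script is an added example, not Dr. Web's analysis tooling or the malware's own code: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar tool) and flags the combination that matches the behaviour described here. The permission-to-capability mapping is my assumption based on how Android grants these abilities, the page does not list permissions, and both sample manifests are constructed for illustration and are not taken from any real sample.

```python
import xml.etree.ElementTree as ET

# ElementTree exposes the android: attributes under this namespace prefix.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities from the list above mapped to the permission that grants each
# one (assumed mapping; the page itself does not name permissions).
PERMISSION_INDICATORS = {
    "send SMS": "android.permission.SEND_SMS",
    "intercept SMS": "android.permission.RECEIVE_SMS",
    "send USSD requests / make calls": "android.permission.CALL_PHONE",
    "read contact list": "android.permission.READ_CONTACTS",
    "track GPS location": "android.permission.ACCESS_FINE_LOCATION",
    "draw overlay on top of other apps": "android.permission.SYSTEM_ALERT_WINDOW",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifests (hypothetical package names, not real APKs).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample App">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the capability indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = []
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for label, perm in PERMISSION_INDICATORS.items():
        if perm in perms:
            found.append(label)
    for recv in root.iter("receiver"):
        # A device-admin receiver must be protected by BIND_DEVICE_ADMIN, so the
        # attribute is the manifest-level sign that admin rights will be requested.
        if recv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            found.append("device administrator receiver")
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                # A high priority lets the receiver see the SMS broadcast ahead of
                # the messaging app (and abort it on versions before Android 4.4).
                prio = filt.get(ANDROID_NS + "priority", "0")
                found.append("SMS_RECEIVED receiver (priority %s)" % prio)
    return found


def is_banker_like(indicators):
    """Flag the combination that matches the behaviour described in the text:
    admin rights plus SMS interception plus the ability to draw overlays."""
    has_admin = "device administrator receiver" in indicators
    has_sms = any(i.startswith("SMS_RECEIVED receiver") for i in indicators)
    has_overlay = "draw overlay on top of other apps" in indicators
    return has_admin and has_sms and has_overlay


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        ind = triage_manifest(manifest)
        verdict = "banker-like" if is_banker_like(ind) else "no match"
        print("%s: %s %s" % (name, verdict, ind))
```

Any single permission here is legitimate in many apps; the signal is the combination, which is why `is_banker_like` only fires when admin rights, SMS interception and overlay capability appear together. Dynamic confirmation (watching for `abortBroadcast`, ringer-mode changes or notification cancellation around incoming SMS) still belongs in the analysis, since a manifest only shows what the app can do, not what it does.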