Phishing Attack Replaces Android Banking Apps With Malware

Mobile devices are also increasingly being used to manage a critical and important asset for all of us: our money. According to the Federal Reserve Board report “Consumers and Mobile Financial Services 2013,” in the United States “48 percent of smartphone owners have used mobile banking in the past 12 months, up from 42 percent in December 2011.” Of that 48 percent, “Nearly half of mobile banking users appear to be using mobile apps to conduct their banking transactions, as 49 percent have installed such applications on their phones.”

Recently a new Android banking Trojan that replaces popular South Korean banking apps with malware was found in the wild. This threat steals sensitive information and banking credentials to perform financial fraud. Like other mobile threats seen in South Korea (such as Smsilence), this one uses “smishing” (SMS phishing) attacks that employ fake messages from the Financial Services Commission asking users to install new antimalware protection. However, when the user clicks on the shortened URL, what is actually downloaded is malware that masquerades as the Google Play app, using the same icon (but without a label):

[Image: fake Google Play icon used by the dropper]

If the victim executes the malware, it checks whether any of the following South Korean banking apps are installed: KB Kookmin Card (from the biggest credit card company in the country), IBK (Industrial Bank of Korea), Shinhan Bank, Nonghyup Bank, Woori Bank, SC First Bank (currently not available in Google Play), Hana Bank and KFCC (Korean Federation of Community Credit Cooperatives). If the malware finds one or more of them, it checks whether the device is rooted in order to perform a silent uninstall of the banking application by executing the following commands with root (superuser) privileges:

  • mount -o remount rw /data (remount the data partition as read/write)
  • chmod 777 /data/app/<package_name_banking_app>.apk (changes permissions of APK file)
  • pm uninstall <package_name_banking_app> (silently removes the application)

If the device is not rooted (the su binary is not present), the fake Google Play app asks the user to uninstall the legitimate banking app and, in exchange, offers to install another app (this also happens even if the user has already granted root privileges) with the same icon but requesting very suspicious permissions:

[Image: prompt offering the replacement app]

The newly installed app is bundled inside the assets folder of the original fake Google Play app that was distributed to the victim via SMS. The new app is basically the same malware but customized (with icons and menus) for each of the banks previously mentioned, to make the phishing attack more convincing and steal financial information from the victim. For some banks, the phishing screen includes text claiming that the application is certified by Yessign (a certification authority in South Korea) and asks the user to accept the certificate's terms and conditions (covering the collection and use of personal information) to “assure” the victim that the recently installed app belongs to the bank:
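Because the bank-specific payload travels inside the dropper's assets folder, a nested APK under assets/ is a cheap dropper indicator worth surfacing during static triage. The following is an added example of that check, not McAfee's own tooling; it works on any APK bytes and, for offline use, constructs a minimal sample dropper in memory (the file names inside it are made up).

```python
"""Static triage: flag APKs that carry another APK inside their assets/ folder.

Added example (not the vendor's tooling). An APK is a ZIP archive, so a payload
stashed under assets/ is recognisable by the ZIP local-file-header magic at the
start of the entry, whatever extension the dropper gave it.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return names of assets/ entries whose content is itself a ZIP/APK archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Only look at files under assets/; skip directory entries.
            if not info.filename.startswith("assets/") or info.is_dir():
                continue
            with apk.open(info) as entry:
                head = entry.read(4)
            if head == ZIP_MAGIC:  # nested archive, extension notwithstanding
                hits.append(info.filename)
    return hits


def _build_sample_dropper() -> bytes:
    """Constructed sample: a minimal 'dropper' whose assets/ hides a renamed APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        # Ordinary resource: must not be flagged.
        z.writestr("assets/bank_skin.png", b"\x89PNG\r\n\x1a\n not really a png")
        # Payload disguised with a harmless-looking name (hypothetical).
        z.writestr("assets/update.dat", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_apks(_build_sample_dropper()))  # ['assets/update.dat']
```

To triage a real sample, pass `open("sample.apk", "rb").read()` to `find_embedded_apks`; a non-empty result means the APK is carrying another installable package and deserves a closer look.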

[Image: Yessign terms and conditions screen]

Sometimes the malware directly asks the victim to enter banking credentials such as Social Security Number (주민등록번호), account number (계좌번호), account password (계좌비밀번호), withdrawal account number (출금계좌), user ID (사용자 ID), Internet banking ID (인터넷뱅킹), Resident Registration Number (주민등록번호), and password (비밀번호):

[Image: financial credentials form]

Next, the malware attempts to obtain the grid (security) card serial number and values:

[Image: security card form]

After that it also asks for the certificate password (인증서암호), another authentication factor:

[Image: certificate password prompt]

In the case of the Nonghyup and KFCC banks, the malware asks for all the information in a single form: name (이름), Social Security Number (주민등록번호), cell phone number (핸드폰 번호), user ID (이용자 ID), user password (이용자 PW), account number (계좌번호) and account password (계좌비밀번호), and security card serial number (보안카드 일련번호):

[Image: banking information form for Nonghyup and KFCC]

All the captured information is later sent to a remote server via HTTP along with the phone number of the infected device. In addition to the phishing attack, the malware can also perform the following actions in the background and without the user’s consent:

  • Detects when a new outgoing/incoming call is made/received, obtains the incoming number, changes the ringer mode to silence, and ends the call
  • Intercepts incoming SMS messages and sends the data (origin and message body) to a remote server
  • Starts a service in the background that tries to uninstall the targeted banking app (in case it is still present) and sends SMS messages to premium-rate numbers using the data (number and keyword) sent by the control server via HTTP

Taking into account the increasing use of mobile banking apps worldwide, there is a huge potential in targeting them just as we’ve seen in South Korea, and of course there is a strong chance of seeing this type of malware emerge in other regions like Europe and America. At the same time, this new threat shows that Android malware targeting financial transactions has evolved from joint PC-mobile attacks (like Zitmo and Spitmo), phishing attacks via apps (like FakeToken), and SMS messages carrying only a URL to a unified threat that replaces legitimate banking apps with a malicious application to obtain several authentication factors. These include the account password, grid card, certificate password, and mTANs sent via SMS. The threat also behaves like traditional Android malware by sending SMS messages without the user’s consent.

McAfee Mobile Security detects this threat as Android/FakeBankDropper.A and Android/FakeBank.A and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.