McAfee Corporation

09/13/2021 | Press release | Distributed by Public on 09/13/2021 06:46

Android malware distributed in Mexico uses Covid-19 to steal financial credentials

McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank application designed to report an out-of-service ATM. In both instances, the malware relies on the sense of urgency created by tools designed to prevent fraud to encourage targets to use them. This malware can steal authentication factors crucial to accessing accounts from their victims on the targeted financial institutions in Mexico.

McAfee Mobile Security is identifying this threat as Android/Banker.BT along with its variants.

How does this malware spread?

The malware is distributed through a malicious phishing page that provides genuine banking security tips (copied from the original bank site) and recommends downloading the malicious apps as a security tool or as an app to report an out-of-service ATM. It is very likely that a smishing campaign is part of the distribution method; it is also possible that victims are contacted directly by scam phone calls from the criminals, a common occurrence in Latin America. Fortunately, this threat has not been identified on Google Play yet.

Here's how to protect yourself

During the pandemic, banks adopted new ways to interact with their clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the 'new normal' of interacting remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past, leaving customers more susceptible.

Fortunately, McAfee Mobile Security is able to detect this new threat as Android/Banker.BT. To protect yourself from this and similar threats:

  • Employ security software on your mobile devices.
  • Think twice before downloading and installing suspicious apps, especially if they request SMS or notification listener permissions.
  • Use official app stores, but never trust them blindly: malware may be distributed on these stores too, so check the requested permissions, read reviews and seek out developer information if available.
  • Use token-based second-factor authentication apps (hardware or software) rather than SMS message authentication.

Interested in the details? Here's a deep dive on this malware

Behavior: Carefully guiding the victim to provide their credentials

Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app:

- Fake tool to report fraudulent movements, which creates a sense of urgency:

'The [bank name] has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically.

At the end of the blocking process, you will receive an SMS message with the details of the blocked operations.'

- In the case of the fake ATM-failure tool to request a new credit card under the pandemic context, a similar text lures users into a false sense of security:

'As a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.'

This gives the app credibility, since it says it will not ask for certain sensitive data; however, it will ask for web banking credentials.

If the victim taps 'Ingresar' ('access'), the banking trojan asks for SMS permissions and launches an activity to enter the user ID or account number, and then the password. In the background, the password ('clave') is transmitted to the criminals' server without verifying whether the provided credentials are valid or redirecting to the original bank site, as many other banking trojans do.

Finally, a fixed, fake list of transactions is displayed so the user can take the action of blocking them as part of the scam; however, at this point the crooks already have the victim's login data and access to the device's SMS messages, so they are capable of stealing the second authentication factor.

In the case of the fake tool app to request a new card, the app ends with a message that says 'We have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips, where you will learn how to protect your account'.

In the background, the malware contacts the command-and-control server, which is hosted on the same domain used for distribution, and sends the user credentials and all of the user's SMS messages over HTTPS as query parameters (as part of the URL). This can lead to the sensitive data being stored in web server logs, not only at the final attacker destination. Usually, malware of this type has poor handling of the stolen data, so it is not surprising if this information is leaked or compromised by other criminal groups, which makes this type of threat even riskier for the victims. Figure 8 shows a partial screenshot of an exposed page that contains the structure to display the stolen data.
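The exfiltration path described above, as an added example that is not part of McAfee's write-up or of the malware's code: it parses constructed web server access log lines in the common "combined" format and flags requests whose query string carries credential-like parameter names, which is exactly what an analyst reviewing a seized server log or a TLS-terminating proxy log would look for. The log lines, IP addresses, paths and parameter names (user, clave, body) are assumptions constructed for the example; the write-up does not give the real parameter names used by Android/Banker.BT.

```python
"""Added example (not McAfee's or the malware's code): show why sending
stolen data as GET query parameters leaves it in ordinary web server logs,
and scan such logs for credential-like fields.

All log lines, hosts, paths and parameter names below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that should never travel in a query string. These are
# assumptions for the example ('clave' is the Spanish word for password,
# as used in the write-up); the real sample's names are not published.
SENSITIVE_KEYS = {"user", "usuario", "password", "clave", "pass",
                  "sms", "body", "otp", "token"}

# Constructed Apache/nginx "combined" access log lines. The last line is a
# POST: its body never appears in the access log, unlike the GET query strings.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:14:02:11 +0000] "GET /api/save.php?user=12345678&clave=S3cret! HTTP/1.1" 200 12 "-" "okhttp/3.12"
203.0.113.5 - - [10/Sep/2021:14:05:40 +0000] "GET /api/sms.php?from=BANCO&body=Tu+codigo+es+482113 HTTP/1.1" 200 5 "-" "okhttp/3.12"
198.51.100.7 - - [10/Sep/2021:14:06:02 +0000] "GET /tips.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2021:14:06:03 +0000] "POST /api/save.php HTTP/1.1" 200 12 "-" "okhttp/3.12"
"""

# client ip, ident, user, [timestamp] "METHOD target PROTOCOL" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": url.path,
        # parse_qs URL-decodes values ('+' becomes a space) and returns lists
        "params": parse_qs(url.query),
    }


def find_credential_leaks(log_text):
    """Return one record per request whose query string names a sensitive field."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        leaked = sorted(k for k in rec["params"] if k.lower() in SENSITIVE_KEYS)
        if leaked:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "keys": leaked,
                # the plaintext values sit verbatim in the log file
                "values": {k: rec["params"][k][0] for k in leaked},
            })
    return hits


if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} leaked {hit['keys']}")
```

The POST line at the end of the sample is the contrast: its body never reaches the access log, whereas every value in the two GET lines is written to disk verbatim by default server logging, so anyone who can read those logs (hosting staff, another intruder on the same server) gets a copy of the credentials and one-time codes.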

Figure 8 (partial screenshot of the exposed page): table headers Date, From, Body Message, User, Password, Id.

This mobile banker is interesting because it is a scam developed from scratch, not linked to the well-known and more powerful banking trojan frameworks that are sold between cyber-criminals on the black market. It is clearly a local development that may evolve into a more serious threat in the future: the decompiled code shows that an accessibility services class is present but not implemented, which suggests the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling, which signals that it is in an early stage of development.
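The permission advice in the protection list above (SMS and notification listener permissions) and the accessibility-service observation in this paragraph can both be checked mechanically in a decoded AndroidManifest.xml. The following is an added triage script, not McAfee's code and not derived from the sample: it reads a manifest and reports the SMS permissions, incoming-SMS receivers, notification listener services and accessibility services it declares. The manifest, package name and class names are constructed placeholders, not the real sample's.

```python
"""Added example (not McAfee's or the malware's code): triage a decoded
AndroidManifest.xml for the capabilities a banking trojan needs to steal
an SMS second factor or to drive the UI (notification listener /
accessibility service).

The manifest below is constructed; package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give an app access to SMS traffic (one-time codes).
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# A service must declare one of these to bind as a listener/accessibility service.
BIND_NOTIFICATION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a "security tool" that wants SMS access.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Herramienta de seguridad">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarise the risky capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []

    def bound_with(permission):
        # services that the system binds with the given signature permission
        return [s.get(name_attr) for s in services
                if s.get(ANDROID_NS + "permission") == permission]

    sms_receiver = any(
        a.get(name_attr) == SMS_RECEIVED_ACTION
        for r in receivers for a in r.iter("action")
    )
    report = {
        "package": root.get("package"),
        "internet": "android.permission.INTERNET" in perms,
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receiver": sms_receiver,
        "notification_listeners": bound_with(BIND_NOTIFICATION),
        "accessibility_services": bound_with(BIND_ACCESSIBILITY),
    }
    # Reasons a reviewer would want to look closer before trusting the app.
    reasons = []
    if report["sms_permissions"] and report["internet"]:
        reasons.append("can read SMS (one-time codes) and send them out over the network")
    if sms_receiver:
        reasons.append("registers a receiver for incoming SMS")
    if report["notification_listeners"]:
        reasons.append("declares a notification listener service")
    if report["accessibility_services"]:
        reasons.append("declares an accessibility service")
    report["reasons"] = reasons
    return report


if __name__ == "__main__":
    for reason in triage_manifest(SAMPLE_MANIFEST)["reasons"]:
        print("-", reason)
```

For the constructed manifest the script reports SMS read/receive permissions plus an SMS receiver and no accessibility or notification listener service, which matches the write-up's description of a sample whose accessibility class exists in code but is not wired up in the manifest. On a real APK the manifest is obtained with a decoder such as apktool first; the script only handles the decoded XML.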

IoC

SHA256:

  • 84df7daec93348f66608d6fe2ce262b7130520846da302240665b3b63b9464f9
  • b946bc9647ccc3e5cfd88ab41887e58dc40850a6907df6bb81d18ef0cb340997
  • 3f773e93991c0a4dd3b8af17f653a62f167ebad218ad962b9a4780cb99b1b7e2
  • 1deedb90ff3756996f14ddf93800cd8c41a927c36ac15fcd186f8952ffd07ee0

Domains: