Android Banking Trojan targets Korean users (June 30, 2014)

The Dell SonicWALL Threats Research team received reports of an Android malware that steals sensitive information from the victim's mobile device after infection. We observed this malware monitoring specific Korean financial apps on the victim's device, making this a very targeted attack.

Infection Cycle

During installation the app requests the following permissions:

  • Send SMS
  • Receive Boot Completed
  • Internet
  • System Alert Window
  • Wifi State
  • Get Tasks
  • Call Phone
  • Receive SMS
  • Mount Unmount
  • Mount Format Filesystems
  • Write External Storage
  • Read Contacts
  • Read SMS

In addition, the app requests Device Administrator access to perform key actions such as:

  • Forcefully lock the device
  • Factory Reset the phone
  • Disable the Camera

Upon installation the app appears in the app drawer as "googl app stoy". When opened, the app displays "Program error deleted it!" and then abruptly closes.

One may think that the app crashed and got uninstalled, but a close examination of the running processes shows that there are 3 services actively running under "google app stoy":

Android services are components of an Android app that run in the background, performing long-running operations with little to no user intervention. Let's examine some of these processes in a bid to uncover the devious motives of this malware.

UploadPhone Service

This service is used for uploading data collected by the malware:

  • Checks if the device has specific banking apps installed and sends this information to the server
  • Posts the all.zip file located in the temp folder of the mounted SD card to the server. This file contains all the stolen data
  • The same file is also named [phone_number]_npki.zip and sent via Gmail; the credentials for this Gmail account are hard-coded in the app

Uninstall Service

  • Checks if AhnLab V3 Mobile Plus 2.0 is installed on the phone; if found, it attempts to uninstall this app
  • AhnLab V3 Mobile Plus claims to provide protection against fraud/accidents caused by malicious programs when using e-banking apps
  • Based on a user review of this app, it appears that some Korean banking apps force the installation of this app; the malware writers have thus taken the precaution of removing it

SoftService

  • Stores a file locally with the server information
  • Checks if the app is running on an Android emulator; if so, it exits
  • This is a precaution taken by malware writers to thwart security researchers from analysing this malicious app

A Broadcast Receiver is an Android component that listens for system-wide events and performs a specified action once that event occurs. The following receivers were seen in the malware:

SystemReceiver

  • This listens for two events, Boot_Completed and User_Present; when either of these events occurs, this receiver launches the services shown in the image below. We have already discussed a few of these services in detail
  • The Boot_Completed event indicates that the device has booted, and the User_Present event indicates that the user has unlocked the screen

OpenActivityReceiver

  • This listens for the Sms_Received event and performs a set of actions
  • Personal SMS arriving at the device are relayed to a server at im[Removed]/phon/sms.php
  • Commands can be issued to this malware via SMS; the following commands were identified:
    • ak49 : Content following this command is written to the ak49.txt file and the UploadContent service is invoked
    • ak40-1 : Writes "1" to ak40.txt
    • ak40-2 : Deletes the file ak40.txt
    • ak40-anything_else : Checks ak40.txt and, if that file contains "1", mails the contents of the SMS via Gmail to the attacker
    • ak60 : Content following this command is written to sms_name.txt; this file stores the Gmail account to which data is sent
    • ak61 : Content following this command is written to sms_pws.txt; this file stores the password for that Gmail account
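The SMS command set above can be turned into a simple triage rule for an analyst reviewing an SMS dump from a suspected device: any message whose body starts with one of these tokens is a C2 command, and the token tells you what the trojan would have done with it. The following Python is an added example written for this post, not code from the original analysis or from the malware; the action descriptions and the sample inbox are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command tokens documented for this trojan, mapped to the action each triggers on the device.
_PREFIX_ACTIONS = {
    "ak49": "write text to ak49.txt and invoke UploadContent service",
    "ak60": "set Gmail account for exfiltration (sms_name.txt)",
    "ak61": "set Gmail password for exfiltration (sms_pws.txt)",
}
_AK40_ARG_ACTIONS = {
    "1": "enable SMS forwarding (write '1' to ak40.txt)",
    "2": "disable SMS forwarding (delete ak40.txt)",
}
_CMD_RE = re.compile(r"^(ak49|ak60|ak61|ak40-)(.*)$", re.DOTALL)  # token must open the body


@dataclass
class C2Command:
    prefix: str    # command token matched at the start of the SMS
    action: str    # what the trojan does on receipt
    argument: str  # text following the token, stripped


def classify_sms(body: str) -> Optional[C2Command]:
    """Map an inbound SMS body to the trojan command it would trigger, or None for ordinary text."""
    m = _CMD_RE.match(body.strip())
    if not m:
        return None
    token, rest = m.group(1), m.group(2).strip()
    if token == "ak40-":
        # "1" and "2" toggle the flag file; any other argument is the forward-if-flag-set case.
        action = _AK40_ARG_ACTIONS.get(rest, "forward this SMS via Gmail if ak40.txt contains '1'")
        return C2Command("ak40", action, rest)
    return C2Command(token, _PREFIX_ACTIONS[token], rest)


def scan_inbox(messages: List[Tuple[str, str]]) -> List[Tuple[str, C2Command]]:
    """Return (sender, command) for every message in an SMS dump that parses as a C2 command."""
    return [(sender, cmd) for sender, body in messages if (cmd := classify_sms(body))]


# Constructed sample inbox for the demo; these are not real captured messages.
SAMPLE_INBOX = [
    ("+82-10-0000-0001", "Lunch at 12?"),
    ("+82-10-0000-0002", "ak40-1"),
    ("+82-10-0000-0002", "ak60 drop-mailbox@example.com"),
    ("+82-10-0000-0002", "ak49 operator note"),
    ("+82-10-0000-0002", "ak40-check"),
]
if __name__ == "__main__":
    for sender, cmd in scan_inbox(SAMPLE_INBOX):
        print(f"{sender}: {cmd.prefix} -> {cmd.action} (arg={cmd.argument!r})")
```

Matching is anchored to the start of the body and is case-sensitive, mirroring the literal tokens listed above; a token appearing mid-sentence in ordinary text is not flagged.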

Additionally we observed the following:

  • The malware has a function bankHijack() which tries to access data of the targeted banking apps via Shared Preferences. Android provides an app many ways to store data on a device, and Shared Preferences is one of them; but if adequate security measures are not taken, it is possible for a rogue app to read data that another app stored via Shared Preferences
  • The malware stores the bank-related information it collects alongside its other data and uploads it together with that data

Based on our analysis and observations, both the banking applications and the anti-virus solution that the malware targets are catered towards Korean users. These points give a good indication that this is a targeted attack centred on a specific user base. The app has a host of features to steal sensitive user information in a stealthy manner, with services running in the background. An easy way to verify whether your device is infected is to check if there are any running services similar to the ones described in this post.

A potent way to prevent such apps from infecting your device is to install apps only from the Google App Store and think twice before giving an app Device Administrator privileges.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Bankrypt.BT (Trojan)