Another Android Trojan targeting Korean Banks (July 18, 2014)

The Dell SonicWALL Threats Research team recently published a blog about an Android malware family targeting specific Korean banks. We have since received reports of yet another Android trojan that targets the same banks and behaves much like the sample analyzed earlier. Like its predecessor, this malicious app looks for specific Korean banking apps on the victim's device, steals sensitive information and sends it to the attacker.

Infection Cycle

During installation the app requests the following permissions:

  • Read SMS
  • Write SMS
  • Receive SMS
  • Send SMS
  • Read Contacts
  • Write Contacts
  • Internet
  • Write External Storage
  • Access Network State
  • Read Phone State
  • Receive Boot Completed
  • Update App OPS Stats
  • Get Tasks
  • Vibrate
  • Kill Background Processes

In addition, the app requests Device Administrator privileges.

After installation the app appears in the app drawer as Google Framework Services, a name chosen to pass for a system component. Several of its post-installation characteristics match those of the Android malware we analyzed previously:

  • The app's icon disappears from the app drawer after the user opens it for the first time
  • Service(s) started by the app remain visible in the Running tab even though the app appears to have crashed
  • The Uninstall button is greyed out, so the app cannot be removed directly; because it holds Device Administrator rights, it must first be deactivated under Settings > Security > Device administrators before it can be uninstalled
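As an added example (not code from the original analysis or from Dell SonicWALL), the following Python script triages a decoded AndroidManifest.xml for the combination of traits described above: the SMS, contacts, phone-state, boot, task and process-kill permissions, a BIND_DEVICE_ADMIN receiver, and a Google-sounding label on a package outside Google's namespaces. The sample manifest is constructed to match the post's description; the package name com.example.gfs and the receiver names are placeholders, not identifiers from the real sample. Manifests inside an APK are binary AXML, so decode the APK (for example with apktool) before running this.

```python
"""Static triage of a decoded AndroidManifest.xml for the traits described
above.  Added example, not code from the original analysis."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions listed in the post, grouped by the capability they give the trojan.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.WRITE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device-id",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
    "android.permission.GET_TASKS": "foreground-watch",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill-av",
}
REPORT_ORDER = ("sms", "contacts", "device-id", "persistence",
                "foreground-watch", "kill-av")
TRUSTED_PREFIXES = ("com.google.", "com.android.")   # assumed "real system" namespaces
SYSTEM_WORDS = ("google", "android", "framework", "service")


def attr(elem, name):
    """Read an android:-namespaced attribute, '' if absent."""
    return elem.get(ANDROID_NS + name, "")


def triage_manifest(xml_text):
    """Return (score, findings) for a decoded manifest; score is the finding count."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []

    granted = {attr(p, "name") for p in root.iter("uses-permission")}
    groups = {}
    for perm, group in PERMISSION_GROUPS.items():
        if perm in granted:
            groups.setdefault(group, []).append(perm)
    for group in REPORT_ORDER:
        if group in groups:
            findings.append(f"{group}: {', '.join(sorted(groups[group]))}")

    for recv in root.iter("receiver"):
        # A device-admin receiver is what leaves the Uninstall button greyed out.
        if attr(recv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"device-admin receiver: {attr(recv, 'name')}")
        for action in recv.iter("action"):
            if attr(action, "name") == "android.provider.Telephony.SMS_RECEIVED":
                findings.append(f"SMS_RECEIVED receiver: {attr(recv, 'name')}")

    # A system-sounding label on a package outside Google's namespaces.
    app = root.find("application")
    label = attr(app, "label") if app is not None else ""
    words = sum(w in label.lower() for w in SYSTEM_WORDS)
    if words >= 2 and not package.startswith(TRUSTED_PREFIXES):
        findings.append(f"system-like label '{label}' on package {package}")

    return len(findings), findings


# Constructed manifest approximating the traits in the post; not the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gfs">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="Google Framework Services">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    score, findings = triage_manifest(SAMPLE_MANIFEST)
    print(f"score {score}")
    for finding in findings:
        print(" -", finding)
```

Any one of these indicators is common in legitimate apps, so the score only means something as a combination: SMS permissions plus a device-admin receiver on a non-Google package carrying a system-like label is the profile worth escalating, and it is exactly the profile the sample above produces.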

The malware sends a GET request to the server at 103.228.65.101 and receives in the response the command/task it should execute on the victim device. The server was unresponsive at the time of writing, but the image below shows resolveTasks(), the function that holds the list of tasks the malware can execute:

Let's look at what actually happens when the malware executes each of these tasks:

  • UploadDetail
    This task gathers sensitive information stored on the device and sends it to the attacker, including:
    • Phone number
    • IMEI number
    • The entire contacts list

    One notable item in the upload is the bank list. As mentioned above, this malware targets specific Korean banking apps. For each targeted app present on the device, an abbreviation identifying that app is sent, so the attacker learns which banks the victim uses. The target list contains the same banks as the previous malware. The image below shows the information sent, with the banking apps marked:

    (Image: Android Malware Bankrypt)

  • PopWindow
    This task replaces the targeted banking apps present on the device. Those banking apps require the AhnLab V3 Mobile Plus security solution to be installed, so before a banking app can be replaced the malicious app first kills V3 Mobile Plus, which runs in the background:

    It then displays the message "The new version has been released. Please use after reinstallation", uninstalls the targeted banking app and replaces it with an app downloaded from the server:

  • UploadSMS
    This task POSTs the SMS messages stored on the device to the attacker's server
  • UpdateMe
    The malicious app checks for a newer version of itself and downloads it if one is available.

Additional observations about the Malware:

  • Some functions, such as BankHijack, FilterSms and RunIntents, are incomplete, indicating that this piece of malware is still a work in progress

  • The malware targets specific Korean banks, and the module that retrieves the contacts on the device pays special attention to Chinese phone numbers:

    This is a strong indication of the likely origin of the campaign and of its region-specific targets

As discussed above, this malware shares many similarities with the sample we analyzed a few days earlier. At the same time, a few differences suggest that it is an evolved version of the previous strain:

  • SMS theft is new in this version of the malware
  • The previous malware stored stolen data on the SD card as a zip archive; this version keeps it in a database, from which sensitive user information is read and sent to the attacker in a POST request

  • Some functionality is still incomplete

Based on these observations we expect further evolved versions of this malware, targeting the same or additional banks, to appear on the Android malware landscape in the near future.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Bankrypt.BH_2 (Trojan)