Active Android malware campaign steals Credit Card and Banking related information from infected devices (November 5, 2015)


Dell SonicWALL Threats Research Team discovered a new Android campaign that aims at stealing Credit Card and Banking related information from infected devices. Malicious apks (Android packages) that are part of this campaign use the official Google Playstore as a conduit to trick victims into entering their Credit Card information; this data is then silently passed on to the attacker. The malicious apks also monitor the activity of a few hardcoded apps and try to steal the login information, which is likewise passed to the attacker. Most of these targeted apps are Financial in nature, thereby elevating the potency of this threat.

The malicious apps have additional functionality of remotely executing commands that are received via SMS messages as well as transferring device related data to the attackers. This further increases the amount of personal information that can be extracted from the victims.

Infection Cycle

During our analysis we observed a lot of similarities between the malicious apks that are part of this campaign. The permissions requested by each apk during installation are identical:

  • Write Settings
  • Get Tasks
  • Access Network State
  • Internet
  • Send SMS
  • Vibrate
  • Wake Lock
  • Read Contacts
  • Change Component Enabled State
  • Read Phone State

Once installed the malicious apk appears in the app drawer and requests device administrator privileges. Upon gaining these privileges the app vanishes from the app drawer but continues to function in the background. The below image illustrates this behavior for one particular apk from this campaign:

Each sample then starts capturing device related information and transmits it to its respective hardcoded server. The following information is sent as a POST request:

  • Device IMEI
  • Country
  • Android OS version
  • Device model
  • Applications installed – These are picked up from the /data/data folder of the device

Every malware in this campaign has a service named GPService running in the background. The sole objective of this service is to monitor the current activity running on the screen:
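
The permission profile listed above, the device-administrator request and the GPService component are all visible in a decoded manifest, so they can be checked before a sample is ever run. The following triage script is an added example (not SonicWALL's code or any tool from the write-up): it parses a constructed AndroidManifest.xml, measures the overlap with this campaign's permission set, and flags the combination of foreground monitoring (GET_TASKS), SMS and a device-admin receiver that the write-up describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"

# Permissions every apk in this campaign requests (the list above), as manifest constants.
CAMPAIGN_PERMISSIONS = {
    "android.permission.WRITE_SETTINGS",
    "android.permission.GET_TASKS",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.READ_CONTACTS",
    "android.permission.CHANGE_COMPONENT_ENABLED_STATE",
    "android.permission.READ_PHONE_STATE",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Extract the campaign-relevant indicators from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # A device-admin component is a receiver protected by BIND_DEVICE_ADMIN.
    admin_receiver = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                         for r in root.iter("receiver"))
    services = [s.get(NAME) or "" for s in root.iter("service")]
    return {
        "permission_overlap": sorted(requested & CAMPAIGN_PERMISSIONS),
        "exact_permission_match": requested == CAMPAIGN_PERMISSIONS,
        "device_admin_receiver": admin_receiver,
        "gpservice_present": any(s.endswith("GPService") for s in services),
    }

def is_suspicious(report: dict) -> bool:
    """Flag the foreground-monitoring + SMS + device-admin profile described in the write-up."""
    core = {"android.permission.GET_TASKS", "android.permission.SEND_SMS"}
    return report["device_admin_receiver"] and core <= set(report["permission_overlap"])

# Constructed sample manifest (not taken from a real sample) mirroring the described apks.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake">'
    + "".join(f'<uses-permission android:name="{p}"/>' for p in sorted(CAMPAIGN_PERMISSIONS))
    + '<application><service android:name=".GPService"/>'
    '<receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">'
    '<intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>'
    '</receiver></application></manifest>'
)

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_suspicious(triage_manifest(SAMPLE_MANIFEST)))
```

A manifest decoded with apktool or aapt can be fed in the same way; the exact-match flag is specific to this campaign, while is_suspicious catches variants that keep the core behaviour but change the package name or target list.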

Stealing Credit Card information via Google Play

When the victim opens the Google Playstore, a screen prompt asking for credit card information appears after a brief moment. Normally the credit card information prompt is displayed only when a user tries to buy a paid app on the Playstore, but in this case the victim sees the prompt a few seconds after opening the Playstore. In reality this prompt comes from the malicious app, which identifies via GPService that the Playstore has been opened. It can be seen in the image below that the credit card prompt is actually coming from the malicious app and not the Playstore, but for the victim the transition is seamless:

The fake prompt does not go away even if the victim clicks the Back button; it stays on the screen, thereby becoming an annoyance. The Google Play Store app has seen a lot of changes/updates since its inception, so to a layman it might appear that a credit card prompt on the opening screen is one of the new updates to the Play Store. It is possible that a victim may enter his credit card information believing this, or simply to get rid of the prompt out of sheer annoyance. Once the credit card information is entered it is silently transmitted to the attacker’s server as expected:

Stealing Banking credentials

We observed that every apk in this campaign targets certain apps that involve credit card expenditures; the majority of these were mobile Banking applications. Similar to using Google Play as a medium, the malicious apk monitors the activity of certain hardcoded apps:

Once the victim opens a targeted app (Commonwealth Bank app in this case) the malicious apk shows its own spoofed login screen:

The malicious app sticks with the basic Black and Yellow theme of the legitimate banking app but someone careful enough can spot differences between the two experiences.

We have a few additional observations regarding this campaign:

  • None of the apps we analyzed are currently present on the Official Google Play Store which is good
  • Apart from the package names, hardcoded server addresses and target apps, there is very little change in the code structure
  • We observed the following hardcoded applications that are targeted to be spoofed apart from Google Play:

  • The malicious apps are installed with the names and icons of famous apps to further add to their legitimacy
  • Based on Virustotal data these apps seem to be fairly new with the oldest one being a month and few weeks old:

  • Most of the malicious applications we analyzed were in English apart from one that was in French
  • The banking related component did not work correctly for some apps; this indicates that the campaign is still evolving and we can expect more modules to be added in future

Overall this campaign aims at extracting Credit Card and Banking data from its victims. It is not very widespread as of now but considering the number of targeted apps this campaign can gain momentum in the long run.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.CStealer (Trojan)
  • GAV: AndroidOS.CStealer_2 (Trojan)
  • IPS: Credit Card Information Stealing Android App Traffic
