Malicious Android banker for Sberbank (February 24, 2017)

The SonicWall Threats Research team observed reports of another Android banker that targets a specific bank; this time the target is a Russian bank, Sberbank.

Infection Cycle

Once the APK is installed and opened, an overlay covers the entire screen and asks for device administrator access; the text is in Russian. There is no way for the user to dismiss this overlay, so the user is forced to grant the privileges. Upon receiving administrator access, however, the app displays an error message (shown in the images below) and closes its user interface. This gives the user the impression that the app stopped working, but in reality it keeps running in the background.

The app initiates a WebSocket connection with the attacker and uses this protocol to perform further communication:

The app transmits sensitive data stored on the device to the attacker:

  • Sensitive device-related data:
    • IMEI
    • Operator Name
    • Phone number
    • Country
  • User’s contact list:

During our analysis the app attempted to send an SMS to Sberbank, a Russian banking and financial services company. As seen in the image below, the app sends the message “balance” to the number 900, a facility Sberbank provides to its customers for checking their account balance:
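The behaviours described so far (a device-administrator prompt, exfiltration of IMEI, operator, number and contacts, an Internet channel, and outbound SMS) each require a specific Android permission or manifest entry, so a decoded manifest is a quick first triage point. The script below is an added example written for this post, not code from SonicWall or from the sample. It assumes the manifest has been decoded to plain XML (for instance with apktool) and treats the permission-to-behaviour mapping, the scoring threshold, the `.AdminReceiver` class name and the benign manifest as constructed assumptions; only the package name `com.jfaxw.azatbtvf` is taken from the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Permissions an app needs for the behaviours described in the post.
# The mapping is this example's assumption; the post itself lists no permissions.
RISKY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "IMEI, operator name, phone number",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.SEND_SMS": "SMS to the bank's short code",
    "android.permission.INTERNET": "WebSocket channel to the attacker",
    "android.permission.SYSTEM_ALERT_WINDOW": "full-screen overlay",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the banker-like combination."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    matched = {p: RISKY_PERMISSIONS[p]
               for p in sorted(requested & set(RISKY_PERMISSIONS))}
    # A receiver guarded by BIND_DEVICE_ADMIN is the hook behind the
    # "grant administrator access" prompt described above.
    admin_receivers = [r.get(NAME_ATTR) for r in root.iter("receiver")
                       if r.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"]
    score = len(matched) + (2 if admin_receivers else 0)
    return {
        "package": root.get("package"),
        "matched": matched,
        "admin_receivers": admin_receivers,
        "score": score,
        "suspicious": score >= 5,  # threshold chosen for this example
    }


# Constructed manifest resembling what the post describes (not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.jfaxw.azatbtvf">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="app">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="notes"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Any single permission here is common in legitimate apps; the signal is the combination, particularly a device-admin receiver together with SEND_SMS and READ_CONTACTS in an app that has no business reason for them. Treat the score as a reason to look closer, not as a verdict.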

The code in the app is obfuscated to make it harder for automated tools and security analysts to understand its real purpose:

This app carries an image of the Sberbank logo in its resources folder:

We installed the official Sberbank app on the device but did not see any activity that used this image. In the past we have seen apps that show a custom overlay image when a particular targeted app is opened on an infected device; that was not the case here. Perhaps the image is intended for a future version of this app.

Overall, this is yet another targeted Android banker that attempts to extract sensitive user information and send SMS messages to perform specific actions.

MD5 of the sample (package name com.jfaxw.azatbtvf):

  • a52d34bc0271b5668b42346fec9df662

SonicWALL provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.SB (Trojan)

The sample communicated with the following domain and IP address:

  • jkj13kfhk2j42fo17h2deh3lk3hkl4gk.com
  • 185.110.132.96
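The indicators above can be turned directly into a small triage script. The code below is an added example for this post, not SonicWall's tooling: it takes the MD5, package name, domain and IP exactly as listed in the post, and checks them against a file, a network log and an SMS log. The log lines, the SMS records and the `com.example.bankapp` allowlisted package are constructed for the example (the post does not name the official bank app's package, so the allowlist is left to the caller).

```python
import hashlib
import re

# Indicators of compromise as listed in the post.
IOC_MD5 = {"a52d34bc0271b5668b42346fec9df662": "com.jfaxw.azatbtvf"}
IOC_NETWORK = ("jkj13kfhk2j42fo17h2deh3lk3hkl4gk.com", "185.110.132.96")

# Match indicators only as whole tokens, so 185.110.132.96 does not
# also hit an unrelated 185.110.132.960-style string.
_IOC_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(i) for i in IOC_NETWORK) + r")(?![\w.-])"
)


def match_apk_hash(apk_bytes: bytes):
    """Return the package name if the file's MD5 is a listed IoC, else None."""
    return IOC_MD5.get(hashlib.md5(apk_bytes).hexdigest())


def scan_network_log(lines):
    """Return (line_number, indicator) for every line touching the listed C2."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = _IOC_RE.search(line)
        if m:
            hits.append((number, m.group(1)))
    return hits


def scan_sms_log(records, allowed_packages=frozenset()):
    """Flag a 'balance' SMS to 900 from any package the caller has not allowlisted."""
    flagged = []
    for rec in records:
        if (rec["dest"] == "900"
                and rec["body"].strip().lower() == "balance"
                and rec["package"] not in allowed_packages):
            flagged.append(rec["package"])
    return flagged


# Constructed sample data (not real captures).
SAMPLE_NETWORK_LOG = [
    "2017-02-24T10:01:02Z dns query A jkj13kfhk2j42fo17h2deh3lk3hkl4gk.com from 10.0.0.5",
    "2017-02-24T10:01:03Z tcp 10.0.0.5:51234 -> 185.110.132.96:80 GET /ws upgrade websocket",
    "2017-02-24T10:01:04Z tcp 10.0.0.5:51235 -> 185.110.132.960:80 near-miss, must not match",
    "2017-02-24T10:02:00Z dns query A example.com from 10.0.0.5",
]
SAMPLE_SMS_LOG = [
    {"package": "com.jfaxw.azatbtvf", "dest": "900", "body": "balance"},
    {"package": "com.example.bankapp", "dest": "900", "body": "balance"},  # hypothetical legitimate app
    {"package": "com.jfaxw.azatbtvf", "dest": "+15551234567", "body": "hi"},
]

if __name__ == "__main__":
    print("hash:", match_apk_hash(b"constructed bytes, not the sample"))
    print("network:", scan_network_log(SAMPLE_NETWORK_LOG))
    print("sms:", scan_sms_log(SAMPLE_SMS_LOG, {"com.example.bankapp"}))
```

The SMS check is the most useful of the three beyond this one sample: the hash and domain will change with every rebuild, but a non-bank package sending the bank's balance keyword to its short code is behaviour, and it survives re-obfuscation.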