Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Android Banking Malware. Show all posts

Over 467 Apps Hit by the ERMAC 2.0 Android Banking Trojan

 

The ERMAC Android banking virus has been updated to version 2.0, increasing the number of apps targeted from 378 to 467, allowing attackers to steal account passwords and crypto wallets from a much greater number of apps.

Threatfabric researchers found ERMAC in July 2021, notably it is based on the well-known banking trojan Cerberus. Cerberus' source code was released in September 2020 on underground hacking forums after its operators failed an auction. The trojan's goal is to send stolen login credentials to threat actors, who then use them to gain access to other people's banking and cryptocurrency accounts and commit financial or other crimes.

ERMAC is currently available for subscription to members of darknet sites for $5,000 a month, that is a $2k increase over the first release's price, indicating the boost in features and popularity. A bogus Bolt Food application targeting the Polish market is the first malware campaign to use the new ERMAC 2.0 virus. According to ESET researchers, the threat actors disseminated the Android software by impersonating a reputable European food delivery business on the "bolt-food[.]site" website. This phony website is still active. 

Phishing emails, fraudulent social media posts, smishing, malvertising, and other methods are likely to lead users to the false site. If users download the program, they will be confronted with a request for complete ownership of private data.

Following ESET's early discovery, Cyble researchers examined the malware. ERMAC determines whether programs are installed on the host device before sending the data to the C2 server. The answer contains encrypted HTML injection modules which match the application list, which the virus decrypts and saves as "setting.xml" in the Shared Preference file. When the victim tries to run the real program, the injection operation takes place, and a phishing page is displayed on top of the original one. The credentials are forwarded to the same C2 that is responsible for the injections.

The following commands are supported by ERMAC 2.0:

  • downloadingInjections — sends the application list for injections to be downloaded.
  • logs — this command sends the injection logs to the server.
  • checkAP — check the status of the application and transmit it to the server. 
  • registration – sends information about the device.
  • updateBotParams — sends the bot parameters that have been updated.
  • downloadInjection — this function is used to download the phishing HTML page. 

EMAC 2.0 targets financial apps from all over the world, making it appropriate for use in a wide range of nations. A large number of apps supported makes this a dangerous piece of malware, but it's worth mentioning that it would have issues in Android versions 11 and 12, thanks to extra limits implemented by Google to prevent misuse of the Accessibility Service.

Android Banking Malware Spreads Using a Bogus Google Play Store Website

 

An Android banking trojan aimed at Itaú Unibanco has used an unusual technique to spread to devices, the actors created a page that looks remarkably similar to Android's official Google Play app store in order to deceive visitors into thinking they are installing the software from a reliable service. The Trojan poses as Itaú Unibanco's official banking app and uses the same icon as the legitimate app. 

Banco Itaú Unibanco S.A. is a Brazilian financial services firm based in São Paulo. Founded in 2008 by the merging of Banco Itaú and Unibanco, Itaú Unibanco is the largest bank in Brazil, as well as the largest in Latin America and the Southern Hemisphere, and the world's 71st largest bank. It is also one of the world's twenty most valuable banks. It has approximately 33,000 service sites worldwide, 3,527 of which are in Brazil, as well as around 28,000 ATMs and 55 million customers. 

When the user clicks on the "Install" button, they are prompted to download the APK, which is the first indication of fraud. Google Play Store apps are always installed through the store interface, never requiring the user to manually download and install programmes. Cyble researchers examined the malware and discovered that when it is executed, it attempts to launch the genuine Itaú app from the Google Play Store. If that is successful, it will utilize the actual app to carry out fraudulent transactions by modifying the user's input fields.

During installation, the software does not request any unsafe permissions, preventing suspicious or risky detection from AV tools. Instead, it intends to use the Accessibility Service, which is all that mobile malware requires to overcome all security on Android systems. According to a recent research by Security Research Labs, "we are currently dealing with an Android malware Accessibility abuse epidemic, and Google has failed to patch the targeted flaw." As a result, only the user has the ability to detect indicators of abuse and stop the infection before it has a chance to cause harm to the device. 

According to the researchers, if you want to enjoy the ease of mobile e-banking, download the app from the bank's official website or the Google Play Store. Furthermore, apply app updates as soon as they become available, and utilize an AV tool from a reliable vendor. Use a strong password and enable multi-factor authentication on the app to ensure optimal account security.

New Android Banking Malware Targeting Mexican Users to Steal Financial Credentials

 

McAfee Mobile Malware Research Team has discovered an android banking malware targeting Mexican users by posing as a security banking tool or as a banking app designed to report an out-of-service ATM. 

In both scenarios, the banking malware depends on the sense of urgency to tempt targets to use the malicious app. If the target falls into a trap, this banking malware steals authentication factors crucial to accessing accounts on the targeted financial institutions in Mexico.

How does this malware spread?

Scammers use malicious phishing page that provides real banking security tips (copied from the original bank site) to lure potential victims into downloading a malicious app as a security tool or as an app to report out-of-service ATM. 

Researchers believe scammers are targeting android users by scam phone calls, a common methodology in Latin America. Fortunately, this malicious app has not been identified on Google Play yet, it can only be downloaded through a third-party website. 

Here’s how to protect yourself 

During the Covid-19 pandemic, financial institutions adopted various new ways to engage the clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the ‘new normal’ to interact remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past. 

Android banking users in Mexico are advised to be cautious while accessing emails and attachments, and restrict themselves from downloading an app via unsecured websites. Organizations and individuals should keep their systems updated with the latest security patches for the operating systems and applications. They should also enable multi-factor authentication on their accounts, if possible, McAfee Mobile Malware Research Team advised.

Last month, researchers at the security firm ThreatFabric discovered a banking malware dubbed “Vultur” in Android apps downloaded from Google Play, it attempts to steal banking login information. The Vultur malware used code to recognize when a data entry form is being used by the victim then takes a screen grab, and finally begins keylogging. All of the data captured by the malware is then routed to a site specified by its designers.