Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.BankBot.149.origin

Added to the Dr.Web virus database: 2017-01-20

Virus description added:

SHA1:

  • 27806e7f4a4a5e3236d52e432e982915ce636da4

A banking Trojan that targets Android devices. It is distributed under the guise of benign programs, e.g., Google programs with the Play Store icon.

screen Android.BankBot.149.origin #drweb

When launched, Android.BankBot.149.origin prompts the user to grant it administrative privileges and deletes its icon from the home screen.

screen Android.BankBot.149.origin #drweb

The Trojan can receive the following commands from the command and control server:

  • Send SMS – to send SMS;
  • Go_P00t_request – to request administrator privileges;
  • |UssDg0= - to send a USSD request;
  • nymBePsG0 – to request the list of phone numbers from the contact list;
  • |telbookgotext= – to send SMS messages with the text from its command to the entire contact list;
  • Go_startPermis_request – to request additional permissions SEND_SMS, CALL_PHONE, READ_CONTACTS, ACCESS_FINE_LOCATION on devices with Android 6.0 and higher;
  • Go_GPSlocat_request - to get GPS coordinates;
  • state1letsgotxt - to receive an executable file containing a list of attacked banking applications;
  • |startinj= – to display phishing window WebView with content downloaded from the link specified in a command.

Android.BankBot.149.origin checks a mobile device for the presence of the following banking applications and payment systems:

  • Sberbank Online – ru.sberbankmobile;
  • Sberbank Business Online – ru.sberbank_sbbol;
  • Alfa-Bank - ru.alfabank.mobile.android;
  • Alfa-Business – ru.alfabank.oavdo.amc;
  • Visa QIWI Wallet - ru.mw;
  • R-Connect mobile bank – ru.raiffeisennews;
  • Tinkoff – com.idamob.tinkoff.android;
  • PayPal – com.paypal.android.p2pmobile;
  • WebMoney Keeper – com.webmoney.my;
  • ROSBANK Online – ru.rosbank.android;
  • VTB24-Online – ru.vtb24.mobilebanking.android;
  • MTS Bank – ru.simpls.mbrd.ui;
  • Yandex.Money: online payments – ru.yandex.money;
  • Sberbank Onl@n PJSC SBERBANK - ua.com.cs.ifobs.mobile.android.sbrf;
  • Privat24 – ua.privatbank.ap24;
  • Russian Standard mobile bank – ru.simpls.brs2.mobbank;
  • UBANK - financial supermarket - com.ubanksu;
  • Idea Bank – com.alseda.ideabank;
  • IKO – pl.pkobp.iko;
  • Bank SMS – com.bank.sms;
  • OTP Smart – ua.com.cs.ifobs.mobile.android.otp;
  • VTB Online (Ukraine) – ua.vtb.client.android;
  • Oschad 24/7 – ua.oschadbank.online;
  • Platinum Bank – com.trinetix.platinum;
  • UniCredit Mobile – hr.asseco.android.jimba.mUCI.ua;
  • Raiffeisenbank Online – ua.pentegy.avalbank.production;
  • Ukrgasbank – com.ukrgazbank.UGBCardM;
  • StarMobile – com.coformatique.starmobile.android;
  • Chase Mobile – com.chase.sig.android;
  • Bank of America Mobile Banking – com.infonow.bofa;
  • Wells Fargo Mobile – com.wf.wellsfargomobile;
  • TD International – com.wsod.android.tddii;
  • TD Spread Trading – com.directinvest.trader;
  • Akbank Direkt – com.akbank.android.apps.akbank_direkt;
  • Yapı Kredi Mobil Bankacılık – com.ykb.android;
  • ÇEKSOR – com.softtech.iscek;
  • JSC İŞBANK – com.yurtdisi.iscep;
  • İşCep – com.pozitron.iscep;
  • İşTablet – com.softtech.isbankasi.

Information on found matches is sent to the C&C server. The Trojan receives a list of files to be monitored from execution. After one of them is launched, Android.BankBot.149.origin displays WebView on top of the attacked application with a fraudulent authentication form to access the user account. Then the entered information is sent to the server. The following are the examples of such fraudulent authentication forms:

screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb
screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb

Android.BankBot.149.origin also tries to steal bank card information. To do that, it tracks launch of the following programs:

  • WhatsApp (com.whatsapp);
  • Play Store – com.android.vending;
  • Messenger – com.facebook.orca;
  • Facebook – com.facebook.katana;
  • WeChat – com.tencent.mm;
  • Youtube – com.google.android.youtube;
  • Uber – com.ubercab;
  • Viber – com.viber.voip;
  • Snapchat – com.snapchat.android;
  • Instagram – com.instagram.android;
  • imo – com.imo.android.imoim;
  • Twitter – com.twitter.android.

After the launch of one of these applications, the Trojan displays a bogus dialog resembling the one used to make purchases on Google Play:

screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb screen Android.BankBot.149.origin #drweb

When an SMS message arrives, the Trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original messages from the list of incoming SMS messages to hide them from the user.

Android.BankBot.149.origin also sends the server data on installed popular anti-virus software that can interfere with its work. To do that, the Trojan checks the device for the following applications:

  • Anti-virus Dr.Web Light – com.drweb;
  • CM Security AppLock AntiVirus – com.cleanmaster.security;
  • Kaspersky Antivirus & Security – com.kms.free;
  • ESET Mobile Security & Antivirus – com.eset.ems;
  • Avast Mobile Security & Antivirus – com.avast.android.mobilesecurity;
  • Clean Master (Boost&Antivirus) – com.cleanmaster.mguard;
  • 360 Security - Antivirus – com.qihoo.security;
  • AVG AntiVirus FREE for Android – com.antivirus;
  • Antivirus Free - Virus Cleaner – com.zrgiu.antivirus;
  • Super Cleaner - Antivirus – com.apps.go.clean.boost.master;
  • AndroHelm AntiVirus Android 2017 – com.androhelm.antivirus.free;
  • TrustGo Antivirus & Mobile Security – com.trustgo.mobile.security;
  • Sophos Free Antivirus and Security – com.sophos.smse.

News about the Trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android