Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.BankBot.80.origin

Added to the Dr.Web virus database: 2015-10-27

Virus description added:

  • dec7aec692fed8473f0fc3cab1b10726bf9ee107
  • 7c7536ed7a5ff60021398240c0799512fb8c52a4
  • 228963460817b4aaac27e2fcdfc121a20571b099 (detected as Android.SmsBot.472.origin)

An Android Trojan that serves the purpose of stealing money from mobile devices' users. It can be disguised as a harmless application, for example, as an official banking application or a voting program.

Once the malicious program is installed and run, the Trojan makes an attempt to acquire administrator privileges prompting the user again and again to give their consent.

screen Android.BankBot.80.origin #drweb

The Trojan scans the user's contact list sending to all numbers SMS messages that look as follows: Hi! Vote for me http://******konkurs.ru/ (“Привет, проголосуй за меня http://******konkurs.ru/”). The link from such a message leads to a fraudulent website supposedly related to some photo contest. From this website, a modification of Android.BankBot.80.origin detected by Dr.Web as Android.SmsBot.472.origin gets downloaded to the victim's device. Moreover, depending on the operating system of the device, the website offers owners of smartphones and tablets to install a special program for voting.

screen Android.BankBot.80.origin #drweb

While sending spam messages, the Trojan connects to the command and control server at http://****bora.com/api/?id=3 forwarding it information about the infected Android device. The information includes the following data:

  • method=install — request type;
  • &id=FKLKJDFSWXXXXXXXXXXXXXXX — infected device ID, where FKLKJDFSW indicates the parameter from the Trojan's body and XXXXXXXXXXXXXXX indicates IMEI;
  • &operator= — mobile network operator;
  • &model= — model name;
  • &os= — OS version;
  • &phone= — phone number;
  • &imei= — IMEI;
  • &version= — Trojan version;
  • &country= — system language.

After that, Android.BankBot.80.origin waits for further commands from cybercriminals periodically connecting to the remote node to get new instructions. The Trojan can execute the following commands:

  • call_number—forward calls to a specified number;
  • sms_grab—set a time interval for concealing incoming SMS messages (if a message is received during this interval, the Trojan blocks a corresponding system prompt deleting the message);
  • sms_send—send an SMS message;
  • ussd—send a USSD query;
  • delivery—send an SMS message with specific text to all numbers from the contact list;
  • new_url—set a new command and control server address;
  • install_true—save the inst flag changes to the configuration file (AppPrefs).

When the user receives a message, the Trojan forwards information regarding that message to the command and control server. If by using the sms_grab command a time interval for concealing incoming SMS messages has been set, the Trojan blocks the corresponding system prompt deleting the message.

If the delivery command is executed, all incoming calls will be forwarded to +79009999999:

callforward(this.context, "*21*+79009999999#"),

As a result, the victim will not be able to receive incoming calls.

This malicious program can stealthily steal money from mobile accounts, bank accounts, and payment system accounts.

News about the Trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android