Android Malware Pairs Man-in-the-Middle With Remote-Controlled Banking Trojan

Based on the Android malware that we’ve seen so far, one of the principal motivations to develop and spread malware on Android is to gain financial profit. We often see deceptive applications that send SMS messages to premium-rate numbers without the user’s consent or that run man-in-the-middle attacks to forward SMS messages containing a user’s mTANs (Mobile Transaction Numbers) to an attacker. In the latter case, the attacker uses the information to defeat the two-factor authentication scheme used by several banks and financial entities around the world. Examples of this last type of threat are the well-known banking Trojans Zeus and SpyEye, which include in the latest versions of their PC malware a new module that targets Android. In general, those malicious applications are not complex compared with more sophisticated threats. However, the situation may have changed with the recent discovery of a new Android malware that has the man-in-the-middle functionality but, unlike Zeus and SpyEye, can also be controlled remotely and can grab the initial password from a mobile device without infecting the user’s PC.

The malicious application targets specific well-known financial entities posing as a Token Generator application. In fact, when the application is installed, the malware uses the logo and colors of the bank in the icon of the application, making it appear more credible to the user:

When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (same variant of the malware but with different payload):

To get the fake token, the user must enter the first factor of authentication (the password used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers in an XML file inside the original APK. This information, along with other parameters of the malware, is loaded and stored in another XML file on the device:

The first two lists are used to run the man-in-the-middle attack because they filter the incoming SMS messages to get only the ones that have mTANs. If the originating address and message body are found in the “catch” list, the content is sent to the default control server. The SMS can also be forwarded to the number specified in the XML if it is configured in the “catch” list with the attribute “toSms.”

As soon as the initial registration is done, the malicious application creates a scheduled system event to run itself again at some point in the future. The time when this event occurs depends on the values “timeConnection” and “period,” which are defined in the configuration file. When this happens, a background service starts that creates and executes a thread which listens for commands sent from the control servers. These commands update most of the configuration settings: the server list, the catch/delete lists and the phone number used to receive the stolen mTANs, and the initial password. However, there are other interesting commands that add self-update or spyware capability to the malware:

  1. sendContactList: Obtains the list of contacts stored on the device (name and number) and uses an open-source framework to serialize the list of contacts before sending it to the control server.
  2. updateUrl: Contains the URL used to download an APK file into the download folder of the SD card. The APK could be an update of the same malware or another malicious application. Once the APK is downloaded, a custom user interface is loaded with the text and title sent by the control server, to trick the user into installing the new application.
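To make the configuration-driven SMS filtering described above concrete for an analyst triaging a sample, here is an added Python example that is not part of the original post or of the malware. It parses a constructed XML configuration, pulls out the indicators a defender would block or hunt for (control-server URLs and the “toSms” forwarding numbers), and shows which inbound messages the catch and delete lists would act on. The element and attribute names (`servers`, `server`, `item`, `from`, `body`), the exact-sender/substring-body matching, and the precedence of the delete list over the catch list are all assumptions; the page only names the “catch” and “delete” lists, the “toSms” attribute, and the “timeConnection” and “period” values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an assumed schema; not the real malware's file.
# Only the names catch, delete, toSms, timeConnection and period come from
# the write-up; everything else is a placeholder for illustration.
SAMPLE_CONFIG = """<config timeConnection="1800" period="3600">
  <servers>
    <server url="http://c2-primary.example.invalid/gate"/>
    <server url="http://c2-backup.example.invalid/gate"/>
  </servers>
  <catch>
    <item from="BANKALERT" body="mTAN"/>
    <item from="+10005550100" body="code" toSms="+10005550199"/>
  </catch>
  <delete>
    <item from="BANKALERT" body="security notice"/>
  </delete>
</config>
"""


def parse_config(xml_text):
    """Parse the assumed schema into a plain dict for triage."""
    root = ET.fromstring(xml_text)

    def rules(list_name):
        return [
            {"from": i.get("from", ""), "body": i.get("body", ""), "toSms": i.get("toSms")}
            for i in root.findall(f"./{list_name}/item")
        ]

    return {
        "servers": [s.get("url") for s in root.findall("./servers/server")],
        "catch": rules("catch"),
        "delete": rules("delete"),
        "timeConnection": int(root.get("timeConnection", "0")),
        "period": int(root.get("period", "0")),
    }


def extract_iocs(cfg):
    """Indicators worth blocking or hunting for: C2 URLs and exfiltration numbers."""
    numbers = sorted({r["toSms"] for r in cfg["catch"] if r["toSms"]})
    return {"urls": list(cfg["servers"]), "phone_numbers": numbers}


def _matches(rule, sender, body):
    # Assumption: exact sender match and case-insensitive substring match on the body.
    return rule["from"] == sender and rule["body"].lower() in body.lower()


def route_sms(cfg, sender, body):
    """Classify one inbound SMS the way the write-up describes the malware handling it.

    Returns one of:
      ("delete", None)           matched the delete list (suppressed; assumed semantics)
      ("exfil+forward", number)  matched a catch rule with toSms: sent to C2 and forwarded
      ("exfil", None)            matched a catch rule: sent to the default control server
      ("ignore", None)           no rule matched; the message is left alone
    Delete rules are checked first; that ordering is an assumption.
    """
    for rule in cfg["delete"]:
        if _matches(rule, sender, body):
            return ("delete", None)
    for rule in cfg["catch"]:
        if _matches(rule, sender, body):
            if rule["toSms"]:
                return ("exfil+forward", rule["toSms"])
            return ("exfil", None)
    return ("ignore", None)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("IoCs:", extract_iocs(cfg))
    print("Next check-in window (s):", cfg["timeConnection"], "every", cfg["period"])
    for sender, body in [("BANKALERT", "Your mTAN is 482913"),
                         ("+10005550100", "Login code 7781"),
                         ("BANKALERT", "Security notice: new device"),
                         ("FRIEND", "see you at 8")]:
        print(sender, "->", route_sms(cfg, sender, body))
```

Running the script against a configuration recovered from an infected device tells an analyst which bank sender IDs the sample was built for, where the stolen mTANs go, and which messages the victim would never have seen; those are the inputs for blocking the control servers and for notifying the affected bank.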


Android malware that targets financial entities is in constant evolution: from simple man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can capture more than one factor of authentication and update themselves, for example to modify the phishing page so that it asks for other required credentials, such as the name or the ID number of the user, in order to commit electronic fraud. Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear. McAfee Mobile Security detects this threat as Android/FakeToken.A.