Topic: Android Malware Pairs Man-in-the-Middle With Remote-Controlled Banking Trojan

[Pez]

Android Malware Pairs Man-in-the-Middle With Remote-Controlled Banking Trojan

Based on the Android malware that we’ve seen so far, one of the principal motivations to develop and spread malware on Android is to gain financial profit. We often see deceptive applications that send SMS messages to premium-rate numbers without the user’s consent or that run man-in-the-middle attacks to forward SMS messages to an attacker with a user’s mTANs (Mobile Transaction Numbers). In the latter case, the attacker uses the information to defeat the two-factor authentication security scheme used by several banks and financial entities around the world. Examples of this last type of threat are the well-known Trojan bankers Zeus and SpyEye, which includes in the latest versions of its PC malware a new module that targets Android. In general, those malicious applications are not complex compared with more sophisticated threats. However, the situation may have changed: With the recent discovery of a new Android malware that has the man-in-the-middle functionality but, unlike Zeus and SpyEye, also can be controlled remotely and can grab the initial password from a mobile device without infecting the user’s PC.

The malicious application targets specific well-known financial entities posing as a Token Generator application. In fact, when the application is installed, the malware uses the logo and colors of the bank in the icon of the application, making it appear more credible to the user:



When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (same variant of the malware but with different payload):



To get the fake token, the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers from an XML file inside the original APK. This information, along with other parameters of the malware, are loaded and stored in another XML file inside the device:



The first two lists are used to run the man-in-the-middle attack because they filter the incoming SMS messages to get only the ones that have mTANs. If the originating address and message body are found in the “catch” list, the content is sent to the default control server. The SMS can also be forwarded to the number specified in the XML if it is configured in the “catch” list with the attribute “toSms.”

As soon as the initial registration is done, the malicious application creates a scheduled system event to program the execution of itself at some point in the future. The time when this event occurs depends on the values “timeConnection” and “period,” which are defined in a configuration file. When this happens, a background service starts that creates and executes a thread which listens for commands sent from control servers. These commands update most of the configuration settings–the server list, the catch/delete list and phone number used to receive the stolen mTANs, and the initial password. However, there are other interesting commands that add self-update or spyware capability to the malware:

1.sendContactList: Obtains the list of contacts stored in the device (name and number) and uses an open-source framework to  serialize the list of contacts to send them to the control server.
2.updateUrl: Contains the URL used to download an APK file in the download folder of the SD card. The APK could be an update of the same malware or another malicious application. Once the APK is downloaded, a custom user interface is loaded with the text and title sent by the control server, to trick the user to install the new application.
 
Android malware that targets financial entities is in constant evolution: From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update itself to, for example, modify a phishing attack to get other required credentials–such as the name or the ID number of the user–to perform electronic fraud. Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear. McAfee Mobile Security detects this threat as Android/FakeToken.A.


Orginal article: Wednesday, March 14, 2012 at 2:37pm by Carlos Castillo

[Samker]

Thanks for info's pal. 



Related to this problem, my recommendation to all SCforum's visitors to install some, at least Free one, protection for Smartphones: http://scforum.info/index.php/board,28.0.html


IME, Avast works perfectly.  

[Pez]

Do you use your Android device for mobile banking? If so, be careful, McAfee has discovered a new Trojan that mimics an online banking app, and sends your login information to criminals. Learn more about this threat here and "share" this post with your friends to help protect them.
 
McAfee warns of Android-based mobile banking Trojan

Android users that use their device for mobile banking could be at risk from a new Trojan that mimics the signing-on process for banking apps but sends the log-in details to criminals, according to security firm McAfee.
 
Previous attempts at creating mobile banking malware have relied on being able to also infect users PCs, said Carlos Castillo, a malware researcher at McAfee Labs.

But the newly-detected FakeTrojan.A will run purely on an Android handset, using a man-in-the-middle strategy to get users to handover their two-factor log on credentials, he warned on a McAfee Labs blog.
 
“[It] can be controlled remotely and can grab the initial password from a mobile device without infecting the user’s PC,” said Castillo.
 
The attacks works by presenting users with a fake token generating screen, designed to look like certain banking applications.
 
Once a user enters the first factor of authentication, the Trojan displays a fake token, while sending the password on to the crooks, along with other details used to identify the device.
 
The Trojan then scans the handsets for so-called mobile transaction authorisation numbers (mTAN), which banks send out via SMS.
 
These mTANs are generated by some online banking systems when a user initiates a transaction, sending the data to the user's mobile handset via SMS.
 
But with the user's initial log-on credentials and an mTAN the attacker will be able to make fraudulent transactions, said Castillo.
 
“Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear,” he added.
 
Previous versions of mobile banking malware, such as Zeus-in-the-mobile – or Zitmo – have sent covert requests to the victim's bank from their infected handsets in order to obtain a mTAN.

http://www.v3.co.uk/v3-uk/news/2159753/mcafee-warns-android-mobile-banking-trojan

[Samker]

Do you use your Android device for mobile banking? If so, be careful, McAfee has discovered a new Trojan that mimics an online banking app, and sends your login information to criminals. Learn more about this threat here and "share" this post with your friends to help protect them.
 
...

I'm not and not planning to do that...