In our Open-Source Threat Hunting, Quick Heal Security Researchers encountered a banking Trojan named Aberebot capable of stealing sensitive information from infected devices, including financial and personal data.
Malware authors used advanced anti-reverse engineering and obfuscation techniques to avoid detection. From our investigation, the fake malicious application requires some dangerous permissions, as shown in Fig 01:
Fig 01. Advanced permissions sought by the malware application
The malware has various capabilities, including:
- Collecting contact information.
- Intercepting OTPs from the infected device.
- Managing the list of installed applications on the device.
- Sending SMSs to the contacts based on the commands received from the C2 server.
- Stealing credentials of social media accounts and banking portals.
- Monitoring the victim device by leveraging the BIND_ACCESSIBILITY_SERVICE permission.
- Using the Telegram API to communicate with the C&C server hosted on a Telegram bot account.
Last month Android security researchers came across a new banking malware named “Escobar.” This malware is the latest variant of the banking Trojan Aberebot. It comes with some new features in its new avatar, but it is not using Telegram for C2 communication. The main agenda of this Trojan is to trick users and steal sensitive information from victims.
The new variant of this malware (Escobar) uses a name and icon like a legitimate app. This malicious APK has the package name “com.escobar.pablo”.
Fig 02. Application icon
The application requests some dangerous permissions, including:
- Read/write the storage
- Send SMS
- Get Accounts
- Disable Keyguard, etc.
It also has capabilities that steal sensitive data such as contacts, SMS, call logs, and device location. In addition to recording calls and audio, the malware also deletes files, sends SMS, makes calls, and takes pictures using the camera based on the commands received from the C&C server operated by the malware authors.
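The capability and permission lists above describe a recognisable static profile: SMS read/send, account enumeration, keyguard disabling and an accessibility service all declared by one app. The following script is an added example, not Quick Heal's tooling and not code from the malware, showing how an analyst can triage a decoded AndroidManifest.xml (as produced by apktool) for that profile. The risk weights, the `triage` rules and both sample manifests are this example's own assumptions; only the package name `com.escobar.pablo` is taken from the post, and the constructed manifest is not the real Escobar manifest.

```python
"""Static manifest triage for the Aberebot/Escobar permission profile.

Added example: parses a decoded AndroidManifest.xml, scores the
permissions the post associates with this family, and flags the
SMS + accessibility-service combination used for OTP interception.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Weights are this example's own choice, not a Quick Heal scoring scheme.
RISK_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.CALL_PHONE": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.GET_ACCOUNTS": 1,
    "android.permission.DISABLE_KEYGUARD": 2,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
}

# Constructed sample mirroring the permission set described in the post.
# NOT the real Escobar manifest; only the package name comes from the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.escobar.pablo">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank Rewards">
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for contrast (hypothetical photo app).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photos">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Photos"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, accessibility services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    a11y = [s.get(NAME_ATTR) for s in root.iter("service")
            if s.get(PERM_ATTR) == ACCESSIBILITY]
    return root.get("package"), perms, a11y


def triage(xml_text):
    """Score the manifest and list the combinations worth an analyst's attention."""
    pkg, perms, a11y = parse_manifest(xml_text)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    sms = {p for p in perms if p.endswith("_SMS")}
    findings = []
    if a11y:
        score += 4  # accessibility binding is the screen-monitoring primitive
        findings.append("accessibility service declared: " + ", ".join(a11y))
    if sms and a11y:
        findings.append("SMS access combined with accessibility service (OTP interception pattern)")
    if "android.permission.DISABLE_KEYGUARD" in perms and a11y:
        findings.append("keyguard disabling with accessibility service (remote-control pattern)")
    verdict = "suspicious" if score >= 10 or (sms and a11y) else "low-risk"
    return {"package": pkg, "score": score, "sms_permissions": sorted(sms),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against a manifest extracted with `apktool d app.apk` to get a quick first-pass verdict; a declared accessibility service on its own is common in legitimate apps, which is why the rule only escalates when it co-occurs with SMS or keyguard permissions.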
The Escobar malware has some new additional features.
- It uses VNC Viewer to remotely control the screen of an infected device.
Fig 03. VNC commands used by Escobar
- The malware tries to steal Google Authenticator codes on the malware author’s command.
Fig 04. 2FA code stealing.
- Escobar can also kill itself whenever it gets the command from the C&C server.
Fig 05. Code used to abort.
Banking malware also uses various themes to trick users. We have seen some applications pretending to be banking reward applications and using the icons of legitimate Indian banking applications.
Fig 06. Application icon
The malware can steal credit/debit card information, internet banking passwords, and SMS to read/submit one-time generated passwords on the victim’s behalf.
Fig 07. Asking for card details.
All the data is encrypted before being sent to the C2 server. These malicious applications can execute commands on the victim’s device transmitted by the malware authors, like uploading SMS, call logs, etc.
When all the SMSs have been uploaded to the C2 server, the malware can also delete all the SMSs from the victim’s mobile device.
Fig 08. Code used to delete SMS
Quick Heal Detection
Quick Heal detects these malicious applications under variants of the “Android.Agent” and “Android.Banker” names.
Indicators of Compromise (IOCs):
One should have trusted AVs like “Quick Heal Mobile Security for Android” to mitigate such threats and protect you from downloading malicious applications on your mobile device.
As illustrated above, banking malware uses new techniques to lure users by using icons of legitimate applications. These banking Trojans can cause much harm to infected devices. These kinds of banking Trojans are sold by threat actors on dark web forums and use various websites and third-party stores for spreading. Users should be aware of such fake claims and not download and install such applications from untrusted sources.
TIPS TO STAY SAFE
- Download applications only from trusted sources like Google Play Store.
- Don’t click on any links received through messages or any other social media platforms, as they may be intentionally or inadvertently pointing to malicious sites.
- Read the pop-up messages you get from the Android system before accepting/allowing any new permissions.
- Malware authors spoof legitimate applications’ names, icons, and developer names. So, be extremely careful about what applications you download on your phone.
- For enhanced protection of your phone, always use antivirus like Quick Heal Mobile Security for Android.