Researchers have discovered a new variant of the BankBot malware that steals users’ credit card information.
The malware, first discovered in early 2017, creates a fake overlay login screen on top of banking apps and steals the user’s credentials.
The new variant was found in a game named Jewels Star Classic, published by “GameDevTony” on the Google Play store, and it targets the Google Play app itself.
According to ESET researchers: “Subsequently dubbed BankBot, the banking trojan has been evolving throughout the year, resurfacing in different versions both on and outside Google Play. The variant we discovered on Google Play on September 4 is the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.”
The malware waits 20 minutes after the first execution of the Jewels Star Classic app before becoming active. It then shows an alert prompting the user to turn on “Google Service”.
After clicking OK, the user is taken to the Android accessibility services settings, where a new service called “Google Service”, created by the malware, is listed alongside the legitimate ones.
Tapping it shows terms and conditions copied from Google’s genuine terms and conditions. Enabling this service grants the malware the ability to carry out any task it needs.
Once the fake Google Service is enabled, a fake Google service update screen is shown. The malware uses this screen to perform its next steps with the permissions it has been granted.
The malware enables installation of apps from unknown sources, grants device administrator privileges to BankBot, sets BankBot as the default messaging app, and grants itself permission to draw over other apps.
With these permissions, whenever the user launches the Google Play app the malware overlays it with a screen requesting the user’s credit card details, and because BankBot is now the default messaging app it can read incoming verification messages, bypass two-factor authentication, and steal the user’s credentials.
To protect your device from infection, follow the instructions below:
- Always keep “Allow installation from unknown sources” switched off in the security settings, so that apps cannot be installed from third-party or anonymous sources.
- Don’t download attachments from unknown sources.
- Always use the Google Play store to install apps; don’t use third-party app stores.
- Download apps from verified developers, and check an app’s rating and download count before installing it.
- Review an app’s permissions before installing it.
- Install a reputable, up-to-date antivirus/anti-malware product that can detect and block this type of malware.
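As an added triage check (not from the article or ESET), the script below reads Android secure settings captured with `adb shell settings get secure <key>` and flags the three footholds described above: an accessibility service outside an allowlist, unknown-source installs enabled, and a replaced default SMS app. The allowlist, the default SMS app names and the sample values (including the `com.example.jewelsgame` package) are constructed assumptions, not indicators from the page.

```python
# Added example: triage of Android secure settings for the BankBot footholds
# described in the article. Settings values are assumed to have been captured
# with `adb shell settings get secure <key>` on a test device.
from typing import Dict, List

# Accessibility services a fleet considers legitimate (assumption: edit per device image).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Stock messaging apps (assumption: extend for OEM messaging apps).
DEFAULT_SMS_APPS = {"com.google.android.apps.messaging", "com.android.mms"}


def parse_accessibility_services(value: str) -> List[str]:
    """'enabled_accessibility_services' is a ':'-separated list of
    package/ServiceClass entries, or 'null' when none are enabled."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [entry for entry in value.split(":") if entry]


def triage(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a dict of secure-setting values."""
    findings: List[str] = []
    for svc in parse_accessibility_services(
        settings.get("enabled_accessibility_services", "null")
    ):
        if svc not in ACCESSIBILITY_ALLOWLIST:
            findings.append(f"unlisted accessibility service enabled: {svc}")
    # '1' means "Allow installation from unknown sources" is switched on.
    if settings.get("install_non_market_apps", "0").strip() == "1":
        findings.append("installation from unknown sources is enabled")
    sms = settings.get("sms_default_application", "").strip()
    if sms and sms not in DEFAULT_SMS_APPS:
        findings.append(f"default SMS app replaced by: {sms}")
    return findings


# Constructed sample mirroring the infection chain (package name is a placeholder).
SAMPLE_SETTINGS = {
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.example.jewelsgame/com.example.jewelsgame.GoogleService",
    "install_non_market_apps": "1",
    "sms_default_application": "com.example.jewelsgame",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTINGS):
        print(finding)
```

On a clean device the function returns an empty list; each finding corresponds to one of the permissions the article says the malware grants itself.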