A new version of the BankBot Android mobile banking malware has snuck into Google Play, targeting apps of large banks including WellsFargo, Chase, DiBa and Citibank.
A mobile threat intelligence collaboration between Avast, ESET and SfyLabs found that the apps target users in the US, Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore and the Philippines, looking to spy on users, collect their bank login details and steal their money.
“The new version of BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps, tricking users into downloading them, in a first campaign,” explained SfyLabs’ Niels Croese and ESET’s Lukas Stefanko, in a joint blog. “In a second campaign, the solitaire games and a cleaner app have been dropping additional kinds of malware besides BankBot, including Mazar and Red Alert.”
Affected apps include Tornado FlashLight, Lamp For DarkNess and Sea FlashLight; Google removed some of the BankBot-carrying apps from the Play Store within days, but several versions remained active until November 17th—long enough for the apps to infect thousands of users, the researchers said.
They also explained that while Google scans and has measures in place for all apps submitted to the Play Store, the authors of mobile banking trojans have started to use special techniques to circumvent those automated detections.
For instance, they have started “commencing malicious activities two hours after the user gave device administrator rights to the app,” the researchers noted. “Also, they published the apps under different developer names which is a common technique used to circumvent Google’s checks.”
Once active, BankBot functions much like other banking trojans: it overlays a fake user interface on top of the legitimate banking app when the user opens it. As soon as the user enters their bank login details, the criminals collect them and use them to carry out bank transfers on the user's behalf.
Further, the BankBot operators can also intercept their victims’ two-factor authentication text messages.
To stay protected, users should deactivate the option in Google Play to download apps from other sources, and before downloading a new app, check its user ratings. Users should also pay attention to the permissions that an app requests: If a flashlight app requests access to contacts, photos and media files, that should be seen as a red flag.
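The permission red flags described above (overlay drawing, SMS access, contacts and media access, and the device-administrator rights the researchers mention) can be checked mechanically from an app's manifest. The following Python script is an added illustration, not code from the researchers or from any BankBot sample: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and reports permissions that a flashlight has no legitimate need for. The sample manifest, the package name and the mapping of permissions to capabilities are assumptions made for the example.

```python
"""Audit an Android manifest for permissions a simple utility app
(e.g. a flashlight) should not need. Added illustration; the manifest
below is constructed for the example, not taken from a real sample."""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> what it would let a banking trojan do (defender's view).
# The mapping itself is an assumption chosen for this example.
RED_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "draw overlays on top of other apps (fake bank login screens)",
    "android.permission.RECEIVE_SMS":
        "intercept incoming SMS (two-factor authentication codes)",
    "android.permission.READ_SMS":
        "read stored SMS (two-factor authentication codes)",
    "android.permission.READ_CONTACTS":
        "harvest the contact list",
    "android.permission.READ_EXTERNAL_STORAGE":
        "read photos and media files",
}

# A receiver guarded by this permission is a device-administrator component.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest: a flashlight app that requests far more than the
# camera/flash it needs and registers a device-admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight.sample">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Sample FlashLight">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a flashlight app that asks only for the camera.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight.clean">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Clean FlashLight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.findall("uses-permission")]


def requests_device_admin(manifest_xml):
    """True if any <receiver> is protected by BIND_DEVICE_ADMIN."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
               for r in root.iter("receiver"))


def audit_manifest(manifest_xml):
    """Map each red-flag permission found to the capability it grants."""
    findings = {p: RED_FLAGS[p] for p in requested_permissions(manifest_xml)
                if p in RED_FLAGS}
    if requests_device_admin(manifest_xml):
        findings[DEVICE_ADMIN_PERMISSION] = (
            "device administrator rights (hinders uninstall; the researchers "
            "note BankBot starts its activity after these are granted)")
    return findings


if __name__ == "__main__":
    for perm, why in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"RED FLAG {perm}: {why}")
    print("clean manifest findings:", audit_manifest(CLEAN_MANIFEST))
```

The check is deliberately category-aware: the same permissions are unremarkable for a messaging app, so a real reviewer would key the red-flag set to what the app claims to be, exactly as the advice above does for a flashlight.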