Android users have been warned about the source code of another Exobot banking malware variant (v. 2.5) that has leaked online. It was first detected in May 2018 and has been dubbed "Trump Edition." The leak is expected to result in a surge of malicious Android apps now that the malware's source code is available on dark web hacking forums, according to Tripwire.
"The Trojan gets the package name of the foreground app without requiring any additional permissions. This is a bit buggy, still, but works in most cases. The interesting part here is that no Android permissions are required. All other Android banking Trojan families are using the Accessibility or Use Stats permissions to achieve the same goal and therefore require user interaction with the victim," ThreatFabric security researcher Cengiz Han Sahin told Bleeping Computer.
It's no secret that bank websites and banking apps are under constant attack, and using Android Trojans to target banking apps is fairly commonplace. With this new Trump Edition, though, security experts have two primary concerns: First, whenever an infected Android device visits a financial institution's website, the overlay attack steals the user's credentials. Second, the release of any mobile banking malware's source code means it will quickly spread across devices.
An increase in these types of attacks could have long-term implications that would likely impact more than financial institutions. "The data this malware is targeting will impact not only banks and their customers but also e-commerce companies and other industries," said Ryan Wilk, VP of customer success at NuData Security, a Mastercard company.
“Personally identifiable information extracted from Exobot-infected devices will quickly find its way to the dark web, where it can be used against the account holder’s account, as well as other online accounts.”
This source code leak could lead to a spike in overlay attacks, according to Frederik Mennes, senior manager of market and security strategy at OneSpan's security competence center. "Malware on the user's mobile device shows a window on top of the genuine mobile banking app that looks very similar to the genuine app. In this way the malware aims to trick the user into entering his credentials into the overlay window."