Android Malware Targeting Indian Banks

Originally published at: https://cloudsek.com/threatintelligence/android-malware-targeting-indian-banks/

Category: Malware Intelligence
Industry: BFSI
Region: India
Source*: A2

Executive Summary

CloudSEK’s Customer Threat Research Team discovered a malware sample in the wild (ITW) that targeted the customers of Indian Banks.

Analysis:

Analyzing the APKs with BeVigil, CloudSEK’s security search engine for mobile applications, we recovered the source code, the malware’s inner functionality, the permissions it requests, and the URL endpoints the malware was communicating with.

Delivery:

The malware was delivered upon submitting a form that requested information such as Name, Mobile Number and Email Address.

What’s Exfiltrated?

Analyzing the APK file, we discovered that the malware is capable of stealing Credit/Debit Card information and net banking passwords, and of reading SMS so that it can read and submit One Time Passwords on the victim’s behalf.

Note: We believe it is an ongoing activity since multiple samples targeting prominent banks from India were discovered in the last 3 months.

Information from Technical Analysis

The malicious app tricks victims into giving up their Card details and netbanking passwords by luring them with financial rewards.

The malicious app uses the official logos of Indian banks to convince victims that it is a legitimate app for redeeming reward points.

Device Permissions

The app requests a number of permissions when installed on an Android device. Many of these permissions fall into the dangerous permissions category.

These dangerous permissions include permission to read the device call logs, read contacts, read SMS, receive SMS, get and authenticate accounts.

These permissions allow the malware to steal sensitive information from the victim’s device, read and receive SMS, get information about the accounts being used on the device, use these accounts for authentication and even create new accounts.

Persistence Mechanism

The app registers a high-priority intent filter for the device boot broadcast so that it is notified of every reboot and can maintain persistence.

The priority value of 999 ensures the malware learns of the boot event as soon as it happens. This lets the malware restart its broadcast receiver and continue receiving any broadcasts sent across the system by the device OS or other apps.
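The two traits described above (a cluster of dangerous SMS/call-log/account permissions together with a high-priority BOOT_COMPLETED receiver) can be checked mechanically in a decoded AndroidManifest.xml. The following triage script is an added example, not code from the report or from BeVigil; the package name, receiver class and priority threshold are placeholders chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions the report says the app requests; a rewards app needs none of them.
FLAGGED_PERMISSIONS = {
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS", "android.permission.AUTHENTICATE_ACCOUNTS",
}

def triage_manifest(manifest_xml: str, priority_threshold: int = 500) -> dict:
    # Score a decoded AndroidManifest.xml for the traits described in the report.
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    flagged = sorted(requested & FLAGGED_PERMISSIONS)

    # Boot-completed receivers whose intent filter carries a high android:priority
    # (the sample used 999); the threshold is an assumed tuning value.
    high_priority_boot = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            priority = int(flt.get(ANDROID_NS + "priority", "0"))
            if BOOT_ACTION in actions and priority >= priority_threshold:
                high_priority_boot.append((receiver.get(ANDROID_NS + "name"), priority))

    sms_access = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} <= requested
    return {
        "flagged_permissions": flagged,
        "high_priority_boot_receivers": high_priority_boot,
        # The combination matters: SMS interception plus early-boot persistence.
        "suspicious": sms_access and bool(high_priority_boot) and len(flagged) >= 3,
    }

# Constructed manifest mimicking the report's traits (package and class names are placeholders).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewards">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest` over the manifest that apktool produces for a sample; a legitimate rewards app should yield an empty flagged list and no high-priority boot receiver.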

Data Exfiltration

The decompiled source code of the APK is available at https://bevigil.com/src/in.kotak.rewards/source%2Fsources%2Fin%2Fkotak%2Frewards%2FAutoStartService.java

The malware exfiltrates all SMS and call logs from the victim’s device to its C2 server.

It is important to note that all exfiltrated data is encrypted before it is sent to the C2 server.

Encryption Key used for Encryption

Command & Control

Based on the static code analysis of the malware, we can say that the malware is not just stealing data but could also be used to execute commands sent by the Threat Actor.

These commands can be sent by the attacker to the victim’s device to make the malware perform certain actions, such as uploading SMS and call logs to the C2 and even putting the device on Silent Mode.

Because the malware obtains audio manager access at install time, the Threat Actor can put the device on silent mode just before attempting a purchase or transaction with the victim’s credit card, so that the victim does not notice the transaction OTP arriving over SMS.

Once the SMS has been uploaded to the C2, the malware can also delete it, so that the victim cannot find the SMS when checking the phone.

IOCs
