Banking Trojan Targets Spanish BBVA Bank Customers
In May 2020, the BBVA bank issued a warning about an Android malware campaign where a malicious app was distributed through smishing.
Recently, Cyble Research Labs came across a Twitter post in which a researcher mentioned that this Android malware was spreading through smishing campaigns, disguised as official messages from the BBVA bank.
This indicates that the campaign is still live and actively targeting BBVA bank customers.
BBVA bank users have highlighted this campaign on Twitter and posted screenshots of the SMSs sent by the Threat Actor (TA). These SMSs contain a message that translates to, “Your bank account has been suspended. For your safety, it is mandatory to log in from the BBVA protect app. Download it here”.
Figure 1 shows the SMS received by BBVA bank users.

The TA has designed this campaign to steal the account balance and banking credentials of BBVA bank users. Once the user clicks the phishing link in the received SMS, the site asks the user to download the malicious BBVA Protect app, which pretends to be a legitimate BBVA bank application.
Technical Analysis
APK Metadata Information
- App Name: BBVA Protect
- Package Name: com.gallery.become
- SHA256 Hash: caee54ae322d5418f051e468c13a4ec04263f02f8b8bd6b5db34e388dbbb331a
Figure 2 shows the metadata information of the application.

Manifest Description
The malicious application asks for 27 permissions, of which the TA exploits 6. The harmful permissions requested by the malware are listed below:
Permission | Description |
RECEIVE_SMS | Allows an application to receive SMS messages |
READ_SMS | Allows an application to read SMS messages |
SYSTEM_ALERT_WINDOW | Allows an app to create windows shown on top of all other apps. |
READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
RECORD_AUDIO | Allows an application to record audio |
WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
Source Code Review
Apart from the application’s subclass, the rest of the components identified from the Manifest file are missing – indicating that the application is packed.

Upon execution, the malicious application unpacks the DEX file present in the assets folder and then loads the classes. In this case, the dropped DEX file is named “baq.json” and contains all the missing classes.
Once installed, the application loads the URL “hxxps://movil[.]bbva[.]es” into a WebView, which redirects the user to the phishing site “hxxps://movil[.]bbva[.]es/apps/woody/index[.]html”.
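A static triage check for the packing pattern described above, written as an added example (not code from the analyzed sample or from Cyble): it scans an APK's assets folder for DEX files hidden behind another extension and for ".json" files that are not JSON. It assumes the payload may be stored either as a plain DEX or as opaque bytes; the sample archive, "config.json" and "blob.json" are constructed for illustration.

```python
import io
import json
import zipfile
from typing import Optional

DEX_MAGIC = b"dex\n"  # DEX header: "dex\n" + 3-digit version + NUL


def classify_asset(name: str, data: bytes) -> Optional[str]:
    """Return a finding for one assets/ entry, or None if it looks benign."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "embedded-dex" if ext == "dex" else "dex-with-misleading-extension"
    if ext == "json":
        try:
            json.loads(data.decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            return "json-extension-but-not-json"  # possibly an encrypted payload
    return None


def scan_apk(apk_bytes: bytes) -> dict:
    """Map each suspicious assets/ path in the APK (a ZIP archive) to its finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            verdict = classify_asset(info.filename, apk.read(info))
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not the real APK: a ZIP laid out as the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)      # stub loader
        z.writestr("assets/baq.json", b"dex\n035\x00" + b"\x00" * 32)  # DEX posing as JSON
        z.writestr("assets/config.json", b'{"lang": "es"}')            # genuine JSON
        z.writestr("assets/blob.json", bytes([0x9C, 0xFF, 0x13, 0x80]))  # opaque bytes
        z.writestr("assets/jscript.js", b"/* placeholder */")
    return buf.getvalue()


if __name__ == "__main__":
    for path, verdict in scan_apk(build_sample_apk()).items():
        print(f"{path}: {verdict}")
```

To triage a real file, pass its contents to `scan_apk`, for example `scan_apk(open(path, "rb").read())`.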
The phishing site impersonates BBVA bank and asks the users for credentials such as username (NIF, NIE, ID card, or Passport) and password.

After loading the phishing page into the WebView, the malware injects the malicious JavaScript files “jscript.js” and “jscript2.js”, which are present in the assets folder, to steal the account balance information and credentials entered by the victim, as shown below.

The image below shows the code the malware uses to send the account balance information and credentials to the Command and Control (C&C) server, “hxxps://privasol[.]xyz/banzreceiver/receiver[.]php?id=”, by injecting the JavaScript files.
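For detection, the C&C endpoint above can be matched against web proxy logs. The following is an added example, not code from the article or the malware: it refangs the indicator in memory and classifies each logged request, covering CONNECT lines where only the host is visible and rejecting lookalike hosts. The log layout (timestamp, client, method, target, status) and all sample lines are assumptions constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Defanged C&C endpoint exactly as printed in the article; refanged only in memory.
C2_ENDPOINT = "hxxps://privasol[.]xyz/banzreceiver/receiver[.]php?id="


def refang(ioc: str) -> str:
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")


def classify_request(target: str) -> Optional[str]:
    """Return 'exfil-endpoint', 'c2-host' or None for one logged request target."""
    want = urlsplit(refang(C2_ENDPOINT))
    # CONNECT lines carry only host:port; give urlsplit a netloc to parse.
    got = urlsplit(target if "://" in target else "//" + target)
    host = (got.hostname or "").rstrip(".")
    if host != want.hostname and not host.endswith("." + want.hostname):
        return None  # lookalikes such as <c2 host>.example.com do not match
    has_id = "id" in parse_qs(got.query, keep_blank_values=True)
    if got.path.lower() == want.path and has_id:
        return "exfil-endpoint"
    return "c2-host"


def scan_proxy_log(lines):
    """Assumed log layout: timestamp client method target status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        verdict = classify_request(fields[3])
        if verdict:
            hits.append((fields[1], fields[2], verdict))
    return hits


def sample_log():
    """Constructed log lines; addresses, timestamps and id values are made up."""
    c2 = refang(C2_ENDPOINT)
    path = "/banzreceiver/receiver.php?id=1"
    return [
        f"2021-01-01T09:12:01Z 10.0.8.21 POST {c2}abc123 200",
        "2021-01-01T09:12:05Z 10.0.8.22 CONNECT PRIVASOL.xyz:443 200",
        f"2021-01-01T09:13:40Z 10.0.8.33 GET https://privasol-xyz.example{path} 200",
        f"2021-01-01T09:14:02Z 10.0.8.40 GET https://privasol.xyz.example.com{path} 404",
        "malformed line",
    ]


if __name__ == "__main__":
    for client, method, verdict in scan_proxy_log(sample_log()):
        print(client, method, verdict)
```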

The malware defines an SMS Receiver class to collect incoming SMSs from the victim’s device. The incoming SMSs could contain OTPs, which can be used to bypass Two-Factor Authentication and steal money from the victim’s bank account.

The above analysis is a classic example of a sophisticated phishing attack implemented within an Android app that can steal account balance and banking credentials and can intercept SMSs to bypass Two-Factor Authentication.
Conclusion
The campaign has been actively spreading across Spain since 2020, rapidly targeting BBVA Bank users. Although the bank has warned its users not to download any application from such SMS links, some users may unintentionally download the app and log in to the phishing site, incurring monetary losses and potentially falling victim to financial fraud.
Users should treat such SMSs as untrustworthy to avoid getting infected with this malware and report phishing SMSs to the bank to stop this malware infection chain.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access | T1476 | Deliver Malicious App via Other Means |
Initial Access | T1444 | Masquerade as Legitimate Application |
Defense Evasion | T1406 | Obfuscated Files or Information |
Credential Access | T1412 | Capture SMS Messages |
Exfiltration | T1567 | Exfiltration over web services |
Input Capture | T1417 | Input Capture |
Indicators of Compromise (IOCs)