During routine research activities, Cyble researchers found a variant of a banking Trojan that spreads through Android applications and steals the user’s sensitive information. Based on a post on Twitter, the fake banking application impersonates the prosecutor’s office of South Korea, with Korea as the primary target.
A banking Trojan is a malicious piece of software designed to gain unauthorized access to confidential information stored or processed through online banking systems. Generally, a Trojan performs malicious activities without the knowledge of the user. It establishes remote access connections, captures keyboard inputs, collects system information, downloads/uploads files in the victim’s machine, drops various malware into the infected system, performs Denial-of-Service (DoS) attacks, and runs or terminates processes.
Among various types of Trojans, attackers extensively use banking Trojans for multiple purposes, such as monitoring user activity and collecting sensitive data. Also known as ‘Spybot,’ these are one of the top 3 preferred malware tools. These banking Trojans pretend to be legitimate applications and spy on targeted victims after installation.
The malware sample we found belongs to a banking Trojan family and targets Android mobile devices. Once the attacker has installed the malware on the victim’s device, it performs the malicious activities listed below:
- Stealing usernames and passwords for online banking services
- Collecting the user’s banking information (cardholder name, card number, CVV, and expiration date)
- Gathering call logs and contacts
- Reading SMS content from the device and storing the data on the device
- Reading SMS notifications received on the user’s device
- Collecting device information
- Keylogging
Technical Analysis:
Cyble researchers obtained a sample of the banking Trojan and performed a technical analysis on it. The malware sample used for the analysis is:
e609ac709a6b80b0ceb58c646735fc597db0483ff637e93acf9be028c07900d7
Package Name: com.android.ktspo
Main Activity: pkgflag.cocknut.yummy.MainActivity
We performed static analysis of the sample and found that the application declares the many permissions listed in Figure 1.

Figure 1 Permissions Requested by the App
On performing dynamic analysis of the sample, the application launches its main activity and displays the main screen, as shown in Figure 2.

Figure 2 App’s Main Screen
Some of the permissions, services, and receivers that may be used for malicious activity are listed below:
Permissions
- android.permission.DISABLE_KEYGUARD
- android.permission.PROCESS_OUTGOING_CALLS
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.INTERNET
- android.permission.ACCESS_FINE_LOCATION
- android.permission.WRITE_CALL_LOG
- android.permission.READ_CALL_LOG
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.RECORD_AUDIO
- android.permission.WRITE_CONTACTS
- android.permission.CALL_PHONE
- android.permission.READ_PHONE_STATE
- android.permission.READ_SMS
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.CHANGE_WIFI_STATE
- android.permission.RECEIVE_SMS
- android.permission.READ_CONTACTS
Activities:
- pkgflag.cocknut.yummy.MainActivity
- org.groobe.fuick.KeepActivity66
Services:
- pkgflag.hide.deeper.service.CoreService
- pkgflag.hide.deeper.service.LocationService
- pkgflag.standalone.WindowInService
- pkgflag.standalone.WindowOutService2
- org.groobe.service.LocalService33
- org.groobe.HideForegroundService55
- org.groobe.JobHandlerService44
- org.groobe.service.RemoteService22
Receivers:
- kgflag.hide.receiver.CallReceiver
- net.company.NotificationClickReceiver77
Intent Filters by Action:
- android.intent.action.MAIN
- android.intent.action.PHONE_STATE
- android.intent.action.NEW_OUTGOING_CALL
- android.intent.action.USER_PRESENT
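The manifest items above are what an analyst checks first when triaging an APK. The following script is an added example (not Cyble’s tooling) that parses a decoded AndroidManifest.xml and flags the combination this post describes: a cluster of SMS, call-log, contact, audio and overlay permissions together with receivers listening for call and unlock broadcasts. The embedded manifest excerpt is constructed from the post’s listings and is not the real APK’s file.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions from the post's listing that, taken together, point to spyware/banker behaviour.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.DISABLE_KEYGUARD",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CALL_PHONE",
}
# Broadcast actions the post lists; they let a component wake on call or unlock events.
RISKY_ACTIONS = {"android.intent.action.PHONE_STATE",
                 "android.intent.action.NEW_OUTGOING_CALL",
                 "android.intent.action.USER_PRESENT"}

def triage_manifest(xml_text: str) -> dict:
    """Parse a decoded AndroidManifest.xml and report the risky items it declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    risky_perms = sorted(perms & RISKY_PERMISSIONS)
    risky_actions = sorted(actions & RISKY_ACTIONS)
    # Heuristic verdict: a cluster of sensitive permissions plus telephony/unlock listeners.
    return {"package": root.get("package"), "risky_permissions": risky_perms,
            "risky_actions": risky_actions,
            "suspicious": len(risky_perms) >= 5 and bool(risky_actions)}

# Constructed manifest excerpt modelled on the post's listings (not the real APK's file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.ktspo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <receiver android:name="kgflag.hide.receiver.CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to get the package name, the matched permissions and actions, and the verdict; point it at the output of apktool or a similar decoder for a real sample.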
The app uses the permissions granted by the user to perform the following activities on the device:
- Tracking the user’s location from the compromised device

Figure 3 Code for Location Tracking
- Checking for internet connectivity in the infected device

Figure 4 Query on Internet Connectivity
- Recording audio and collecting media content from the infected device

Figure 5 Media content collected from the device
- Accessing the private ITelephony interface to block phone calls

Figure 6 Blocking Phone calls using Telephony Manager
- Terminating processes running on the device

Figure 7 Killing the processes of the device
- Registering services and receivers through an intent action when the screen is turned off

Figure 8 Registers the service/receivers when the screen is in off status
- Checking for the network operator name

Figure 9 Query for the Operator name of the network
- Encrypting the collected device information

Figure 10 Code for encrypting device information
- Using the outgoing-call permission to monitor outgoing calls

Figure 11 Monitoring outgoing calls
- Collecting the list of installed packages from the infected device

Figure 12 Code that fetches the list of installed packages from the device
- Storing the information collected from the device in strings

Figure 13 Collects the lists of information
The sensitive information collected by the malware is sent to the Command-and-Control (C2) server, using the code showcased in Figure 14.

Figure 14 C2 builder using Header Interceptor
C2 link: hxxp[:]//103.147[.]12.89/api/interfaceA
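Exfiltration to a fixed C2 URL is something network defenders can catch in proxy logs. The script below is an added example (not part of the original post) that refangs the post’s defanged IoCs and scans constructed proxy log lines for the C2 URL or any other request to the C2 host; the log format (timestamp, client, method, URL, status) is an assumption.

```python
import re

# IoCs exactly as the post prints them (defanged).
DEFANGED_IOCS = ["hxxp[:]//103.147[.]12.89/api/interfaceA", "103.147.12[.]89"]

HOST_RE = re.compile(r"^https?://([^/:]+).*$")

def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp, [:], [.]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def build_matchers(iocs):
    """Split refanged IoCs into a host set (IPs and URL hosts) and a full-URL set."""
    hosts, urls = set(), set()
    for ioc in map(refang, iocs):
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(HOST_RE.sub(r"\1", ioc))
        else:
            hosts.add(ioc)
    return hosts, urls

def scan_proxy_log(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, reason) for each log line that touches a C2 URL or host."""
    hosts, urls = build_matchers(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:          # malformed line: skip rather than crash
            continue
        url = parts[3]
        host = HOST_RE.sub(r"\1", url)
        if url in urls:
            hits.append((n, "C2 URL"))
        elif host in hosts:         # same host, different path: still worth an alert
            hits.append((n, "C2 host"))
    return hits

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2021-08-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2021-08-01T10:00:07Z 10.0.0.5 POST http://103.147.12.89/api/interfaceA 200",
    "2021-08-01T10:00:09Z 10.0.0.5 GET http://103.147.12.89/update 404",
    "2021-08-01T10:00:12Z 10.0.0.7 GET https://103.147.12.90/ 200",
]
```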
This banking Trojan family has always kept a simple code structure and launched new campaigns from time to time. The challenge with this malware is the ease with which cybercriminals can obtain and modify its code to launch a sophisticated attack.
Safety Recommendations:
- Verify the privileges and permissions requested by apps before granting access.
- Install mobile applications only from trusted application stores.
- Keep your antivirus software updated so that it can detect and prevent malware infections.
- Keep your system and applications updated.
- Use strong passwords and enable two-factor authentication during logins.
- People concerned about the exposure of their stolen credentials in the darkweb can register at AmIBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques for Mobile:
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Credential Access | T1412 | Capture SMS Messages |
| Discovery | T1430 | Location Tracking |
| Discovery | T1426 | System Information Discovery |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1424 | Process Discovery |
| Collection | T1430 | Location Tracking |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Collection | T1433 | Access Call Logs |
| Collection | T1429 | Capture Audio |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1447 | Delete Device Data |
| Exfiltration | T1532 | Data Encrypted |
Indicators of Compromise (IoCs):
| IoC | IoC Type |
|---|---|
| e609ac709a6b80b0ceb58c646735fc597db0483ff637e93acf9be028c07900d7 | SHA256 |
| hxxp[:]//103.147[.]12.89/api/interfaceA | Interesting URL |
| 103.147.12[.]89 | Suspicious IP address (communicating IP) |
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.