Mobile banking trojans are probably the biggest threat to mobile banking and mobile banking customers. Most mobile banking trojans are Android banking trojans, and the one thing they all have in common is that they abuse the AccessibilityServices API of the Android OS.
Google is painfully aware that this service, designed to help people with disabilities access their device and the apps on it, is being abused by bad actors to commit mobile banking fraud against unsuspecting consumers. To that end, in November 2021, Google introduced new restrictions on the use of the AccessibilityServices API.
Shortly after this, ThreatFabric reported that over 300,000 Android smartphone users had downloaded what turned out to be banking trojans after falling victim to malware that bypassed detection by the Google Play app store. This fraudulent activity resulted in significant financial loss for the targeted banks. The ThreatFabric report also noted that the dropper apps used in these attacks all have a very small malicious footprint. The report concluded that this small footprint is a (direct) consequence of the AccessibilityServices API permission restrictions enforced by Google Play.
The Anatomy of an Android Banking Trojan
Android banking trojans are very different from iOS banking trojans. Yes, iOS is a closed ecosystem, but that does not mean there is no iOS malware. In June 2021, Tim Cook said that “Android has 47x more malware than iOS. Why is that? It’s because we’ve designed iOS in such a way that there’s one App Store and all of the apps are reviewed prior to going on the store. That keeps a lot of this malware stuff out of our ecosystem.” More on this in a future blog.
Most Android banking trojans follow the same script:
- The malware is downloaded from a malicious link or from an app store.
- The malware masquerades as a legitimate app.
- The first step all Android banking trojans take: abuse the Android AccessibilityServices API and trick the user into granting full permissions to the malware.
- This allows fraudsters to launch local, on-device attacks on the mobile banking app.
- The attack vectors are a baker’s dozen: overlays, SMS interception, MFA bypass, keylogging, screen recording, … basically anything the fraudster can think of to harvest the information they need to commit fraud.
- All of which leads to the ultimate goal of the malware: defraud the victim by stealing money.
The Top 10 Mobile Banking Trojans of 2021
These were the top 10 mobile banking trojans of 2021:
- Anubis (next gen)
Android Banking Trojan Timeline
Here’s an overview of some of the top mobile banking trojans from the last couple of years.
| Banking Trojan | Description / What it is famous for | Attack Vectors Used |
|---|---|---|
| Zeus/Zitmo | Zeus is the mother of all banking trojans. Zitmo (Zeus-in-the-Mobile) came out in late 2010. All other mobile banking trojans borrow from Zitmo. | The first malicious program designed to steal mTAN (mobile Transaction Authentication Number) codes, facilitate credential theft and enable fraud loss. |
| Gustuff | The first Android banking trojan that heavily relied on Android’s AccessibilityService to power its RAT functionality. | Abuse AccessibilityServices API; keylogging; browser overlays and even an ATS (Automated Transaction System) on top of the RAT. |
| Anubis | Although no longer officially supported since the conviction of its author, Anubis is still a common choice of criminals when it comes to Android banking malware. | Abuse AccessibilityServices API; overlay attacks; SMS interception / call forwarding; keylogging. |
| Hydra | Hydra has its roots as a “dropper service”. | Abuse AccessibilityServices API; overlay attacks; screencast capabilities; back-connect proxy option, remote app installation, remote screen locking and the possibility to use Google Firebase as command handler. |
| Cerberus | Has taken the place of Anubis as the most “rented” banking malware. | Abuse AccessibilityServices API; exfiltration of PII; RAT feature to perform fraud; steal device screen-lock credentials; steal 2FA tokens from the Google Authenticator application; launch TeamViewer for remote control. |
| Ginp | Fork of Anubis. | Abuse AccessibilityServices API; SMS stealer, overlays, keylogging, screen capture. |
| EventBot | Masquerades as legit Android apps. | Abuse AccessibilityServices API; steal usernames and passwords and intercept two-factor authentication codes sent as text messages. |
| Alien | Fork of Cerberus. | Abuse AccessibilityServices API; dynamic overlays, remote viewing (TeamViewer), SMS harvesting, device info and contacts harvesting, remote control for app install, start, delete and screen locking, push notifications, prevent malware removal, and more. |
| Ghimob | Masquerades as legit Android apps and, once installed, targets various apps on the device to carry out fraudulent transactions. | Abuse AccessibilityServices API; screen recording, remotely unlock device, overlay attacks, prevent delete/uninstall and more. |
| Anatsa | Masquerades as legit Android apps. | Abuse AccessibilityServices API; steal usernames and passwords, and use accessibility logging to capture everything shown on the user’s screen while recording all information entered into the phone. |
| TeaBot | Fork of Anatsa; masquerades as legit Android apps. | Abuse AccessibilityServices API; live broadcast of the device screen; intercept SMS messages, keylogging, steal Google authentication codes to steal bank details and other sensitive information. Copies behavior of FluBot and EventBot. |
| Oscorp | Steals funds from the victims’ home banking service by combining the usage of phishing kits and vishing calls. | Abuse AccessibilityServices API; send, intercept and delete SMS messages; overlay attacks, keylogging and WebRTC protocol abuse capabilities. |
| Vultur | Gets installed via the Brunhilda dropper, which masquerades as a legit Android app. | Abuse AccessibilityServices API; observes everything happening on the device using VNC-based screen recording to harvest PII used to perform fraud. |
| BrazKing | Uses a phishing message with a malicious URL asking users to update the Android OS. (Brazil-specific trojan) | Abuse AccessibilityServices API; uses an overlay attack to direct the session to a malicious server to launch a credential theft attack. |
| BlackRock | Makes use of Android work profiles to gain admin privileges. | Abuse AccessibilityServices API; overlays, keylogging, SMS harvesting, device info harvesting, screen locking, app icon hiding and prevent delete/uninstall to attack banking apps and commit fraud. |
| Medusa | Takes advantage of several social networks such as Telegram, ICQ or Twitter to store the address of the control server to which the trojan must connect. | Abuse AccessibilityServices API; steals as much data as possible from the infected device, in addition to banking credentials. The theft of text messages helps attackers carry out fraud after the theft of credentials, while the theft of the contact list enables distribution in new campaigns through spam. |
| ERMAC | Almost fully based on Cerberus, and operated by the BlackRock actor(s). Masquerades as Google Chrome as well as banking apps, media players, delivery services, government applications, and antivirus solutions like McAfee. | Abuse AccessibilityServices API; steal contact information and text messages, open arbitrary applications, and trigger overlay attacks to swipe login credentials; clear the cache of a specific application and steal accounts stored on the device. |
| SOVA | The most worrying aspect of this trojan is that it is designed to launch future ransomware and DDoS attacks. | Abuse AccessibilityServices API; uses keylogging, notification manipulation and session cookie theft to commit fraud. |
| FluBot | Tricks users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update. | Abuse AccessibilityServices API; steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. |
| Drinik | SMS phishing malware masquerading as an Income Tax Refund that asks victims to install a malicious app. The fake app then asks the user to input all their personal info. When the user clicks “Transfer”, the application shows an error and a fake update screen. In the meantime, the fraudster generates and renders a bank-specific mobile banking screen. The user is then requested to enter their mobile banking credentials, which are harvested by the attacker. (India-specific malware) | Abuse AccessibilityServices API; dynamic overlays. |
| PixStealer | Masquerades as a fake cashback service to target the customers of one specific Brazilian bank. This is a very small app with only one function: transfer all the victim’s funds to the account of the bad actor. (Brazil-specific malware) | Abuse AccessibilityServices API; PixStealer uses a “less is more” technique: as a very small app with minimum permissions and no connection to a C&C, it has only one function: transfer all of the victim’s funds to an actor-controlled account. |
| MalRhino | The big brother of PixStealer. Masquerades as a fake iToken app and was distributed via Google Play. Harvests device info and uses this to launch attacks on specific Brazilian banking apps. (Brazil-specific malware) | Abuse AccessibilityServices API; collects the list of installed applications and sends it to the C&C server together with the victim’s device info; runs bank applications; retrieves the PIN from the Nubank application. |
| SharkBot | SharkBot hides itself with common names and icons, posing as a legitimate application such as Live TV and media player apps. | Abuse AccessibilityServices API; overlay attacks; steal login credentials and credit card information; intercept/hide SMS messages; keylogging; full remote control of an Android device. |
| Anubis (Next Gen) | A modified version of Anubis. Targets customers of almost 400 financial institutions, cryptocurrency wallets, and virtual payment platforms. It is distributed in a novel way: by stealing the identity of a telecommunication service provider and presenting itself as its “official” account management application. | Abuse AccessibilityServices API; collects valuable finance-related data such as SMS messages from the victim, logs keys, exfiltrates files, monitors the screen, harvests GPS data, and takes advantage of other accessibility services enabled on the device. |
I fully expect this list to grow in 2022. Fraudsters are using automated models to attack mobile banking apps and defraud their victims. The only way financial services organizations, banks and fintechs can protect against known and unknown RATs is to deploy a comprehensive security solution like Appdome.
Recommended Security Model to Protect Mobile Banking Apps Against all Mobile Banking Trojans
As most security professionals will say, there is no silver bullet in security. The only good security model is a layered security model. As such, my recommended solution to protect banking apps against all mobile banking trojans is:
- ONEShield – Appdome’s RASP solution that adds anti-debugging, anti-tampering and anti-reversing to the mobile app.
- TOTALCode Obfuscation – fully obfuscates all binary and non-native coding elements in the mobile app.
- TOTALData Encryption – uses AES-256 to dynamically encrypt all the data stored in the application sandbox and throughout the code in preferences, strings, resources, strings.xml values and java class dex files.
- Jailbreak and Root Prevention – prevents an iOS app from running on a jailbroken device and an Android app on a rooted device.
- Secure Communications – prevents the app from connecting to an untrusted server and protects the app against network-based attacks such as Man-in-the-Middle attacks.
- Keylogger Prevention – Auto-detect approved keyboards and stop the use of custom keyboards that may include keylogger software used to exfiltrate keystroke information.
- Detect Accessibility Abuse – Detects any application installed on the device that has too many accessibility services permissions. This privilege escalation is common with all Trojans and RATs.
- Block Android Debug Bridge – Automatically detects Android Debug Bridge (ADB) and prevents the use of ADB for malicious reverse-engineering, debugging, remote shell, etc.
- Block Overlay Attacks – Detect and prevent screen overlay attacks such as those used by Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot from displaying a fake screen on top of the app screen.
- Block Magisk Manager – Identifies and blocks the use of Magisk Manager, an advanced root bypass, root hiding app.
- Block Frida Toolkits – Automatically detect and block Frida-based toolkits from reverse-engineering and instrumenting a mobile app’s UI and logical flow.
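Both the anatomy above (every family starts by obtaining accessibility privileges) and the "Detect Accessibility Abuse" layer come down to one in-app check: which enabled accessibility services hold the capabilities a trojan needs? The following is an added example written for this page, not Appdome's implementation or any vendor code; it uses only the public Android SDK (`AccessibilityManager`, `AccessibilityServiceInfo`, `PackageManager`). The `TRUSTED_PACKAGES` allowlist and the `Finding` class are assumptions of the example.

```java
// Added example (not Appdome's code): audit enabled accessibility services from
// inside a banking app and flag the ones holding capabilities that banking
// trojans rely on (reading window content, injecting gestures, filtering keys,
// subscribing to text changes).
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {

    /** One suspicious service and the reasons it was flagged. */
    public static final class Finding {
        public final String serviceId;      // "package/ServiceClass" from getId()
        public final List<String> reasons;
        Finding(String serviceId, List<String> reasons) {
            this.serviceId = serviceId;
            this.reasons = reasons;
        }
    }

    // Assumption: the app ships an allowlist of accessibility packages it trusts
    // (Google's TalkBack here). Everything else with risky capabilities is reported.
    private static final Set<String> TRUSTED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    public static List<Finding> audit(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return findings; // no accessibility service is running at all
        }
        PackageManager pm = ctx.getPackageManager();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (TRUSTED_PACKAGES.contains(pkg) || isSystemApp(pm, pkg)) {
                continue;
            }
            List<String> reasons = new ArrayList<>();
            int caps = info.getCapabilities(); // API 18+
            // Reading window content is what overlays, credential harvesting and
            // "accessibility logging" are built on.
            if ((caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0) {
                reasons.add("can read window content");
            }
            // Gesture injection lets a RAT drive the banking UI (remote control, ATS).
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                    && (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0) {
                reasons.add("can perform gestures");
            }
            // Key-event filtering is the hook an accessibility-based keylogger uses.
            if ((caps & AccessibilityServiceInfo.CAPABILITY_CAN_REQUEST_FILTER_KEY_EVENTS) != 0) {
                reasons.add("can filter key events");
            }
            // Subscribing to text-change events captures typed passwords and OTPs.
            if ((info.eventTypes & AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) != 0) {
                reasons.add("subscribes to text changes");
            }
            if (!reasons.isEmpty()) {
                findings.add(new Finding(info.getId(), reasons));
            }
        }
        return findings;
    }

    // Services shipped in the system image are excluded from the report.
    private static boolean isSystemApp(PackageManager pm, String pkg) {
        try {
            ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // unknown or not visible: treat as non-system
        }
    }
}
```

Run `AccessibilityAudit.audit(context)` at login and before high-value transactions and feed non-empty results to the app's risk engine. Two caveats a practitioner should keep in mind: on Android 11 and later, `getApplicationInfo` on a package the app has not declared in its manifest `<queries>` throws `NameNotFoundException`, so such packages are simply treated as non-system here; and, as the ThreatFabric report quoted above notes, the dropper itself has a tiny footprint, so the audit only fires once the real payload has been installed and granted accessibility access.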
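The overlay, screen recording and live-broadcast vectors in the table above can also be narrowed from inside the app itself. The following is an added example written for this page, not Appdome's "Block Overlay Attacks" implementation; it relies only on public Android window and touch APIs. `R.layout.activity_login`, `R.id.password` and the `onOverlayDetected` hook are assumptions of the example.

```java
// Added example (not Appdome's code): harden a login screen against overlay and
// screen-capture vectors using standard Android window flags and touch filtering.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.widget.EditText;

public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE excludes this window from screenshots, screen recording and
        // MediaProjection-based screencasts (the VNC / "live broadcast" vectors).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        // Android 12+: ask the system to hide untrusted overlay windows while this
        // window is on top. Needs android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }
        setContentView(R.layout.activity_login);            // assumed layout
        EditText password = (EditText) findViewById(R.id.password); // assumed view id
        // Reject and report touches that arrive while another window is drawn over
        // ours (tapjacking). This is the check android:filterTouchesWhenObscured
        // performs, but done here so the app can also record the event.
        password.setOnTouchListener(new ObscuredTouchGuard());
    }

    /** Consumes obscured touches and reports them to the app's risk telemetry. */
    static final class ObscuredTouchGuard implements View.OnTouchListener {
        @Override
        public boolean onTouch(View v, MotionEvent e) {
            if (isObscured(e)) {
                onOverlayDetected(v);
                return true; // consume: the field never receives the tap
            }
            return false;    // normal delivery
        }

        static boolean isObscured(MotionEvent e) {
            int flags = e.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            }
            return obscured;
        }

        static void onOverlayDetected(View v) {
            // Assumed hook: report to the app's risk engine / telemetry and, for a
            // banking app, typically abort the session rather than continue.
        }
    }
}
```

The touch check only sees taps that actually reach the app's window; a full-screen credential-phishing overlay of the kind Anubis or Ginp draws captures input without ever touching the banking app. That is why it is paired here with `FLAG_SECURE`, `setHideOverlayWindows` and, on the detection side, an audit of which accessibility services are enabled: the layers cover each other's blind spots, which is the point of the layered model this section recommends.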
Request a demo of Appdome today to learn how to protect your mobile banking apps against all mobile banking trojans.