Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This malware disguises itself as a banking app to steal info from Android devices

Android Logo.

Mobile banking customers in Brazil are once again being targeted with malware that can take over their devices, exfiltrate sensitive data and ultimately perform wire fraud.

This is according to a new report from cybersecurity researchers ThreatFabric, who recently spotted the campaign and wrote a technical analysis as a warning. As per the researchers, threat actors known as DukeEugene were sending out phishing emails, in which they tricked the recipients into downloading a dropper for Android, called Rocinante.

This dropper, usually impersonating banking apps and telecommunications firms such as Itaú Shop, Santander, Bradesco Prime, or Correios Celular, asks for permissions upon installation, including the dreaded Accessibility Service. Generally speaking, Accessibility Service permissions are reserved for system apps only, and if a commercial app asks for them, it’s usually a red flag signaling potential malware.

Abusing Accessibility Services

If the victim grants these permissions, they can expect to lose sensitive data, and give the attackers control over their mobile device, since in many cases the malware can serve fake bank login pages:

"This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," ThreatFabric said in its report. "Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device."

The stolen data gets exfiltrated to a Telegram bot, the researchers further explained, where it’s served to the attackers in plaintext, ready to be used.

"The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to," ThreatFabric said. "The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number."

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.