BankBot Trojan bypassed Google’s security checks again
BankBot Android Trojan was first discovered in January 2017[1], right after a sample source code of Android banking Trojan was published on dark web forums. Such interesting source codes quickly catch criminals’ attention because such information can be quickly edited and transformed into a customized virus. Shortly after publication of the source code criminals created BankBot Trojan, which managed to deceive Google security scanner and get into Google Play Store. However, by April, researchers already knew about three campaigns associated with this virus[2], and consequently, the malicious applications were taken down from the Store.
However, cyber criminals didn’t stop at this point and replaced these applications with new ones. A Dutch security firm Securify[3] has detected two brand new BankBot campaigns that managed to slip through security checks of the Google Play Store. Once installed, the Trojan shows a bogus login window on top of legitimate banking applications that the user has on the phone. The trojan collects sensitive data by making the user insert the login details into the fake login window. On top of that, the new version of Trojan is capable of locking the device the same way as ransomware does[4], or controlling and scanning incoming messages in order to successfully read verification codes sent by the bank (to bypass two-step verification procedure). It can basically steal login names and passwords used for any application on the phone, including Facebook, Instagram, Twitter, Snapchat, and others. It seems that scammers managed to affect over 424 official and legitimate banking apps, which were allowing users access Barclays, Erste, Volksbank, Eurobank, Santander, and other bank accounts. One of the malicious apps that contained the banking Trojan was called HappyTime Videos 2017, and it was taken down already.
However, it is clear that malware creators found a way to deceive Google’s security service codenamed ad Bouncer, and now the engineers of the giant company are casting around for a way to solve this program and detect applications that contain this Trojan more efficiently. So far it seems that Android users are quite unlucky when it comes to phone security – there are many cases to mention regarding malware in the official Play Store. The store was already compromised by adware, Trojans such as HummingWhale[5], Svpeng or even ransomware. If you want to avoid installing malware from it, you need to learn how to identify critical applications and not let fake reviews and ratings trick you into installing them!
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
- ^ Doug Olenick. BankBot created with leaked banking trojan source code. SC Magazine. Breaking news on Cybersecurity, Cybercrime, Industry Insight and Security Product Reviews.
- ^ BankBot Malware Once More Hits Google Play. Softpedia. Latest News & Reviews.
- ^ Niels Croese. Banking malware in Google Play targeting many new apps. Securify Blog. Posts about Cyber Security.
- ^ Charlie Osborne. Lockerpin ransomware steals PINs, locks Android devices permenantly. ZDNet. Technology News, Analysis, Comments and Product Reviews.
- ^ Oren Koriat. A Whale of a Tale: HummingBad Returns. Check Point Blog. Threat Research and Security Insights.
