Revive Android trojan impersonates BBVA bank 2FA application

The banking trojan targets users of Spanish financial services, posing as a two-factor authentication app

The malware impersonates the 2FA application needed for the bank account login to collect personal details and credentials

Android banking malware dubbed Revive was discovered impersonating the two-factor authentication application needed to log in to BBVA bank accounts in Spain. This trojan follows the campaign targeting the bank instead of trying to compromise its customers.[1] The malware appears to be in the development stage, but its functions are advanced and can intercept the authentication process, according to the Italian cybersecurity researchers on the Cleafy team.[2]

It was observed on June 15th this year and is mainly distributed via phishing[3] campaigns. The threat can restart if the malware stops working suddenly, so particular operations can be revived, hence the name of the banking trojan. It is tailored to target the Spanish bank in particular.

The malware is available for download on various phishing pages and rogue platforms. Users are tricked into installing it because the malware poses as the BBVA bank application that is required for two-factor authentication. It seems that the author only tweaked the available Teardroid code[4] and incorporated new features before releasing this new malware into the wild.

Reviving operations if terminated

Researchers named the Android banking trojan for its function of restarting itself if the process gets disabled. Analysts state that the malware targets particular victims with messages about the requirement to upgrade bank account safety, and pushes the installation of the 2FA tool that is needed to log in to the bank platform normally.

The phishing campaign claims that the needed functionality embedded in the bank application does not meet security requirements, so the new tool needs to be installed to upgrade the security state of the banking application and accounts. The program is hosted on a particular website with a professional appearance.

The shady website even has a video tutorial showing the instructions for downloading and installing. Once the Revive trojan is installed, it asks for permission to use the Accessibility Service,[5] which grants the criminal complete control of the screen. Screen taps and navigation actions can then be performed without additional permission from the user.

Collecting valuable information from the keystrokes

Users are asked to grant access to SMS and phone calls, so the trojan runs in the background as a keylogger and records everything that the user does on the device. Those details are sent to the command and control server periodically, so private information is collected and credentials end up in the hands of threat actors.
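A triage check for the permission combination described above (an Accessibility Service plus SMS and phone-call access), as an added example that is not from the original article or from Cleafy's analysis. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the sample manifests, package names and the specific SMS and call permissions chosen are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping of "SMS and phone calls" to manifest permissions; tune to policy.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMS = {"android.permission.READ_PHONE_STATE",
              "android.permission.CALL_PHONE",
              "android.permission.READ_CALL_LOG"}

def triage_manifest(manifest_xml: str) -> dict:
    """Report which of the three capability groups a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    a11y_services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                     if s.get(ANDROID_NS + "permission") == A11Y_BIND]
    sms = sorted(requested & SMS_PERMS)
    calls = sorted(requested & CALL_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "sms": sms,
        "calls": calls,
        # Flag only the full combination; each group alone is common in benign apps.
        "flag": bool(a11y_services and sms and calls),
    }

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake2fa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A flagged result is a prompt for manual review of a sideloaded app, not a verdict; legitimate accessibility tools can declare the same combination.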

Users eventually get redirected to a generic homepage with links to the legitimate page of the impersonated bank, but the trojan can continue collecting details and credentials. The threat is mainly designed to log those credentials via these lookalike pages and take over bank accounts later on.

The Android malware can intercept SMS messages once they are received on the device. These can be one-time passwords and other two-factor authentication codes sent directly by the legitimate bank service. Usage of the cloned pages and legitimate bank websites allows attackers to collect information for later use. This incident shows that it is crucial to exercise caution when downloading applications from random third-party sources.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
