European Banks targeted by new version of ‘SmsSecurity’ Android malware
In 2014, Trend Micro discovered a cybercriminal operation, called ‘Operation Emmental’, that uses malicious apps to intercept SMS messages and hijack victims’ banking sessions. They uncovered that the malicious applications were posing as a banking application that supposedly generates one-time passwords (OTPs) in order to trick victims. These fake OTP generators were named ‘SmsSecurity’. Two years later, Trend Micro researchers discovered new versions of these malicious applications that are also capable of allowing remote commands via SMS, including resetting the phone’s password, to gain time and empty the victim’s bank account while he/she tries to unlock the phone.
A new Trend Micro report shows that they found new variants of this attack that add new malicious functions including remote access via TeamViewer, automatic device rooting, language detection, anti-analysis measures and misuse of Android accessibility features.
How does your device get infected?
Just like other malicious campaigns, ‘SmsSecurity’ is distributed via spam emails spoofing well-known online retailers. When the users click on the malicious link or open the attachment, their device gets infected with the malware. And it gets interesting after the infection!
What happens after the infection?
First of all, the malware changes the device’s DNS settings to redirect the victim to malicious servers controlled by the attackers. Then it installs a rogue SSL root certificate in order to make malicious HTTPS servers trusted by default. When the victim tries to access the bank’s website, he/she is instead redirected to a malicious site that looks similar to the actual bank website. After entering banking account credentials, the victim is instructed to install a malicious app that spoofs local banks and poses as a banking app that supposedly generates one-time passwords. Instead, it intercepts the victim’s SMS messages and sends them to the C&C server.
In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims’ bank accounts.
After launching, the new variant of ‘SmsSecurity’ first checks whether it runs on an emulator or not by accessing the Build.prop file, which contains the build properties of the version of Android installed on the device.
If it is running in one, it will not execute any malicious code to avoid dynamic analysis tools.
Then it asks the victim to activate Android accessibility services for the app in order to simulate user actions such as taps on the screen. The next step is to download and run a third-party rooting tool in order to get root access. After getting it, ‘SmsSecurity’ prevents the system from killing it.
It also installs a TeamViewer QuickSupport app to allow the remote attacker to take over the victim’s device. The accessibility service reads the TeamViewer ID, which is stored in a shared file, and sends it to the attacker.
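As an added example (not from Trend Micro's report or from this article's author), the following Python script triages collected device state for the post-infection traits described above: changed DNS, a user-installed root certificate, an unexpected accessibility service, and TeamViewer QuickSupport. The allowlists, the TeamViewer package id, the package name com.example.smssecurity and all sample values are assumptions constructed for illustration.

```python
# Added example; allowlists and all sample values are constructed assumptions.
ALLOWED_DNS = {"192.0.2.53"}  # resolvers you expect (hypothetical)
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}
REMOTE_SUPPORT = {"com.teamviewer.quicksupport.market"}  # assumed package id

def parse_packages(pm_output):
    """`pm list packages` prints one `package:<name>` per line."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def parse_a11y(setting):
    """`settings get secure enabled_accessibility_services` prints
    colon-separated `<package>/<service>` components, or `null`."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":")}

def triage(dns_servers, user_ca_files, a11y_setting, pm_output):
    """Return (category, value) findings for the traits the article lists."""
    findings = [("dns", d) for d in dns_servers if d not in ALLOWED_DNS]
    # User-added CAs: Settings > Security > Trusted credentials > User tab.
    findings += [("user_root_ca", f) for f in user_ca_files]
    findings += [("accessibility_service", p)
                 for p in sorted(parse_a11y(a11y_setting) - ALLOWED_A11Y)]
    findings += [("remote_support_app", p)
                 for p in sorted(parse_packages(pm_output) & REMOTE_SUPPORT)]
    return findings

def verdict(findings):
    """Several traits together matter more than any single one."""
    kinds = {kind for kind, _ in findings}
    return "investigate" if len(kinds) >= 3 else "review" if kinds else "clean"

# Constructed device state (documentation-range IP, made-up package names).
SAMPLE_DNS = ["203.0.113.7"]
SAMPLE_CAS = ["a1b2c3d4.0"]
SAMPLE_A11Y = ("com.example.smssecurity/.Svc:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_PM = ("package:com.android.settings\n"
             "package:com.example.smssecurity\n"
             "package:com.teamviewer.quicksupport.market\n")

if __name__ == "__main__":
    result = triage(SAMPLE_DNS, SAMPLE_CAS, SAMPLE_A11Y, SAMPLE_PM)
    for kind, value in result:
        print(f"{kind}: {value}")
    print("verdict:", verdict(result))
```

A legitimately installed remote-support app or an enterprise root certificate will also produce findings, so the verdict only escalates when several traits appear together.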
A wide variety of banks in Austria, Romania, Hungary and Switzerland have been targeted by this attack, including:
- Aargauische Kantonalbank
- Bank Austria
- Banque Cantonale de Fribourg
- BKB Bank
- Credit Suisse
- Erste Bank
- Glarner Kantonalbank
- Luzerner Kantonalbank
- Ober Bank
- Obwaldner Kantonalbank
- Raiffeisen Bank
- Schaffhauser Kantonalbank
- Zürcher Kantonalbank
How to protect yourself?
Once again, avoiding clicking on suspicious links and attachments and using a mobile security application on your device are always good precautions. Remember that the malicious ‘SmsSecurity’ applications are detected as ANDROIDOS_FAKEBANK, and have the following SHA1 hashes: