Recently another piece of malware surfaced inside the Google Play store. The malware was a variant of BankBot, a mobile banking trojan designed to steal user credentials from the apps of large banks, including Wells Fargo, Chase, DiBa and Citibank.
Disguised as a flashlight app in the Google Play Store, this particular application starts by using social engineering to trick the user into installing it and granting it device administrator privileges. It evaded traditional malware scanners with a couple of techniques. The app waited two hours after the user granted administrator privileges before starting any malicious activity; only once that delay had passed did it download the payload that actually contains the BankBot code. The combination of shipping without the malicious payload and delaying the download by two hours is likely what let it slip past Google Play Protect, since the APK submitted to the store contains nothing for a scanner to flag and the malicious code arrives later than a short sandbox run would observe.
Once installed, the BankBot payload listens for a banking app to be launched. When one launches, the malware draws a lookalike login screen over the legitimate app, tricking the user into entering account credentials. The captured credentials are then sent off the device for criminal use.
Many banks attempt to mitigate this kind of credential theft with two-factor authentication. BankBot also listens for inbound SMS messages containing the second-factor code and forwards them to the criminals along with the account credentials, which defeats SMS-based 2FA and makes this a particularly nasty piece of software.
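The capabilities described above (a device administrator receiver, SMS interception, a screen overlay and the ability to install a downloaded second stage) all leave traces in an APK's manifest. The following is an added example, not Mi3 code and not code from the malware itself: a small manifest triage check that flags an app whose manifest requests that combination while its advertised purpose (here, a flashlight) needs far less. The mapping from permissions to capabilities, the sample manifests and the verdict thresholds are this example's own assumptions; in particular it treats `REQUEST_INSTALL_PACKAGES` (Android 8 and later) as the marker for installing a dropped APK, because on older Android the equivalent is the system-wide "Unknown Sources" setting, which is not visible in a manifest.

```python
"""Manifest triage for the BankBot-style capability combination.

Added example (not Mi3 code). Flags an Android app whose manifest requests
device-admin, SMS interception, screen overlay and second-stage install
capabilities while its declared purpose needs far less. The sample
manifests below are constructed, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # ElementTree prefix for android:* attributes

# Capability -> manifest permissions that grant it (assumed mapping for this example).
CAPABILITY_PERMS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "second_stage_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def parse_manifest(xml_text):
    """Return (requested permissions, has device-admin receiver, has accessibility service)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    # A device-admin component is a <receiver> protected by BIND_DEVICE_ADMIN;
    # an accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    device_admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    accessibility = any(s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                        for s in root.iter("service"))
    return perms, device_admin, accessibility


def triage(xml_text, expected_perms):
    """Score a manifest against what the app's advertised purpose should need.

    expected_perms: permissions a benign app of this kind would legitimately use.
    Returns the capabilities found, permissions beyond the expected set, and a verdict.
    """
    perms, device_admin, accessibility = parse_manifest(xml_text)
    capabilities = {name for name, needed in CAPABILITY_PERMS.items() if perms & needed}
    if device_admin:
        capabilities.add("device_admin")
    if accessibility:
        capabilities.add("accessibility_service")
    excess = sorted(perms - set(expected_perms))
    # Overlay + SMS + a way to persist or install a second stage is the
    # overlay-phishing, 2FA-stealing, delayed-dropper combination in the post.
    trojan_pattern = {"screen_overlay", "sms_interception"} <= capabilities and (
        "second_stage_install" in capabilities or "device_admin" in capabilities)
    if trojan_pattern:
        verdict = "block"
    elif capabilities or excess:
        verdict = "review"
    else:
        verdict = "allow"
    return {"capabilities": sorted(capabilities), "excess_permissions": excess, "verdict": verdict}


# Constructed sample manifests (not real apps).
BENIGN_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPICIOUS_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# What a flashlight legitimately needs (assumed baseline for this example).
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_FLASHLIGHT), ("suspicious", SUSPICIOUS_FLASHLIGHT)):
        print(label, triage(manifest, FLASHLIGHT_EXPECTED))
```

One caveat that follows directly from the dropper behaviour described above: the flashlight APK that sits in the store may declare only the device-admin receiver and an install capability, with the SMS and overlay permissions living in the second-stage APK it fetches two hours later. A check like this therefore has to run on anything the app drops at runtime as well, which is exactly why a one-time scan of the submitted APK is not enough.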
Contextually Aware Analysis is Key
A few weeks ago we introduced the concept of Contextually Aware Security Testing (CAST). CAST expands beyond the limitations of Static and Dynamic Application Security Testing (SAST and DAST). By crawling application markets and using open-source intelligence and machine learning, Mi3 RECON can determine how an application fits into the wider app ecosystem and whether those relationships change the risk profile of the app. By expanding the scope of risk an application poses beyond the contents of that application to how it relates to other apps and the ecosystem as a whole, CAST techniques build a better picture of the true risk an application poses.
These recent examples of malware evading traditional up-front, one-time application scanning underscore the importance of building a holistic risk profile from more than just the data derived from SAST and DAST testing.
What can you do?
Avoiding malware, particularly malware that resides in Google Play, can be difficult, but there are a few best practices that should be followed. Be very careful about enabling "Unknown Sources" in the Security Settings: even though this particular app was in the Google Play Store, the BankBot payload it downloaded afterwards still needed that setting (or, on Android 8 and later, the per-app "Install unknown apps" permission) in order to install. Second, be very wary of granting Accessibility Service or Device Administrator privileges to applications; a flashlight has no legitimate need for either, and a device administrator app is also harder to uninstall. Lastly, for an organization deploying applications, use a mobile security solution such as Mi3 RECON to understand the risk posture of an application before deploying it to your user base.
What To Do Next
Contact us to see a demonstration of the RECON Platform
Watch an overview of the Mi3 Security Portfolio