Attack Vector of Android/Spy.Banker.AIX: Country-Specific Malware Aimed at Banking Applications
Any application installed on your mobile phone can be a ticking bomb if it is unprotected. You would not expect a well-known application like QRecorder, with its 10,000 installs, to seize your credentials, steal authorization SMS messages, and transfer your money to an unknown account. As of today, almost €78,000 has been stolen.
Setting the Scene
The popular QRecorder application has been available in the Google Play repository for a long time. After the latest update, the application has been trojanized. A trojan horse called Android/Spy.Banker.AIX allows an attacker to perform fraudulent transactions on behalf of the client.
After many other incidents involving compromised applications in the Google repository, one may wonder how such content still gets into Google Play. Despite Google’s best efforts, malicious apps can bypass its security measures, mostly because the code is protected with a commercial obfuscator, which makes it very hard to analyze.
Attack Vector
The attack is country-specific, aimed at customers of Czech, German, Austrian, and Polish banks. The application detects the language of your mobile phone and uses that information to pick a payload. The malware then requests the special permission to draw over other apps (the basis of an overlay attack). Once the permission is granted, QRecorder is ready to receive Firebase commands from a C&C server. The first command asks for a list of installed applications and picks those with monetizing potential; banking applications are obviously ideal targets. If a suitable app is found, a link to an encrypted payload is sent. Before downloading, another permission is required so that the download, installation, and execution of the malicious software can proceed automatically; the payload then sets triggers for legitimate banking applications. When a targeted application is launched, a malicious overlay appears, prompting you to enter your credentials. Since the malware has also obtained permission to read SMS, it now holds both factors needed to perform a transaction.
Prevention, Mitigation, Protection
Prevention first – every time you download an application from any repository, make sure you read the reviews and comments section of the app store first. Keep the number of installed applications limited, and when in doubt, do not install anything. If you have QRecorder already installed, uninstall it immediately. If you have any suspicion, contact your bank immediately.
Solution for Banking Applications
For banks and their native banking applications, there is a way to avoid these risks. Checking the integrity of an (updated) application does little to prevent this specific type of threat; one of the most effective measures is to check the permissions held by the applications on the device. To automate this, a bank can embed the ThreatMark SDK into its native banking application. Checking application permissions allows banks to react to this kind of zero-day attack before it actually happens. The compromised application will also be automatically flagged once it is included in the public list of untrusted applications, and all transactions will be marked as suspicious and sent for manual review.
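As an added illustration of the permission check described above (my own example code, not the ThreatMark SDK, whose API the post does not describe), the following Android Java class enumerates installed third-party packages and flags any that have been granted the combination this trojan relies on: drawing over other apps, reading or receiving SMS, and installing further packages. The class and method names are assumed; on Android 11 and later the host app must declare QUERY_ALL_PACKAGES (or `<queries>` entries) in its manifest for other apps to be visible to getInstalledPackages.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Illustrative in-app check; class name is assumed and this is not the ThreatMark SDK. */
public final class RiskyPermissionScan {
    /** True when an app holds all three capabilities the attack chain depends on. */
    static boolean hasRiskyCombination(Set<String> granted) {
        boolean overlay = granted.contains(Manifest.permission.SYSTEM_ALERT_WINDOW);
        boolean sms = granted.contains(Manifest.permission.READ_SMS)
                || granted.contains(Manifest.permission.RECEIVE_SMS);
        boolean install = granted.contains(Manifest.permission.REQUEST_INSTALL_PACKAGES);
        return overlay && sms && install;
    }

    /** Returns third-party packages holding the overlay + SMS + install combination. */
    public static List<String> findSuspiciousApps(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        // On Android 11+ the host app needs QUERY_ALL_PACKAGES (or <queries>)
        // in its manifest, otherwise other apps are invisible to this call.
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            ApplicationInfo ai = pi.applicationInfo;
            // System apps and the banking app itself are out of scope here.
            if (ai == null || (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0
                    || pi.packageName.equals(ctx.getPackageName())) continue;
            if (hasRiskyCombination(grantedPermissions(pi))) hits.add(pi.packageName);
        }
        return hits;
    }

    /** Permissions actually granted, not merely declared in the manifest. */
    static Set<String> grantedPermissions(PackageInfo pi) {
        Set<String> granted = new HashSet<>();
        String[] names = pi.requestedPermissions;
        int[] flags = pi.requestedPermissionsFlags;
        if (names == null || flags == null) return granted;
        for (int i = 0; i < names.length; i++) {
            if ((flags[i] & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0) {
                granted.add(names[i]);
            }
        }
        return granted;
    }
}
```

SYSTEM_ALERT_WINDOW is typically reported as granted at install time, while the user-controlled overlay toggle on Android 6 and later lives in AppOps, so treat an overlay hit as "holds the permission" and refine with AppOpsManager where a stricter answer is needed.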
Lukáš Jakubíček
