Nytro

Discovered first Win trojan to serve banking Android malware on mobile


by paganinip on January 25th, 2014


Symantec experts recently came across Windows malicious code that attempts to infect connected Android devices by serving them Android malware.

Researchers at the antivirus firm Symantec have discovered malicious code that is able to infect Android mobile devices with banking malware during synchronization. The Android malware, which was designed to hit Windows users, could compromise the user’s smartphone during file transfer, device syncing and backup management operations.

The infection process starts with a trojan, dubbed Trojan.Droidpak by security experts, that drops a malicious DLL and registers it as a system service. Droidpak then downloads a configuration file from the following remote server:

[REMOVED]s-web.com/iconfig.txt

The file contains the information needed to download a malicious APK and store it in the following location on the infected PC:

%Windir%\CrainingApkConfig\AV-cdk.apk

The Android malware detected by the analysts seems to be specifically designed for the Korean population because the malicious APK searches for certain Korean online banking applications on the infected device.

The communication between the mobile device and the compromised PC is realized through a software bridge called Android Debug Bridge (ADB), a command-line tool that allows the malicious code to execute commands on an Android smartphone connected to the infected computer.


The Android Debug Bridge is a legitimate tool included in the Android software development kit (SDK). When a victim connects an Android device with USB debugging mode enabled, it launches the installation process and infects the smartphone by dropping the Android malware. Once the Android malware has infected the device, it installs an app that appears to be the Google App Store.


Android is the OS most targeted by cyber criminals because of its large diffusion: numerous families of malware were created in 2013 to hit mobile users, and an increasing number of hacking tools was available in the underground to attack such a powerful platform.

The peculiarity of Trojan.Droidpak is that, for the first time, Windows malware was used to install a banking trojan on a mobile device.

The banking trojan, dubbed Android.Fakebank.B, implements common features of this category of malware, including SMS interception and “MITM capabilities”. Researchers at Symantec discovered that the Android.Fakebank.B malware sends data back to the following attacker’s server:

[REMOVED]

The experts provided a few suggestions to protect the user’s system from the Android malware while connecting to a Windows-based computer:

  • Turn off USB debugging on your Android device when you are not using it
  • Avoid connecting your droid to public computers
  • Only install reputable security software
  • Keep your system, software and antivirus up to date.

Pierluigi Paganini

(Security Affairs – Android Malware, Banking trojan)

Source: https://www.facebook.com/

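An added host-side detection example (not the article's or Symantec's code): it scans constructed Windows telemetry records shaped like Sysmon process- and file-creation events and flags the two traces the post describes, an APK staged under %Windir%\CrainingApkConfig and an adb install launched from that directory. The svchost.exe parent check is an assumption drawn from the DLL being registered as a system service.

```python
import re
from dataclasses import dataclass

# Directory the article names as the APK staging location (%Windir%\CrainingApkConfig).
APK_STAGING_DIR = "\\crainingapkconfig\\"
# Assumption: the dropped DLL runs as a service, so adb.exe launched by the
# service host rather than by a user shell is treated as suspicious.
SERVICE_HOST = "svchost.exe"
ADB_INSTALL = re.compile(r"\badb(\.exe)?\b.*\binstall\b", re.IGNORECASE)

@dataclass
class Event:
    """Minimal stand-in for a Sysmon event (ID 1 process create, ID 11 file create)."""
    kind: str          # "process" or "file"
    image: str         # process image path or created file path
    cmdline: str = ""  # command line (process events only)
    parent: str = ""   # parent image path (process events only)

def classify(ev):
    """Return a finding string for one event, or None if it looks benign."""
    if ev.kind == "file" and APK_STAGING_DIR in ev.image.lower():
        return f"APK staged for ADB push: {ev.image}"
    if ev.kind == "process" and ev.image.lower().endswith("adb.exe"):
        if not ADB_INSTALL.search(ev.cmdline):
            return None  # adb used for something other than an install
        if APK_STAGING_DIR in ev.cmdline.lower():
            return f"adb install of staged APK: {ev.cmdline}"
        if ev.parent.lower().endswith(SERVICE_HOST):
            return f"adb install spawned by service host: {ev.cmdline}"
    return None

def scan(events):
    """Run classify over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry, not real logs: one Droidpak-style sequence
# and one legitimate developer installing a debug build from the SDK tools.
SAMPLE_EVENTS = [
    Event("file", r"C:\Windows\CrainingApkConfig\AV-cdk.apk"),
    Event("process", r"C:\Windows\Temp\adb.exe",
          r"adb.exe install C:\Windows\CrainingApkConfig\AV-cdk.apk",
          r"C:\Windows\System32\svchost.exe"),
    Event("process", r"C:\Android\Sdk\platform-tools\adb.exe",
          r"adb.exe install C:\dev\app-debug.apk",
          r"C:\Windows\System32\cmd.exe"),
    Event("file", r"C:\Users\dev\Downloads\report.pdf"),
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```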

Interesting approach using ADB. Although there are 2 filters it has to get past: the potential protection on the PC + Android. It has two possible failing points, but as a method of getting the malware onto the device, it is interesting.

Still, I don't really understand why they had to make the application look like a Play Store. If they wanted it to be running most of the time, they could have done the scheduling using AlarmManager and services.

Any Android user with a bit of experience recognizes the Google Play application, an application that is unique on the device. You realize relatively quickly that something is not right, especially if you open it and it doesn't have the functionality you expected it to have.

I'd be curious to see a report of infected devices and the rate at which this malware managed to extract information before being removed.
