Bankbot banking Trojan returns to Google Play with a vengeance

The woes for Google Play Store just keep piling up. Once again, I’m sorry to report, the onslaught of infected applications is in full swing, proving how far the tech giant is from protecting consumers. The culprit this time, the Bankbot banking Trojan, is not new, as it has been observed in the wild by security researchers since February. Unfortunately, one of the places it was initially seen in action was the Google Play Store. Now it has returned to the store, proving just how easy it is for certain hackers to repeatedly bypass the vetting process.

In a blog post by ESET researchers, it was detailed how Bankbot had reentered the Google Play Store despite the company removing apps infected with the Trojan in the past. The attack method was complex in nature, as the post states:

The variant we discovered on Google Play on September 4 is the first one to successfully combine the recent steps of Bankbot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.

The end result was Bankbot appearing in a malicious app called Jewels Star Classic, which appears to be a deliberate attempt to confuse users looking for the legitimate app Jewels Star. This in turn created a situation in which roughly 5,000 users downloaded the infected app before its removal from the Google Play Store.

So what can victims expect if they accidentally downloaded the Bankbot-infested application?

Upon download, Jewels Star Classic will initially appear to be a normal Android mobile game. After 20 minutes of the first running of the application, however, the malicious software will begin its assault on your system. First the user will be prompted with the below message about enabling a real-sounding but fake service called “Google Service.” (This is not to be confused with the real “Google Play Services,” although, of course, many users will be.)

ESET

The message will not disappear until “OK” is selected, which shows that the Trojan is already beginning to take over your device. Upon selecting “OK,” the user will be taken to the Android Accessibility menu where the malicious “Google Service” option has been inserted, shown in the below image:

ESET

If the user chooses to turn the Google Service option on, they are met with the following permission requests:

ESET

Once these are accepted, the malicious app is now able to carry out its nefarious plans. It will proceed to, under the guise of an “update screen” that covers the actual activity, force the system to install apps from unknown sources, install all of Bankbot’s assets, make Bankbot the default SMS messenger, and finally make Bankbot the device’s administrator.

The Trojan then proceeds to work on stealing banking credentials from the victim. Its method of attack is different than other Bankbot variants in that it will focus entirely on the Google Play app. When a user opens Google Play, Bankbot will force a screen on them that makes it seem like Google is requesting your banking info for records purposes (see below):

ESET

So what can you do to take action against this Trojan? The best course of action is to pay close attention to what gets installed on your device, as well as any apps that ask for absurd permissions. If you notice any unauthorized downloads that didn’t exist before, such as the malicious “Google Service,” take proactive measures to uninstall everything associated with the infected app. Disable device administrator rights for “System update” and then proceed to delete the app and anything else that recently appeared on your device.

This will not be the last we see of Bankbot, as its authors are getting very creative in how they approach their attacks. Stay aware of this nasty little program and also be aware of just what it is you are downloading in app stores.

Photo credit: Shutterstock

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Microsoft Teams guest access: How to enable and manage it

Two of the main factors that affect the total cost of an organization’s Microsoft 365…

9 hours ago

Samsung Galaxy Unpacked 2020: Everything you need to know

Samsung rolled out the all-new Galaxy Z Fold 2, Note 20, Note 20 Ultra handsets…

13 hours ago

SAN vs. NAS: Detailed comparison of these two storage technologies

SAN and NAS provide dedicated storage for a group of users using completely different approaches…

16 hours ago

Generation 1 virtual machines: Modernize them and bring them up to date

In many companies, Generation 1 virtual machines have been superseded by Gen 2 VMs. But…

1 day ago

Free VPNs from Hong Kong with ‘no-log policy’ experience data leak

With these free VPNs based in Hong Kong, you may not be paying any money…

2 days ago

Azure DevOps tips and tricks: Using built-in features

These Azure DevOps tips and tricks come fresh from the field where they have been…

2 days ago