New Android RAT threatens mobile banking users

News by Tim Ring

What is claimed to be the first mobile malware to combine the unholy trinity of private data theft, banking credential theft/spoofing and remote access, has been discovered by researchers at FireEye.

 The company describes the Android-based remote access Trojan malware - called ‘com.ll' - as “far more dangerous for how it approaches mobile banking data than any previous app”.

In a 1 July blog, FireEye's Jinjian Zhai and Jimmy Su say the RAT can disable mobile anti-virus systems, scan for banking apps installed on the phone and replace them with fakes ones, initiate malicious app updates, steal and send SMS messages, and access the user's contact lists.

“In the past, we've seen Android malware that executes privacy leakage, banking credential theft, or remote access separately,” they say, “but this sample takes Android malware to a new level by combining all of those activities into one app.”

The researchers say that the RAT, whose author is Korean-speaking, currently targets the customers of eight Korean banks, scans for banking applications, and contains a partially finished feature called ‘Bank Hijack'.

As a result, they warn: “The hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognised by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.”

They conclude: “Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon.”

The malware aims to fool users by purporting to be a ‘Google Services Framework' and encourages them to install it with administrative privileges. Once in, it disables the uninstall option. The malware was detected by only five out of 54 anti-virus system tested.

Commenting on FireEye's report, UK-based malware expert Paco Hope, a principal consultant with Cigital, agreed the malware presents a threat to mobile baking customers worldwide.

He told via email: “Because of its abstraction, it is likely that it will be used to target lots of different banking populations, and will probably be customised by region, language or jurisdiction.”

Hope also highlighted the danger posed by malware's complexity and its attempt to get installed as a ‘Google Services Framework', even if it not available on Google or Apple apps stores.

He told us: “Malware is increasingly sophisticated and similar to commercial software – it leverages modularity, updates and adaptability. Banks and developers of important apps must consider the very real possibility of malware that is specifically written to understand how their good app works, and attacks their app at its weakest points.

“Malware of this nature also highlights the role the app store plays in securing a device. Users who accept apps from sources other than the official stores run a much higher risk of installing malware. For all their faults, the official Google and Apple stores play a significant role in protecting the average user from malware. The dangers of third-party app sources are very real.”

Malware experts at independent UK-based security consultancy MWR InfoSecurity backed Hope's view that the malware is likely to target more than Korean banks.

MWR security consultant Nick Walker told us via email: “The malware sample could be adapted to attack other banks as the functionality to replace entire applications already exists within it. It is a time versus reward investment that ultimately depends on the complexity of the target banking apps, and how stealthy the malware author wishes to be.”

But MWR believes the malware may not pose a widespread threat. Security consultant Henry Hoggard told SC via email: ”It's not likely that this will become a major problem, due to the propagation problems - not on Google Play, which requires third-party app install and social engineering or a separate vulnerability in a highly privileged application. If the malware writer can trick people into installing it, then it is a threat. Outside that, there would need to be another mass vulnerability (like the signing bug), or the malware writer would have to target specific handsets.”

Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews