The GPlayed trojan that was only revealed earlier this month has already spawned a successor that is capable of targeting the customers of a specific Russian bank.
Dubbed GPlayed Banker by Cisco Talos, the trojan has been specialised to target only Sberbank AutoPay customers. The initial version, which Talos detailed in an 11 October report, was much broader in scope, with many built-in capabilities including the ability to adapt after being deployed.
One interesting characteristic is that the malware will not clean out a bank account, nor will it steal from someone who has less than 3,000 rubles in their account. The trojan has not been spotted in the wild, but Talos did obtain and study several samples.
Much like its older brother, GPlayed Banking is disguised as the Google Play Store, is written in .NET, and has its malicious functionality implemented in a DLL called "PlayMarket.dll".
GPlayed Banking issues its package certificate under a fake name that is related neither to the application's name nor to the package's name. Once installed, the malware retains numerous permissions over the device, essentially giving the trojan full control. However, it only uses those needed to perform its task as a banking trojan, along with the ability to remove all of the owner's SMS messages.
To obtain this level of control, the malware leads the victim through a series of screens designed to escalate the trojan's privileges on the device. Even if the user is wise enough to realise something is amiss and hits cancel, the already-installed malware will keep demanding admin rights every five seconds.
To pull off its criminal act, the malware waits between 900 and 1,800 seconds and then creates a WebView screen overlay stating that a specific URL is not available. Behind the scenes, however, the WebView queries the bank account for its balance. If the balance is less than 3,000 rubles the trojan does not act; up to 67,000 rubles the malware will take 1,000 less than the amount available; if more than 68,000 rubles are on hand it will take 66,000.
To finalise the theft/transaction, the malware must send a password along to the bank.
"So, the following action is the registration of an SMS handler that will parse any arriving SMS messages and look for the word 'пароль', which means 'password' in Russian. The malware parses the SMS containing that word to extract the password, which will then be injected into the previously created WebView," Talos said.
Talos also believes the malware injects some code to evade the bank’s 3-D Secure authentication mechanism.
Although the initial samples tested were designed to attack only Sberbank customers, Talos believes it would be a simple process to make the trojan effective against other targets.