After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play

A flashlight app, fake videos or a fake gaming app? Any one of those could be malicious and harboring a mobile malware app, right there in a trusted official app store. In an ongoing trend, IBM X-Force noted that malicious apps manage to circumvent controls and infiltrate legitimate stores. And this is not about the plethora of adware apps infecting users in the app stores, which has almost become the norm, but rather that banking malware is now turning into somewhat of a resident in Google Play.

BankBot is one of the mobile banking Trojans that has taken to the Play store in the past few months, managing to get through in the guise of widgets and benign apps. After the discovery and takedown of these apps — hundreds of them, to be exact — it seems that BankBot still finds ways to get in and infect unwitting users.

In a recent discovery, IBM X-Force mobile researchers identified at least 20 different malicious Android apps that made it into Google’s Play store delivering BankBot.

Landing a place in official app stores is both effective and profitable for cybercriminals who operate mobile malware. For one, they do not have to invest in the distribution of the malware. They can save on costs associated with spam lists, SMS messaging or sending mass emails, not knowing who would eventually click and bother fetching the app from a third-party store — provided they’ve already enabled side-loading. It’s a longer shot.

Second, malicious apps will get all that much more exposure in an official store, where hundreds of millions of people search for apps daily. Botnets are always a numbers game. Beyond sheer traffic, malware that makes it into the official stores enjoys the trust factor that comes with downloading an app from a legitimate source, likely leading to more app permissions being granted to malicious applications.

Worried about mobile security? You should be. Read the white paper to learn more

A Dangerous, Rising Trend

Bad Android apps making it into the official app store is not new by any means. It appears that criminals manage to find their way into legitimate stores, concealing their malware or including it in app updates that comes later on.

The rising trend is this: While adware and other nuisance apps have been making in into official app stores for the past few years, now we are seeing banking malware increasingly showing up in those trusted download sources. This trend is extremely problematic because it introduces an entirely different threat level to the users of official stores, making them download a mobile banking Trojan, which can inevitably lead to a significant rise in fraudulent financial activity in the weeks and months following the installation.

BankBot — In Store and Ready for Fraud

The BankBot malware emerged in January 2017, initially identified in the wild as Android.BankBot.149, go_p00t, and later named BankBot and Mazain. In essence, all these malware names relate to the same code base that was leaked soon after it was discovered.

According to X-Force research, BankBot affects only Android-based mobile devices at this time. It is part of the overlay class of mobile banking Trojans, which uses fake activity screens on top of legitimate apps to lure users into divulging their banking and payment card credentials. BankBot is geared toward financial fraud, and used by cybercriminals to commit identity theft, account takeover and spamming of the malware to additional devices.

In April 2017, IBM X-Force researchers observed this malware use another notable manner to get into the official Play store. It started out as a benign application purporting to display funny videos. After downloading and executing it, the app would update itself, fetching and installing malware modules into the original application. This effectively turned the once benign app into a mobile banking malware complete with permissions and persistency on the device.

BankBot’s Fraud M.O.

Before mobile malware, cybercriminals looking to take over bank accounts for fraudulent transactions would run into SMS-based two-factor authentication and get stuck.

Those launching phishing attacks saw their attack capabilities quickly decline as more banks adopted out-of-band authentication challenges. To bypass this authentication method, they started writing SMS hijackers, convincing infected PC owners to download those apps to their smartphones. This social engineering worked for a while, but it required resources and a very convincing ploy to make victims enable side-loading and get the malicious app from a third-party store.

This is where mobile banking Trojans such as BankBot came in. They are a one-stop shop for authentication elements cybercriminals typically use to take over an account. The following is the takeover flow for criminals using malware like BankBot.

IBM Trusteer Mobile SDK

It’s important to note that the infection begins on a mobile device, usually unbeknownst to the common user. When the fraud attempt eventually takes place, it happens from an entirely different device. The attacker uses his or her own endpoint to access the victim’s bank’s website to initiate the fraudulent transaction, and the user will not always logically connect the dots and realize the two are linked.

When victims see their phones locked with a fake update message displayed by BankBot, they may think that there’s a technical issue. They could reach out to a local mobile repair shop or call their service provider to ask about it. Even if they do realize they’ve been hit by malware, it’s difficult to know what sort of malware and know that their bank account, and sometimes payment cards, have most likely been compromised at that point.

What makes this worse is that the malware prevents victims from receiving calls, and so prevents banks from being able to contact them about the suspicious transaction. By often resorting to a factory reset, victims unfortunately eliminate forensic information that can be useful for identification and analysis of the infection.

According to X-Force research, BankBot variants have been actively targeting banks in Spain and in France in July 2017. BankBot and the M.O. described in this post were detected and thwarted by IBM Trusteer Mobile SDK. The account takeover phase was detected with holistic cross-channel detection capabilities provided by IBM Trusteer Pinpoint Detect.

IBM Trusteer Mobile SDK
Figure 1: BankBot infected devices per device geography (Source: IBM Trusteer)

Additionally, recent BankBot target lists include banks in Australia, Germany and Romania.

X-Force research noted that BankBot is an overlay Android bot. It monitors for the launch of targeted banking applications on the infected device and then dynamically fetches a matching HTML overlay from its controller’s server. The overlay is presented to users, hiding the original app they may have opened and requesting their online banking credentials, credit card details or login combination. Once entered, the malware sends the details to the attacker in cleartext.

Upon installation, this malware requests app administrator privileges on the device under the guise of a system update. Once installed, the application icon disappears, but the app continues to run in the background. BankBot will not operate if it detects that the infected device is located in CIS countries, alluding to its possible operator’s whereabouts.

BankBot can lock the device’s screen to keep the user out when it is performing fraudulent activity on the victim’s account; to do so, it displays a fake update message on screen to delay access attempts to the device. The malware further possesses data exfiltration capabilities that enable it to hijack incoming SMS messages and forward them to the attacker, thus compromising SMS-based two-factor authentication.

Since it is commercially available in underground forums and code-sharing sites, BankBot targets include a long list of banks across Europe, especially in Spain, Australia, New Zealand and some banks in Argentina. In some cases, the malware targets both Android smartphone and Android tablet versions of the banking apps it is after, depending on the botnet’s operator’s goals.

More to Come?

According to ongoing research by X-Force, mobile malware has been rising in sophistication in the past few years, making it less surprising to see its operators manage to circumvent automated security controls on legitimate app stores.

With various code leaks in the mobile malware scene, the number of malicious actors has also been steadily growing — especially since unlike PC botnets, mobile malware does not require a high level of technical savvy. Together, these factors make for a continually rising threat that now reaches more users than ever, turning them into potential fraud victims.

Indicators of Compromise

X-Force identified the following apps as the malicious BankBot apps that made it into the Google Play store:

APK MD5Package NameDate Entered Google Play
34D70B6A2C2B1B07128726499FAC19B1com.detective.wid22-Jul-17
4D51687ADB3B75DD18DD68A70204AE56com.ak47fl.wid21-Jul-17
FEFACA64DFE0BF6D7081CBBF6A05CCD5com.comfl.wid18-Jul-17
210B717194C265739F055B9D8BF4F5F2com.defl.wid13-Jul-17
0F996382F01E4502BCA36EF48A87BE86com.simfl.wid9-Jul-17
069BF2F0B21DA3579F7C76EF2B9284D1com.safarifl.widg26-Jun-17
5d68069e8d258c796af5011e27c11423com.tactflashlight.widget22-Jun-17
832ABF77D80FD9A204ABBEB7E7CA9E4Acom.spyflashlight.widg17-Jun-17
F4A0D659C8F7F79D0CD629296CA95478com.flashdet.widg17-Jun-17
103AE09A3D86BC1083A7B67C7827F510B1com.ledflash.widg11-Jun-17
1169D0286289A18A2BCF8C1BAFD431B2B7com.flashmarines.widget9-Jun-17
12A36FA1C70BB238A83547580ED013F8F7com.flashwar.widg8-Jun-17
13A1007FCB2F238B1A0E63E6B195446086com.goldflash.widg7-Jun-17
14F16FE16ACD942AA1AF79BE2BD1C1F923com.goldwidg.flashlight5-Jun-17
15B534F3CA69BBDE1299CCDDDCB3591E5Bcom.pwidget.flashlight4-Jun-17
16F59D91BCF3CFC8C94E4345C218D9E41Ccom.eco.fwidget31-May-17
179515BA4A7D3E9113402DE9F858E001A4com.funfl.widUnknown
189698340576e27fd11643e6869a192bd0com.warfl.widgetUnknown
19DF22128F3C66BCC8074538E47DEC7544com.flashpolice.widgUnknown
20A543A7FE67C99EAC11F5E6B8C5F6B5FBcom.flashlight.armyUnknown

Most apps have already been removed from the Play store at the time of this writing. Those that were live at the time of writing were disclosed to Google Play.

X-Force captured some examples of the apps that contained BankBot:

IBM Trusteer Mobile SDK

IBM Trusteer Mobile Research Labs

Banking Malware BankBot in Google Play Store

Mobile malware can turn customers of reputable app stores into fraud victims. IBM Trusteer Mobile SDK customers have full detection of all variants and overlay malware designed for financial fraud with the same M.O. IBM Trusteer Pinpoint Detect offers customers detection via the account takeover module.

Worried about mobile security? Read this white paper

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.