Anti-virus away! Android banking trojan blocks security apps to evade detection

Fake login forms pop-up in front of legitimate banking apps to steal credentials.

Anti-virus away! Android banking trojan blocks security apps to evade detection

A new Android banking trojan holds up anti-virus solutions to ensure it steals all the financial information it needs from its victims.

Fortinet's security research team says the malware is currently masquerading as an email app. Yeah... one that asks for a whole bunch of administrator privileges, including the right to lock the screen and set storage encryption.

Like other Android banking trojans out there, it also has the ability to receive and send SMS messages. That feature helps the malware to bypass SMS-based two-step verification (2SV) if a user has that feature enabled on their accounts.

Request device administrator rights

Upon successful installation, the malware starts up three services.

The first, known as GPService2, monitors all processes to determine if and when the user loads up a banking app that's included on its list. If it detects that activity, it communicates with its command and control (C&C) server to deliver its payload: a fake login page that pops up over the legitimate banking app to steal credentials.

Some users might detect something's not right and try to launch an anti-virus app. But as Fortinet's research team discovered, this malware won't be having any of that.

The malware detects whether the user is trying to run an anti-virus app, by checking a list which includes:

  • com.qihoo.security
  • com.antivirus
  • com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
  • com.antivirus.tabletcom.nqmobile.antivirus20
  • com.kms.free
  • com.drweb
  • com.trustlook.antivirus
  • com.eset.ems2.gp
  • com.eset.ems.gp
  • com.symantec.mobilesecurity
  • com.duapps.antivirus
  • com.piriform.ccleaner
  • com.cleanmaster.mguard
  • com.cleanmaster.security
  • com.sonyericsson.mtp.extension.factoryreset
  • com.anhlt.antiviruspro
  • com.cleanmaster.sdk
  • com.qihoo.security.lite
  • oem.antivirus
  • com.netqin.antivirus
  • droiddudes.best.anitvirus
  • com.bitdefender.antivirus
  • com.dianxinos.optimizer.duplay
  • com.cleanmaster.mguard_x8
  • com.womboidsystems.antivirus.security.android
  • com.nqmobile.antivirus20.clarobr
  • com.referplish.VirusRemovalForAndroid
  • com.cleanmaster.boost
  • com.zrgiu.antivirus
  • avg.antivirus

If an anti-virus app is detected, the user is returned to the HOME launcher screen.

FDService, the malware's second service, comes with its own targeted app list. It's currently empty, though that list could populate with other banking apps or even social media platforms in the near future.

The trojan's third and final service, AdminRightsService, does exactly what its name implies: request admin rights when the malware launches for the first time.

Currently, the malware is targeting 15 different German mobile banking apps:

German flagWhether the trojan stops there and doesn't add more apps remains to be seen.

As all of the targeted apps are so far in German, the authors could use geolocation to limit their campaign's scope. Perhaps they themselves speak only German and therefore don't want to go through the hassle of translating their fake login pop-ups or dealing with international currencies.

Alternatively, maybe the sky's the limit for these attackers, meaning we'll see similarly malicious apps spread to other colleges.

Acknowledging that uncertainty, it's a good idea for users to download apps only from trusted developers on official app stores. They should also exercise caution around suspicious links and email attachments as well as install a security solution onto their mobile devices.

Finally, users might want to think about not conducting any banking on their mobile phones unless it's absolutely necessary. That way the malware would never be able to steal any of a user's sensitive financial information.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

2 Responses

  1. Technoloman.com

    November 21, 2016 at 6:47 pm #

    Great content here Graham and team… I wonder if that is the list or if it's longer?

  2. SD_bossman

    November 22, 2016 at 2:56 am #

    I don't think there is a reason any app should have the privileges shown in that screen shot. That should be warning #1

Leave a Reply