Защити созданное

Другие наши ресурсы

Закрыть

Библиотека
Моя библиотека

+ Добавить в библиотеку

Поддержка
Круглосуточная поддержка Правила обращения

Позвоните

Глобальная поддержка:
+7 (495) 789-45-86
Локальная тех.поддержка:
+380 (44) 224-41-60

Форум

Ваши запросы

  • Все: -
  • Незакрытые: -
  • Последний: -

Позвоните

Бесплатно по России:
8-800-333-79-32

Профиль

Android.BankBot.358.origin

Добавлен в вирусную базу Dr.Web:2018-04-05
Описание добавлено:2018-04-05
  • SHA1 packed: 4ad9a7f3a1d9e2549624c41e9a632d63a4e4b44e (Android.BankBot.250)
  • SHA1 unpacked: a8b6f23d881bd30383ca31a8ae1175ee70b9e4be

A banking Trojan for Android mobile devices. It is designed to steal money from Sberbank’s Russian-speaking clients. It is distributed via fraudulent text messages that invite the potential victims to follow the link and supposedly become familiar with the reply to the posted ad or with the information on a loan or a money transfer. Android.BankBot.358.origin is installed on smartphones and tablets as programs of Avito, Visa, Western Union and other popular applications.

screenshot Android.BankBot.358.origin #drweb screenshot Android.BankBot.358.origin #drweb

When launched, the Trojan attempts to get administrative privileges of the mobile device. For this purpose, it displays a dialog in an infinite loop and forces user to provide the required privileges. Then Android.BankBot.358.origin displays a fake message about an installation error and deletes its icon from the list of programs on the home screen, thus hiding its presence in the system.

screenshot Android.BankBot.358.origin #drweb

If an owner of an infected smartphone or tablet tries to recall administrator privileges from the Trojan, Android.BankBot.358.origin prevents it by closing the settings window. Some Trojan modifications also install their own lock screen PIN codes.

Control of the infected devices is implemented via HTTP and GCM (Google Cloud Messaging). It is performed in the administration panel.

After a successful infection, Android.BankBot.358.origin sends to the command and control server a request register that contains the following information about a device:

json.put("sid", this.api_panel_id);
json.put("imei", this.getIMEI());
json.put("country", this.getCountry());
json.put("operator", this.getOperator());
json.put("phone", this.getPhone());
json.put("model", this.getModel());
json.put("version", this.getVersion());
json.put("application", this.context.getResources().getString(2131165185));
json.put("build", this.app_build);
json.put("process_list", process_list);
json.put("apps_list", apps_list);
json.put("method", "register");

The Trojan can execute the following commands:

  • register_ok – receive interception templates for text messages and settings for blocking a screen with phishing windows;
  • GCM_register_ok – confirmation of a successful sending of Google Cloud Message Key to the administration panel;
  • START – launch the Trojan service;
  • STOP – stop the Trojan service;
  • RESTART – restart the Trojan service;
  • URL – change the address of the command and control server;
  • UPDATE_PATTERNS – update all data;
  • UNBLOCK – recall the Trojan’s administrator rights;
  • UPDATE – update the Trojan;
  • CONTACTS – send SMS messages to all contact list numbers;
  • CONTACTS_PRO – send SMS messages to all numbers specified in the command;
  • PAGE – load a webpage with an address specified in the command;
  • ALLMSG – send to the server all saved SMS messages from the device;
  • ALLCONTACTS – obtain information on contacts from the contact list;
  • ONLINE – check the Trojan’s status;
  • NEWMSG – create a fake incoming SMS;
  • CHANGE_GCM_ID – change GCM ID;
  • BLOCKER_BANKING_START – block device’s screen with a fake mobile banking window;
  • BLOCKER_EXTORTIONIST_START – block device’s screen with a ransom demand;
  • BLOCKER_UPDATE_START – block device’s screen with a fake message about system update installation;
  • BLOCKER_STOP – close a screen blocking message.

Depending on the response received from the server, the Trojan makes one of the following requests:

  • "method", "message" – send an SMS from the Trojan’s SQLite database;
  • "method", "gcm_register" – send a registry id GCM to the server;
  • "method", "repeat" – a periodic check for new tasks;
  • "method", "command_receive" – confirmation that a task has been received;
  • "method", "save_contacts_list" – sending of information on contacts from the contact list;
  • "method", "get_message_list" – request for a text of a message for mailing to contacts from the contact list;
  • "method", "save_message_history" – forward all SMS messages saved on a device to the command and control server;

Each request is first encoded with Base64, then it is encrypted with the AES key and converted using the bytes to hex method. The obtained string is sent to the command and control server, which responds the same way with a string with the command. Additionally, the end path for connection with the server is generated randomly or the DynamicSubDomain method is used.

screenshot Android.BankBot.358.origin #drweb

The data obtained by the Trojan and also device information are encrypted and stored in the local SQLite database. It has the following structure:

  • init_imei;
  • api_url;
  • gcm;
  • first_start;
  • init_bootable;
  • patterns;
  • blocker_banking;
  • blocker_banking_autolock;
  • blocker_extortionist;
  • blocker_extortionist_autolock;
  • cardSuccess
  • blocker_banking_success;
  • immunity.

The main goal of Android.BankBot.358.origin is stealing money from the Sberbank’s clients. Cybercriminals send the Trojan a command to block an infected device with a phishing window. It imitates the appearance of Sberbank Online, the remote banking and payment system, and is displayed to all users no matter whether they are Sberbank or another financial organization’s clients. The user is offered to receive a money transfer the sum of which cybercriminals set via the administration panel. To receive the money, the user is invited to provide bank card information: its number, holder’s name, expiration date, and the CVV code. The fraudulent message cannot be closed, so a potential victim is actually forced to provide cybercriminals with the secret information.

screenshot Android.BankBot.358.origin #drweb

If a user uses the Mobile banking service, Android.BankBot.358.origin tries to use it to steal money from the victim’s account. The Trojan sends SMS messages with commands to perform operations in the online banking system. It checks the current balance of the Android device owner’s card and automatically transfers money to the cybercriminals’ bank account, or to their mobile account.

Some versions of Android.BankBot.358.origin can block an infected device with a ransom message demanding that the victim pay a fine for watching prohibited videos. In order to hide their malicious activity, various Trojan’s modifications can also block the screen with a notification that some system update was installed.

News about the Trojan

Рекомендации по лечению


Android

  1. Если мобильное устройство функционирует в штатном режиме, загрузите и установите на него бесплатный антивирусный продукт Dr.Web для Android Light. Выполните полную проверку системы и используйте рекомендации по нейтрализации обнаруженных угроз.
  2. Если мобильное устройство заблокировано троянцем-вымогателем семейства Android.Locker (на экране отображается обвинение в нарушении закона, требование выплаты определенной денежной суммы или иное сообщение, мешающее нормальной работе с устройством), выполните следующие действия:
    • загрузите свой смартфон или планшет в безопасном режиме (в зависимости от версии операционной системы и особенностей конкретного мобильного устройства эта процедура может быть выполнена различными способами; обратитесь за уточнением к инструкции, поставляемой вместе с приобретенным аппаратом, или напрямую к его производителю);
    • после активации безопасного режима установите на зараженное устройство бесплатный антивирусный продукт Dr.Web для Android Light и произведите полную проверку системы, выполнив рекомендации по нейтрализации обнаруженных угроз;
    • выключите устройство и включите его в обычном режиме.

Подробнее о Dr.Web для Android

Демо бесплатно на 14 дней

Выдаётся при установке

Российский разработчик антивирусов Dr.Web

Опыт разработки с 1992 года

Dr.Web пользуются в 200+ странах мира

Поставка антивируса как услуги с 2007 года

Круглосуточная поддержка на русском языке

© «Доктор Веб»
2003 — 2019

«Доктор Веб» — российский производитель антивирусных средств защиты информации под маркой Dr.Web. Продукты Dr.Web разрабатываются с 1992 года.