New malware targets accounts at over 2,200 financial institutions
Co-authored with Nikolaos Chrysaidos, Head of Mobile Threats & Security, Avast
In May 2017, Russian authorities arrested twenty members of a cybercriminal gang who had been using a banking Trojan called “CronBot” to steal over $900,000. The gang hid the Trojan within a host of phony apps, some designed to look like authentic online banking apps, some designed to look like pornography apps. These thieves knew their target demographic: over one million unsuspecting users installed the malware onto their Android mobile devices. The good news is that the villainous gang has been apprehended. The bad news is that the villainous malware is still at large.
Now, we have uncovered and analyzed a new version of the malware, dubbed Catelites Bot, which shares similarities with the malware used for CronBot. While we have no hard evidence that the Catelites actor is linked to Cron, it is likely that Cron members have used the Catelites malware in their campaigns, based on what we have seen so far. In the past few months, we have seen one or two fake apps per week attacking Android devices to lure unsuspecting victims into downloading the malware. Once it is installed, the criminals use very sophisticated social engineering tricks to get credit card information and possibly the ability to get into the victim’s bank account.
How does it get on your device?
While we are still investigating the details of this malware, here is what we know: this malware gets “dropped” onto your device after you download an app from a third-party app store (not official shops like Google Play) or from malicious adware (malvertisements) or phishing sites. Once dropped onto your Android device, the malicious app looks like the icon seen in the screen below and is titled “System Application.”
How does it trick you?
When you click the malicious “System Application” app icon, it will ask you for admin rights. If you grant those permissions, the malware begins its work. The icon for the (fake) app you downloaded disappears and then, three familiar-looking, trusted app icons get dropped onto your home screen: one for Gmail, one for Google Play, and one for Chrome.
The 3 new icons appear on your home screen for Gmail, Google Play and Chrome.
The malware author uses two sophisticated “social engineering” techniques to encourage you to open one of these three apps in order to display a fake overlay that invites you to enter sensitive information like your credit card. Cybercriminals are counting on the fact that you easily input credit card info for respected companies that you likely buy from regularly. Specifically, these techniques are:
- Creating mirror icons of three well-known apps: Gmail, Google Play and Chrome
- Creating a notification that cannot be removed that links you to a fake “sign-in” to your account
By placing these icons on the home screen, the malware author makes it more likely that the user opens one of them, activating the overlay so that the criminal can steal sensitive information.
First you click “Google Play Store” notification;
then it asks for your credit card number.
Targeting over 2,200 financial institutions
Worse still, this piece of malware can also go after your bank account login details. This malware has the ability to pose as over 2,200 banks and financial institutions. It does so by adopting the logo and mobile application name of a bank used in the Google Play Store, allowing the author to use simple templates to harvest username and password or credit card information. The overlay is HTML-based and not as sophisticated as other Android banking malware such as LokiBot, Red Alert, or Exobot, but the power here is clearly in the shotgun approach: using simple phishing overlay screens, the criminals are able to target many more users, increasing their likelihood of financial gain.
Above shows examples of the fake overlay screens
that pull in the logos of actual banks.
Once you open your own banking app, the malware activates and places a fake overlay on your actual banking app, tricking you into entering your bank login details and also your credit card info. Once you provide this, they have access to your account and credit card.
If your bank is one of the 2,200 targeted financial institutions, the app pulls in the logo of your bank to make the overlay look official.
Catelites Bot - Airbank example
Furthermore, it appears to have a host of other functions built in, though not yet activated. These include intercepting all incoming and outgoing SMS messages, setting ringer and stream volume to mute, and retrieving all running tasks from other apps. In addition, it can persistently ask for specific admin rights that could wipe data from your device or even lock you out completely.
- Intercepts all incoming and outgoing SMS messages
- Retrieves running tasks, phone number, IMSI, device model, Android version and installed applications
- Sets ringer and stream volume to mute so the user doesn’t hear SMS notifications
- Hides the main application icon from the launcher to stay stealthy
- Asks for device admin privileges in order to become persistent and gain functions such as:
  - Wipe data
  - Lock the device
  - Force a new unlock password for the device
- Queries phone numbers from contacts
- Gets SMS and MMS message conversations
The code that sets ringer and stream volume to mute in order to suppress SMS notifications.
The code that asks for device admin privileges in order to become persistent and gain functions like wiping data, locking the device and forcing a new unlock password for the device.
The code that queries phone numbers from contacts.
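The capability list above (SMS interception, device reconnaissance, overlays, device admin persistence) is a useful triage signal when reviewing an unknown APK. The following Python script is an added example, not code from the post or from the malware: it parses a decoded AndroidManifest.xml and flags the combination of declarations that would enable those capabilities. The mapping of each capability to specific permissions is our assumption (all permission and action names are real Android identifiers), and the sample manifest is constructed, not a real Catelites sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capability groups from the post, mapped to the manifest declarations that
# enable them (an assumed mapping; all names are real Android identifiers).
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
RECON_PERMS = {"android.permission.GET_TASKS", "android.permission.READ_PHONE_STATE",
               "android.permission.READ_CONTACTS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

def triage_manifest(manifest_xml: str, threshold: int = 3) -> dict:
    """Report which capability groups a manifest declares and whether the
    combination crosses the (arbitrary) review threshold."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens for
    # DEVICE_ADMIN_ENABLED; it is what lets the app request wipe/lock rights.
    admin = False
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
            admin = admin or DEVICE_ADMIN_ACTION in actions
    flags = {
        "sms_interception": bool(perms & SMS_PERMS),
        "device_recon": bool(perms & RECON_PERMS),
        "overlay": OVERLAY_PERM in perms,
        "device_admin": admin,
    }
    # Any one group is common in legitimate apps; the combination is the signal.
    score = sum(flags.values())
    return {**flags, "score": score, "suspicious": score >= threshold}

# Constructed sample manifest (not a real Catelites sample) for a dry run.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="System Application">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest to see all four groups flagged; a manifest decoded with apktool or aapt can be fed in the same way.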
The Trojan also contains code to encrypt files matching a large list of file extensions with AES. An encrypted file usually keeps its original name but gets the extension replaced with “.cat”.
As of December 8th 2017, a single botnet (C&C: 126.96.36.199) had accumulated 8,553 bots in less than a month, as shown in the panel of the C&C server.
The panel picture also shows similarities with the panel from the research that Group-IB did together with law enforcement to take down the “Cron” crew. We have no hard evidence linking the Catelites actor llyamov to Cron, but it is likely that Cron members have used the Catelites malware in their campaigns, based on the close similarities between the panels and the bots. The screenshot of the panel below also shows how easy it is to adjust the general overlay HTML (the inject).