A Guide To Banking Trojans, Malware Loaders, And How To Get Rid Of Them
Banking trojans are one of the most prominent headliners in the global threat landscape. You will often see that Google has banned a series of apps for malicious activities. Once banned, these apps disappear, but another horde of similarly camouflaged apps appears to hook victims until they too come under the scanner. But how do they do this, and how do they achieve their malicious intent? We will try to explain their activities in simple terms.
What is a banking trojan?
For the uninitiated, banking trojans are a specific sort of malware designed to intercept banking apps and text messages on a smartphone to obtain the victim’s banking login credentials and drain the account balance. Many banking trojans are capable of bypassing two-factor authentication systems that rely on SMS. Besides extracting banking usernames and passwords, many banking malware families also install spyware and keylogger software. Many powerful banking trojans are built to steal money from different mobile banking services by overlaying the banking app’s interface, among other methods. Banking trojans often come in the disguise of legitimate utility apps.
The burgeoning list of banking trojans appearing on Google Play
As the owner of the second most popular operating system on earth, Google’s Threat Analysis Group (TAG) proactively detects and bans a plethora of apps on a regular basis, even though a horde of malware-ridden apps washes up on the Android shore every day.
Bad actors usually target popular categories of apps, such as photo and video editors, keyboards promising new utilities and convenience, system maintenance apps, social media apps, wallpaper and ringtone apps, and note-taking apps, to distribute malware masquerading as authentic applications. Before Google’s TAG identifies their malicious activities and boots them out of the official Android app store, they do the intended damage, and once apprehended they simply change their cloak.
Instead of carrying the malware at install time, these dropper apps, once installed, download more potent and intrusive malware onto the victim’s device from a remotely hosted command-and-control (C2) server. The downloaded malware changes according to the bad actor’s preference. Besides downloading the malicious payload from the pre-configured server, the dropper executes several actions to take control of the device.
The most common among them are:
Get Device Admin permissions
Modern malware seeks device admin permission to ensure it can execute commands without the user’s knowledge or authentication.
Disabling Google Play Protect
This is the most prevalent action that every sophisticated malware family prefers to perform, because it lets the malware stay off the radar.
Screen overlay
Getting control of the screen overlay feature of a smartphone allows a perpetrator to trick the victim into executing an action the latter believes is beneficial for them. For the uninitiated, screen overlay is a feature that lets an app draw an extra view layer over other apps, and malicious apps commonly exploit the feature to attack users.
Uninstall Apps
Once the perpetrator gets device admin access, they start uninstalling selected apps on the device that might obstruct their operation.
Install spyware
Spyware is an essential weapon for threat actors. Nation-state actors use it to gain an undue advantage over enemy nations’ financial, political, and social secrets. In contrast, money-motivated actors often use it to steal financial information, personally identifiable information (PII), user behaviour, etc. In the case of a banking trojan loader, spyware is immensely handy for snatching financial credentials by recording keystrokes and sometimes by screen recording and taking screenshots.
The droppers also collect user data such as the Android ID, phone number, installed apps, SMS messages, etc.
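The dropper capabilities listed above map onto permissions an app must declare in its AndroidManifest.xml, which gives a defender a quick triage heuristic. The following Python is an added example, not code from K7 or from any app; the manifest it parses is a constructed sample, and the permission-to-capability mapping is this example’s own assumption.

```python
# Added example: manifest triage for the dropper behaviours listed above.
# The manifest below is a constructed sample, not a real app's.
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> dropper capability it would enable (mapping is this example's assumption)
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install payload",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstall apps",
    "android.permission.RECEIVE_SMS": "SMS interception (2FA bypass)",
    "android.permission.READ_SMS": "SMS interception (2FA bypass)",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app inventory",
}

def triage(manifest_xml: str) -> dict:
    """Return {permission: capability} for every risky request in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in RISKY:
            findings[name] = RISKY[name]
    # An app asks to become a device admin via a receiver guarded by BIND_DEVICE_ADMIN.
    for rcv in root.iter("receiver"):
        if rcv.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings["android.permission.BIND_DEVICE_ADMIN"] = "device admin"
    return findings

def verdict(findings: dict, threshold: int = 3) -> str:
    """Flag when several distinct dropper capabilities are requested together."""
    return "suspicious" if len(set(findings.values())) >= threshold else "low"

# Constructed sample: a "photo editor" that asks for overlay, SMS, install and admin rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in sorted(triage(SAMPLE_MANIFEST).items()):
        print(f"{perm}: {why}")
    print("verdict:", verdict(triage(SAMPLE_MANIFEST)))
```

A legitimate app may need one of these permissions; it is the combination of several in an app whose advertised purpose needs none of them that warrants a closer look.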
A checklist of safeguards
Threat actors lure Android users for various reasons, ranging from financial gain to espionage on high-profile victims and creating backdoors into networks for launching massive ransomware attacks on enterprises. Therefore, both individuals and employees of enterprises should embrace an extra degree of caution while dealing with Android apps.
K7 Mobile Security offers robust, multi-layered protection against all cyberattacks, including malware loaders, downloaders, trojans, phishing, ransomware, SMiShing, malicious websites, PUPs, and other malware. However, besides installing our Android cybersecurity suite on your Android device, we recommend you practice the following actions to outsmart attacks aimed at you or your enterprise.
· Install all Android and security updates soon after they roll out. Android and device manufacturers’ security updates fix a series of vulnerabilities that perpetrators could abuse.
· Avoid installing apps from third-party app stores, even though they sound tempting, offering free versions of premium apps. These apps deliver malicious payloads or cracked versions of authentic apps injected with malicious scripts.
· Use separate and complex passwords of over 12 characters for each app you have installed on your device. We recommend you install a password manager to manage them.
· Be cautious about clicking on links received via emails and social messaging apps. Many of them are intended for phishing and for taking control of your device.