The source code of an unnamed Android banking trojan has been recently leaked online via an underground hacking forum, say researchers from security firm Dr.Web.

The Russian antivirus maker says the leaked source code appears to be a high-quality product and the security firm is positive this will attract the attention of many cyber-criminals looking for a base to develop and deploy their own mobile malware.

Android banking trojans are usually sold for thousands of dollars, or rented for similar high fees. The easily availability of this trojan might lead to a surge in banking trojans targeting Android devices, Dr.Web researchers warn.

Leaked source code used for the creation of BankBot

According to the company, the leaked source code has already been taken, tweaked and twisted into a new banking trojan named Android.BankBot, currently seen in live infections.

BankBot phishing screens
BankBot phishing screens (Source: Dr.Web)

The BankBot version detected in the wild appears to target only users of Russian banks. According to Dr.Web, the trojan will lie in hiding until the user opens mobile banking apps or social media apps.

When this happens, the trojan shows fake login overlays, asking the user to reauthenticate or re-enter his payment card details, where appropriate.

BankBot can phish for credentials using overlays for apps such as Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and the Google Play Store.

This data is collected and sent back to online servers, where the crook can access it via a neatly arranged backend.

BankBot backend
BankBot backend (Source: Dr.Web)

Once the BankBot author has access to user information, he can initiate banking transactions, or sell the user's social media credentials online.

When siphoning money out of a victim's bank account, BankBot will also intercept and silently delete incoming SMS messages, meaning the bank's transaction notification never reaches the user.

Other BankBot features include the ability to send SMS messages and USSD requests, steal the user's contacts list, track the user via GPS coordinates, and request additional permissions via popups for the latest Android OS versions, where the permissions system is more layered and interactive than in previous releases.

Be careful of an app's permissions!

BankBot, the leaked banking trojan on which it based, and most Android malware today all rely on tricking users into granting them administrator rights or similar intrusive permissions.

While tech-savvy Android users will find it suspicious that apps ask for such deep access, most users tend to rush through the app installation process and grant apps all the permissions they request.

Android users are advised to take into consideration an app's functionality during the installation process and avoid granting it permissions it does not need.