Android malware

One Android banking trojan has borrowed a trick from its desktop counterparts, and besides stealing login credentials from banking apps, this threat also sabotages mobile antivirus applications and prevents them from launching.

For the moment, this Android banking trojan is active only in Germany and targets the mobile apps of 15 German banks.

Discovered by malware analysts at Fortinet and tracked as Android/Banker.GT!tr.spy (Banker.GT for this article), this threat is your run-of-the-mill Android banking trojan.

The one feature that allows it to stand out is its ability to detect the presence of locally installed mobile security applications and block them from starting. The list of Android security software it checks for includes the following apps:

avg.antivirus
com.anhlt.antiviruspro
com.antivirus
com.antivirus.tablet
com.nqmobile.antivirus20
com.bitdefender.antivirus
com.cleanmaster.boost
com.cleanmaster.mguard
com.cleanmaster.mguard_x8
com.cleanmaster.sdk
com.cleanmaster.security
com.dianxinos.optimizer.duplay
com.drweb
com.duapps.antivirus
com.eset.ems.gp
com.eset.ems2.gp
com.kms.free
com.netqin.antivirus
com.nqmobile.antivirus20.clarobr
com.piriform.ccleaner
com.qihoo.security
com.qihoo.security.lite
com.referplish.VirusRemovalForAndroid
com.sonyericsson.mtp.extension.factoryreset
com.symantec.mobilesecurity
com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
com.trustlook.antivirus
com.womboidsystems.antivirus.security.android
com.zrgiu.antivirus
droiddudes.best.anitvirus
oem.antivirus

To be able to do this, Banker.GT needs administrator rights, which it asks for when the user installs the app tainted with the trojan.

Trojan comes disguised as mobile email client

Since the crooks behind this malware are currently disguising it as an email client, users might be inclined to give it more permissions than they would normally be comfortable giving another app.

The app has a generic name and icon, pictured below, and once it manages to obtain admin rights, it will delete its icon and continue to work in the background.

[Image: icon of the fake email app (via Fortinet)]

After infection, just like most mobile and desktop malware these days, Banker.GT will collect data about the device it infected, such as the device IMEI, model, phone number, or Android build version, and contact an online server and register itself as an active infection.

From here on out, the C&C server will send commands to the newly registered bot. Fortinet researchers were able to discover that the C&C servers are capable of sending the following set of commands:

rent&&&: start intercepting all incoming SMS messages;
sms_stop&&&: stop intercepting incoming SMS messages;
sent&&&: send a text message;
ussd&&&: send a USSD request;
delivery&&&: send SMS messages to all contact list numbers;
api_server: change the address of the command and control (C2) server;
Appmass: send mass text messages;
windowStop: add a specified app to the exclusion list so that when the app is launched, the phishing screen is not displayed;
windowStart: delete a specified app from the exclusion list;
windowsnew: download an updated targeted apps list from C2 server;
updateInfo: send information collected from device to C2 server;
freedialog: display a template-based dialog using Webview;
freedialogdisable: cancel the display of the Webview dialog;
adminPhone: change the phone number used to send SMS messages;
killStart: set a password for screenlock;
killStop: clear the password from screenlock;
notification: display a notification with the received parameters.
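
A defender-side triage check built from the two lists above (the blocked security apps and the C2 command vocabulary), as an added Python example that is neither Fortinet's code nor the malware's: it matches a constructed one-string-per-line dump against both lists and only flags a sample when the two kinds of evidence appear together. The dump format, the sample contents and the thresholds are assumptions.

```python
from typing import Dict, List

# C2 command vocabulary reported for Banker.GT (taken from the article above).
BANKER_GT_COMMANDS: List[str] = [
    "rent&&&", "sms_stop&&&", "sent&&&", "ussd&&&", "delivery&&&",
    "api_server", "Appmass", "windowStop", "windowStart", "windowsnew",
    "updateInfo", "freedialog", "freedialogdisable", "adminPhone",
    "killStart", "killStop", "notification",
]
# Subset of the security-app package names the trojan checks for (from the article).
BLOCKED_AV_PACKAGES: List[str] = [
    "com.bitdefender.antivirus", "com.eset.ems2.gp", "com.kms.free",
    "com.symantec.mobilesecurity", "com.qihoo.security", "com.drweb",
]
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def scan_strings(dump: str, min_commands: int = 5, min_av: int = 3) -> Dict[str, object]:
    """Triage a one-string-per-line dump (e.g. strings pulled from an APK's classes.dex).

    Flags the sample only when enough command tokens AND enough targeted AV package
    names occur together: generic words like "notification" also appear in benign apps.
    """
    tokens = {line.strip() for line in dump.splitlines() if line.strip()}
    cmd_hits = sorted(c for c in BANKER_GT_COMMANDS if c in tokens)
    av_hits = sorted(p for p in BLOCKED_AV_PACKAGES if p in tokens)
    return {
        "commands": cmd_hits,
        "av_packages": av_hits,
        "device_admin": DEVICE_ADMIN_PERM in tokens,  # the right it needs to block AV apps
        "suspicious": len(cmd_hits) >= min_commands and len(av_hits) >= min_av,
    }


# Constructed strings dump imitating a Banker.GT-like sample (not a real extraction).
SAMPLE_DUMP = """\
android.permission.BIND_DEVICE_ADMIN
rent&&&
sms_stop&&&
ussd&&&
windowStop
windowStart
updateInfo
killStart
com.bitdefender.antivirus
com.eset.ems2.gp
com.kms.free
com.symantec.mobilesecurity
"""
# Constructed dump of a benign app that happens to share two generic tokens.
BENIGN_DUMP = "android.permission.INTERNET\nnotification\nupdateInfo\n"
```

Run `scan_strings` over a real dump from a suspect APK; tune the thresholds to the string extractor you use, since obfuscated samples may split or encode the command tokens.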

Since Banker.GT is a banking trojan, the bulk of its functionality is centered around watching the list of active app processes, and detecting when the user starts a mobile banking app.

When this happens, the trojan shows an overlay window on top of the user's normal screen, displaying a fake login page. After the user enters their credentials, the malware sends them to its C&C server for storage.

Users shouldn't feel safe thinking this threat only targets German users. It's quite easy to create fake overlay login pages for other apps and target users in other countries. Most likely, Fortinet discovered this threat in its first stages of distribution, and other countries will be targeted in the future.