One Android banking trojan has borrowed a trick from its desktop counterparts, and besides stealing login credentials from banking apps, this threat also sabotages mobile antivirus applications and prevents them from launching.
For the moment, this Android banking trojan is active only in Germany and targets the mobile apps of 15 German banks.
Discovered by malware analysts at Fortinet and tracked as Android/Banker.GT!tr.spy (Banker.GT for this article), this threat is your run-of-the-mill Android banking trojan.
The one feature that allows it to stand out is its ability to detect the presence of local mobile security applications and block them from starting. The list of Android security software includes the following apps:
To be able to do this, the app tainted with the Banker.GT trojan asks the user for administrator rights at install time, and it cannot block other apps without them.
Since the crooks behind this malware are currently disguising it as an email client, users might be inclined to give it more permissions than they would be normally comfortable giving another app.
The app has a generic name and icon, pictured below, and once it manages to obtain admin rights, it will delete its icon and continue to work in the background.
After infection, just like most mobile and desktop malware these days, Banker.GT will collect data about the device it infected, such as the device IMEI, model, phone number, or Android build version, and contact an online server and register itself as an active infection.
From here on out, the C&C server will send commands to the newly detected bots. Fortinet researchers were able to discover that the C&C servers are capable of sending the following set of commands:
Since Banker.GT is a banking trojan, the bulk of its functionality is centered around watching the list of active app processes, and detecting when the user starts a mobile banking app.
When this happens, the trojan shows an overlay window on top of the user's normal screen, displaying a fake login page. After the user enters their credentials, the malware sends them to its C&C server for storage.
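The three behaviours the article describes (device-admin rights, an overlay window drawn over the foreground app, and a launcher icon removed after install) are each individually benign but rarely appear together in one app. The following is an added example, not code from Fortinet or from the malware analysis, of how a defender could triage an installed-app inventory for that combination. The inventory format is a constructed assumption; the permission names are the real Android permission strings for overlay drawing, device administration and (on older Android versions) reading the foreground task list.

```python
"""Heuristic triage of an installed-app inventory for the Banker.GT-style
pattern: device-admin active + overlay permission + hidden launcher icon.
Added example; the InstalledApp record layout is a constructed assumption."""
from dataclasses import dataclass

# Real Android permission strings used as indicators.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"      # draw over other apps
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"   # device administrator receiver
TASKS_PERM = "android.permission.GET_TASKS"                  # foreground-app watching (pre-API 21)


@dataclass(frozen=True)
class InstalledApp:
    package: str
    permissions: frozenset
    has_launcher_icon: bool
    device_admin_active: bool


def risk_indicators(app: InstalledApp) -> list:
    """Return the list of indicator names this app triggers."""
    hits = []
    if app.device_admin_active:
        hits.append("device-admin")
    if OVERLAY_PERM in app.permissions:
        hits.append("overlay")
    if not app.has_launcher_icon:
        hits.append("hidden-icon")
    if TASKS_PERM in app.permissions:
        hits.append("watches-foreground")
    return hits


def triage(apps, min_hits: int = 3) -> dict:
    """Map package name -> indicators for every app at or above the threshold.

    A single indicator is not suspicious on its own: legitimate security
    products commonly hold device-admin and overlay rights but keep their
    launcher icon, so the threshold is what separates them from the pattern
    described in the article.
    """
    flagged = {}
    for app in apps:
        hits = risk_indicators(app)
        if len(hits) >= min_hits:
            flagged[app.package] = hits
    return flagged


# Constructed sample inventory (not real package data).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mailclient", frozenset({"android.permission.INTERNET"}), True, False),
    InstalledApp("com.example.antivirus",
                 frozenset({OVERLAY_PERM, DEVICE_ADMIN_PERM, "android.permission.INTERNET"}),
                 True, True),
    InstalledApp("com.example.suspicious.email",
                 frozenset({OVERLAY_PERM, DEVICE_ADMIN_PERM, TASKS_PERM,
                            "android.permission.READ_PHONE_STATE"}),
                 False, True),
]


if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {', '.join(hits)}")
```

Run as a script, only the constructed `com.example.suspicious.email` entry is reported; the constructed antivirus entry scores two indicators and stays below the threshold, which is the point of requiring the combination rather than any one permission.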
Users shouldn't feel safe thinking this threat only targets German users. It's quite easy to create fake overlay login pages for other apps and target users in other countries. Most likely, Fortinet discovered this threat in the first stages of its distribution, and other countries will be targeted in the future.