Microsoft’s security team has warned that data-stealing spyware posing as a banking rewards app is aiming its attacks at Android users.
The malware appears to be an upgraded version of an Android nasty first spotted in 2021, and once it has infected a smartphone it can be remotely controlled by the attackers. At the time it was observed stealing from Indian bank customers. We’re told that this most recent variant can covertly steal victims’ two-factor authentication (2FA) messages for bank accounts, account login information, and personally identifiable information (PII) without being noticed, thanks to its numerous additional backdoor capabilities and significantly improved obfuscation.
The Microsoft threat hunters started their inquiry after they got a text message purporting to be from the rewards program of the ICICI bank in India. It had the logo of the bank, a warning that the user’s loyalty points were about to expire, and a request to click on a harmful link.
The Redmond team found that clicking the link downloaded a fake banking rewards app containing “TrojanSpy:AndroidOS/Banker.O”. When launched, it first asks the user to grant specific permissions, then requests their credit card information before going on to collect all the other data it has been instructed to take. One would assume that most people would be suspicious if they were asked for their card details right away.
The command and control (C2) server of the fake Android app, which is distributed as APK files, is utilized by or connected to 75 other malicious Android applications, according to security experts who used open-source information.
According to the researchers, “some of the malicious APKs also utilize the same Indian bank’s logo as the false app that we analyzed, which may mean that the actors are regularly developing new versions to maintain the campaign.”
After further investigation, Microsoft learned that the Android malware employs the MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to carry out a variety of nefarious tasks, such as intercepting calls, gaining access to and uploading call logs, messages, contacts, and network information, and changing the Android device’s settings.
These three features also enable the software to keep monitoring the victim’s phone while silently operating in the background.
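The components and permissions the article lists lend themselves to a simple manifest triage check. The following Python script is an added example written for this article, not code from Microsoft's report: it parses a decoded AndroidManifest.xml and flags the combination of SMS permissions with a boot-triggered receiver and a service, the persistence pattern described above. The manifest it scans is a constructed sample, and the package name is invented.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes are namespaced; ElementTree uses Clark notation for them.
NAME = "{http://schemas.android.com/apk/res/android}name"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions that together enable the SMS/OTP theft and call-log upload the report describes.
SPY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest (not from the real APK); component names mirror the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rewards">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".AutoStartService"/>
    <receiver android:name=".RestartBroadCastReceiverAndroid">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Report SMS/call-log permissions, boot-triggered receivers and services in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NAME) for s in root.iter("service")]
    # The combination that matters: SMS access plus a service that a boot receiver can restart,
    # i.e. persistence for silent message interception rather than a one-off permission request.
    suspicious = "android.permission.RECEIVE_SMS" in perms and bool(boot_receivers) and bool(services)
    return {
        "spy_permissions": sorted(perms & SPY_PERMISSIONS),
        "boot_receivers": boot_receivers,
        "services": services,
        "suspicious": suspicious,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest pulled out of an APK with apktool or a similar decoder; a hit is a reason to look closer, not proof of malice, since legitimate messaging apps also hold SMS permissions.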
Though the malicious software can receive and execute a variety of commands from its command server, one in particular — the silent command, which switches the device into silent mode — is especially risky, since it enables the attacker to receive, steal, and delete messages without the user’s knowledge.
It’s unfortunate because banking apps require 2FA, which is frequently transmitted by SMS. Therefore, by using the phone’s silent mode, thieves can take these 2FA messages without the victim’s knowledge, enabling them to access online banking accounts and potentially drain them once they have learnt all the required passwords.
The security experts at Microsoft write:
Users and institutions rely on banks’ two-factor authentication systems to keep their transactions secure, but its capacity to intercept one-time passwords (OTPs) sent through SMS thwarts those processes’ security measures. In the future, it may draw in additional targets thanks to the utilisation of numerous banks and financial companies’ logos.
Additionally, the spyware communicates with its C2 server using the open-source package socket.io.
The Microsoft team states that the malware protects its traffic with its remote controllers: both the SMS commands it receives and the data it sends back are encoded and encrypted using a combination of Base64 encoding/decoding and AES encryption/decryption.
Security researchers advise only downloading and installing applications from legitimate app stores to stop this and other data-stealing malware from causing trouble. They also point out that Android users can disable the “Unknown sources” setting, which blocks the installation of apps from outside the official store, including malware posing as genuine apps.
Generally speaking, it’s commendable that Microsoft is bringing attention to cybersecurity flaws in other people’s code, because doing so benefits users, but it’s odd to see Redmond making a big deal out of something like this when it consistently downplays the dozens of vulnerabilities it patches in its own products each month.