A new Android Trojan that specializes in stealing banking information by intercepting SMS messages has been making the rounds. Researchers at zScaler claimed that the yet unnamed Trojan is circulating as 888.apk.
Trojan appears to be targeting Chinese Android users as many types of malware that came before it, at least for the moment.The Trojan’s forte is sniffing out message having to do with banking and emailing those captured SMS messages to itself.
In both cases the Trojan sends the information to a hardcoded Chinese email service, operated by NetEase, Inc., and a hardcoded Chinese phone number. The Trojan’s SMS communication works both ways, because it can receive commands from the command and control server via SMS. The attacker can simply send a message “intercept#” to start data collection and send another message, “interceptstop#” to stop it. While going through SMS messages, the Trojan also sniffs out a series of keywords: “Pay”, ”Check”, ”Bank”, ”Balance”, and “Validation,” as part of its gathering process.
In addition to intercepting Android users’ text messages, experts from information security company zScaler claim the Trojan can also either stop or interrupt users’ calls and for what it’s worth, send the caller’s number to the attacker via email. It appears there’s also a function for sending stolen information, like the device’s contacts and its SMS data via the web, but the code isn’t fully fleshed out yet.
“[The code] appears to be non-functional in this version and the malware author might still be testing out this feature, as seen by the usage of the private IP address,” Viral Gandhi, a security researcher with the firm wrote. Gandhi concludes his post with a handful of images of the Trojan in action, including SMS messages, contact databases and phone numbers it was able to steal:
Android-based banking Trojans haven’t caught on much in the USA but they’ve been fairly popular in other countries, particularly ones where banks have less stringent authentication measures.
Last fall Brazilian bankers were targeted by two apps that were rigged to resemble banking apps. In actuality the apps were crudely thrown together Trojans designed to phish users’ banking credentials. The new Trojan bears a slight resemblance to a variant of Android malware named HeHe, dug up by FireEye last January, that also stole SMS messages and intercepted phone calls.
110 Reykjavik, Iceland