Android malware is slowly and steadily catching up with PC malware. Security firm FireEye has identified a new Android malware that disguises itself as a “Google Service Framework” and steals Android users' banking credentials. What makes this malware, a RAT (Remote Access Tool), unique is that it uses its Google Service Framework disguise to kill anti-virus apps running on Android smartphones and tablets.
FireEye says that the discovery of this HijackRAT banking credential stealer may be a sign of more Android-focused banking threats to come from its developer. FireEye stated in its blog post:
“In the past, we’ve seen Android malware that executes privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition,” they continued, “we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.”
FireEye tested this malware with eight Korean bank apps and found that once the malware is installed on the device, the command and control server sends a command to replace the existing bank apps. Android banking apps require the installation of ‘com.ahnlab.v3mobileplus’, an antivirus app available on Google Play. FireEye noticed that HijackRAT, after installation, killed the anti-virus application and then proceeded to replace the banking app. This behaviour allows the RAT to avoid detection post-installation by both the AV app and the Android user, who is under the impression that the banking app he/she is using is genuine.
Explaining the modus operandi of this RAT, the blog says:
“The package name of this new RAT (remote access tool) malware is “com.ll” and appears as “Google Service Framework” with the default Android icon. Android users can’t remove the app unless they deactivate its administrative privileges in ‘Settings.’ So far, the Virus Total score of the sample is only five positive detections out of 54 AV vendors. Such new malware is published quickly partly because the CNC server, which the hacker uses, changes so rapidly.”
The working of the malware is given in a detailed analysis on the FireEye blog; here we briefly explain how it operates. Once the app containing the malware payload is installed, a Google Services icon appears on the home screen. When the Android user taps that icon, a new screen pops up requesting administrative privileges, like any other Android app. Once the user accepts and grants the malware those privileges, the uninstall option is disabled and a new service named “GS” is started. However, this is only camouflage for the malware: if the user taps the GS icon, the device shows an “App isn’t installed” message and the icon removes itself from the home screen. Now HijackRAT is in operation, and if the user is online, within minutes the app connects to the command and control server located in Hong Kong and receives a task list from it. FireEye says it has traced the IP address to Hong Kong but has not identified the author/owner of the malware; based on the malware’s user interface, they believe the malware was probably authored by a Korean and currently targets only Korean users.
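The indicators described above (a lookalike “Google Service Framework” label on a package outside Google's namespaces, device-administrator rights, and an app that hides its own launcher icon) can be turned into a simple triage check over a device's installed-package inventory. The following is an added example written for this article, not FireEye's code or tooling; the inventory line format, the list of lookalike labels and the sample records are constructed, while the package name `com.ll`, the label “Google Service Framework” and the AV package `com.ahnlab.v3mobileplus` come from the text.

```python
"""
Heuristic triage of an Android package inventory for the HijackRAT-style
indicators described in the article. The inventory line format below is
constructed for this example (an analyst would derive it from `pm list
packages`, `dumpsys package` and `dumpsys device_policy` output).
"""
import re
from dataclasses import dataclass, field
from typing import List

# Labels an app might borrow to pass as a platform component (assumed list).
SYSTEM_LOOKALIKE_LABELS = {
    "google service framework",
    "google services framework",
    "google play services",
}
# Namespaces in which genuine Google / AOSP platform packages live.
TRUSTED_PREFIXES = ("com.google.", "com.android.")
# AV companion the article says Korean banking apps require (from the text).
REQUIRED_AV_PACKAGE = "com.ahnlab.v3mobileplus"


@dataclass
class InstalledApp:
    package: str
    label: str
    device_admin: bool   # holds device-administrator rights
    launcher_icon: bool  # still shows an icon in the launcher


@dataclass
class Finding:
    package: str
    reasons: List[str] = field(default_factory=list)


def parse_inventory(text: str) -> List[InstalledApp]:
    """Parse constructed lines of the form:
       package=<name> label="<label>" admin=<0|1> launcher=<0|1>
    Lines that do not match are ignored."""
    pat = re.compile(
        r'package=(\S+)\s+label="([^"]*)"\s+admin=([01])\s+launcher=([01])'
    )
    apps = []
    for line in text.splitlines():
        m = pat.search(line)
        if m:
            apps.append(InstalledApp(m.group(1), m.group(2),
                                     m.group(3) == "1", m.group(4) == "1"))
    return apps


def triage(apps: List[InstalledApp]) -> List[Finding]:
    """Flag packages matching the article's indicators."""
    findings = []
    for app in apps:
        reasons = []
        # Indicator 1: system-looking label, but not a Google/AOSP package.
        if (app.label.strip().lower() in SYSTEM_LOOKALIKE_LABELS
                and not app.package.startswith(TRUSTED_PREFIXES)):
            reasons.append(f'label "{app.label}" outside Google/AOSP namespaces')
        # Indicator 2: device admin that no longer exposes a launcher icon
        # (the "App isn't installed" self-hiding behaviour).
        if app.device_admin and not app.launcher_icon:
            reasons.append("device admin with no launcher icon")
        if reasons:
            findings.append(Finding(app.package, reasons))
    return findings


def av_companion_missing(apps: List[InstalledApp]) -> bool:
    """True when the AV package banking apps depend on is absent, which the
    article describes as the RAT's first step before swapping bank apps."""
    return all(app.package != REQUIRED_AV_PACKAGE for app in apps)


# Constructed sample inventory: one genuine GSF entry, one lookalike, one
# banking app; the AV companion has been removed.
SAMPLE_INVENTORY = """\
package=com.google.android.gsf label="Google Services Framework" admin=0 launcher=0
package=com.ll label="Google Service Framework" admin=1 launcher=0
package=com.example.bankapp label="Example Bank" admin=0 launcher=1
"""

if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for f in triage(inventory):
        print(f.package, "->", "; ".join(f.reasons))
    if av_companion_missing(inventory):
        print("warning:", REQUIRED_AV_PACKAGE, "is not installed")
```

The genuine `com.google.android.gsf` entry has no launcher icon either, which is why the check requires the label-plus-namespace mismatch or device-admin rights before flagging; matching on a hidden icon alone would produce noise from legitimate platform packages.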
“We cannot tell if it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server,”
Its tasks are to download an app named ‘update’ plus an abbreviation of the bank’s name from the command and control server, while simultaneously uninstalling the original banking app. When the ‘update’ command is sent from the remote access tool, a lookalike app, ‘update.apk’, is downloaded from the command and control server and installed on the Android device. The malware also sends the user details of the Android device's owner to the C&C server. These details include phone numbers, device IDs, MAC addresses and the contact lists available on the smartphone or tablet.
“Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon,”
The rise in banking credential stealing malware is no surprise, but the level of ingenuity and sophistication with which the malware executes its payload and connects to the C&C server is a worrying sign for Google, security analysts and the Android community.