Recent Posts

Recent Blog Posts

The PhishLabs Blog

The Evolution of Mobile Banking Trojans… and What To Do About Them (Part II)

Posted by Joshua Shilko on Aug 15, '17
Find me on:

Android_Marchar_Trojan_PhishLabs.pngIn the last article, we looked at why threat actors have flocked to the mobile space in droves, and which tools they’re using to ply their trade.

And naturally, no discussion of mobile threats would be complete without a detailed look at the most concerning current mobile threat: mobile banking trojans.

Since we’ve already covered the most common functionality, permissions, and distribution mechanisms, it only makes sense to take things a stage further and look at specific banking trojan families. To that end, in this article we’ll be looking at the two of the most widespread families: Marcher and BankBot.

Once we’re through with that, we’ll go over some of the things organizations and individuals can do to avoid falling prey to mobile banking trojans in the future.

Need to fight back against rogue mobile apps that abuse your brand? Click below to find out how PhishLabs can help.

Fight Back!

Super Mario Marcher

First released in 2013, multiple versions of the Marcher mobile banking trojan have been released over the past four years. In many cases Marcher trojans have been disguised as legitimate apps, including Adobe Flash Player and the eagerly awaited Super Mario Run, which was released in early 2017.

Since its release, Marcher has quickly become one of the most widespread banking trojans around, with dozens of variants and close relatives springing up all the time. Among other names, Marcher has also been known as Spy.Banker, BankSpy, MobileSpy, Exobot, and Banker.

As with most malware, the exact functionality of Marcher varies from sample to sample, but as a family, Marcher tends to include a complete range of functions. In almost all cases, Marcher trojans are capable of most (if not all) of the following:

  • Displaying web overlays on top of targeted apps or a target device’s browser
  • Locking the screen with an overlay - This isn’t typically used to deprive the user of access, but rather to permanently display an overlay until login credentials are given up, or alternatively to lock the device while two-factor authentication SMS messages are stolen.
  • Sending and intercepting SMS messages
  • Making and intercepting phone calls - Used either to forward or block calls from the user’s bank, or to call premium rate phone numbers.
  • Data theft - Usually SMS messages, system and app info, or a list of installed apps.
  • Send USSD requests - These are communications with a device’s service provider, which can be used to reset the device to its factory state, enable premium services, and other similar functions.
  • Antivirus detection - When an installed AV app is detected in foreground, Marcher returns the user to their home screen, preventing them from responding to any malicious software identified.
  • SOCKS proxy module - This allows fraudulent transactions to be initiated from the infected device, and can help combat certain device/IP address based security measures initiated by targeted organizations.

In the last article, we explained that while families such as Marcher are referred to as “banking trojans,” the name is less apt than it used to be. As you’re no doubt starting to realize, the potential uses for the functionality set described above are extremely extensive.

In reality, Marcher combines the traditional features of a mobile banking trojan with the more extensive functionality of a RAT, or remote access trojan. To be brutally honest, if your device is infected with a Marcher variant and the actors responsible only use it to steal your banking credentials… you’ve been let off lightly.

Early samples of Marcher exclusively targeted the Google Play store, but quickly expanded to target financial institutions in Germany and subsequently Australia. Since then, though, things have moved on a lot: in the past few years samples have been identified targeting businesses all over North and South America, Europe, and Australia.

In terms of industries, Marcher variants have been observed targeting a wide variety of financial institutions, social media companies, retail companies, payment sites, auction sites, and Android utilities.

Marcher Targets.png

BankBot: The Play Store Mole

One thing that many people don’t realize about cyber criminals is that, just like in any other area of endeavor, there’s a huge spectrum of skill levels and specialities. For every highly skilled malware developer, there are thousands of low-level actors looking to make a few bucks from somebody else’s handiwork.

But while only a vanishingly small number of threat actors possess the skills necessary to develop advanced malware from the ground up, a much more significant number are able to update and amend existing malware samples, or even add additional functionality.

So when the source code of a malware family is released, as was the case with BankBot in late 2016, that spells bad news for legitimate organizations and individuals all over the world.

Since the BankBot source code was leaked, a massive number of variants have been observed in the wild, with a wide range of different functionalities. Perhaps unsurprisingly, then, BankBot is rapidly becoming one of the most widespread banking trojans around, and has also been known as Maza-in, Spy.Banker, BankSpy, and Banker.

And here's some more bad news. Remember how we explained in the last article that it’s difficult to get malicious applications into official app stores? Well, BankBot variants have been found on the Google Play store on multiple occasions.

In some cases, the threat actors responsible uploaded apps with legitimate functionality to the Play store which once installed would attempt to download additional malicious payloads to victims’ phones. These seemingly legitimate apps were able to bypass built-in protection mechanisms because they had no direct need of the extensive permissions associated with mobile banking trojans.

Once on the phone, these apps used social engineering techniques to convince victims to change their device settings to allow apps from unknown sources, and then to download and install the actual BankBot trojan from a location outside the Play store.

In most cases, BankBot trojans possess a wide range of capabilities, which are likely to continue to expand now that the associated code is open source. Most BankBot variants are able to:

  • Display web overlays on top of targeted apps
  • Send and intercept SMS messages
  • Steal data (SMS, System and app info, contacts, installed apps, etc.)
  • Send USSD requests
  • Track victims’ GPS location
  • Request administrator privileges or additional permissions
  • Change screen unlock passwords
  • Suppress sound and vibration for notifications

In recent months BankBot samples have been observed targeting over 400 organizations across North and South America, Europe, Australia, and Asia. And given that the source code is freely available, targeting is really only limited by an attacker’s interests and the level of effort they’re willing to invest.

Staying Safe

As an individual, there are plenty of things you can do to minimize the chances of your devices being infected by mobile banking trojans. Among other things, you can:

  • Watch out for suspicious activity on your device and associated accounts, e.g., New and unknown device admin users being added, apps requesting extensive permissions, and strange activity on accounts accessed via mobile.
  • Use antivirus software. This will help you to detect indicators that can’t be identified manually.
  • Don’t “root” your devices, and don’t change your settings to allow apps from unknown sources. Seriously, just don’t do it.
  • Don’t install apps distributed by SMS, email, or ads, and don’t visit unofficial app stores.
  • Exercise caution even when installing from official stores. Only follow links to applications from trusted sites, and if you’re in any doubt, don’t install.
  • Keep software and operating systems up to date, as many malware variants prey on older, insecure versions.
  • Enable account notifications from your bank. Most banks offer these for when certain types of activity are detected.

But of course, mobile banking trojans aren’t just an issue for individuals. If you’re concerned your organization or customers could be harmed by mobile banking trojans, there are are several steps you can take:

  • Attacks will happen. Educate your customers, particularly if your organization offers one or more legitimate apps through official app stores, and provide users with best practice information.
  • Allow users to report attacks or suspicious applications, and make sure you look into each reported incident.
  • Make use of alternative two-factor authentication techniques (i.e., not SMS) - Physical tokens, biometrics, and one-time password applications are all good options.
  • Monitor transactions and IP geolocation information to identify suspicious activity. On the same note, provide your users with an easy way of informing you about upcoming travel or significant activity in order to avoid unnecessary lockouts.
  • Offer account notifications to inform your users of suspicious activity.

Avoiding Brand Damage

As we’ve already noted, one of the most popular means of disguising mobile malware, including banking trojans, is to disguise them as legitimate, well-known apps. Adobe Flash Player and Super Mario Run might be two of the most common right now, but hundreds of other organizations’ apps are targeted every month.

In order to win the trust of potential victims, rogue mobile apps may use your brand or imply your approval. This abuse not only tarnishes your brand, it also distracts customers from your official mobile apps, and dilutes their value.

At PhishLabs, we’re committed to fighting back against unauthorized mobile apps. We actively monitor over 100 official and unofficial app stores, analyzing current, updated, and new mobile applications, scouring for potential brand abuse issues on behalf of our customers.

When possible brand abuse is detected, we confirm the abuse, determine whether the app is malicious, review it for security risk, and (if appropriate) take immediate action to shut it down.

To find out more about our rogue mobile app protection service, click here.

Topics: Phishing, Android, Banking Trojan

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all