Notorious Android trojan has managed to make a comeback on the Google Play Store. Hiding as a gaming application, BankBot gaming trojan carrying app raked in thousands of downloads before it was removed by the search giant.
Potentially stealing financial data from thousands of its victims, BankBot had made its first appearance on the official Play Store earlier this year. The trojan would display an overlay that looked exactly like the victim's banking app login page to steal credentials. After getting purged from the Store in April, security researchers discovered it again, earlier this September.
The banking trojan has been evolving throughout the year, resurfacing in different versions both on and outside Google Play. The variant we discovered on Google Play on September 4, is the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.
BankBot, credit card stealing Android malware is back! [how it works]
Security researchers at ESET revealed in their report today that this time the banking trojan was found hidden inside an Android game, Jewels Star Classic. Before it was removed, the Android game is believed to have been downloaded over 5,000 times.
When users downloaded the app (developed by GameDevTony), they got a fully functioning Android game that came loaded with some hidden extras, including the banking trojan payload lurking inside its resources along with a malicious service waiting to be triggered after a pre-set delay.
This pre-set delay was set to be 20 minutes. After a user plays the game for the first, it will wait until 20 minutes before running the program to install BankBot banking trojan. After this delay, even if the user has closed the app and has moved on to another application, it will present an alert titled "Google Service," which the user can't get rid of unless they click on the "OK" button.
They are then taken to the Android Accessibility menu, where it shows the malware-created "Google Service" among legitimate services. When the user clicks on it, it shows a description that looks exactly like Google's original Terms of Service. Here the user is asked to give several permissions, including:
- Observe your actions
- Retrieve window content
- Turn on Explore by Touch
- Turn on enhanced web accessibility
- Perform gestures
In the last screen of the above gallery, if the user clicks on OK, the malware essentially gets a free hand to carry out tasks to continue to its goal of stealing financial details. When compared to earlier versions, the latest BankBot was able to steal the victims' credit card details in a more believable way by pretending to be Google Play itself, and not a banking app.
"If the user falls for the fake form and enters their credit card details, the attackers have essentially won," the researchers warned. "The techniques combined make it very difficult for the victim to recognize the threat in time."