[MART] - Daily Diary #437 - New Brazilian Android Banking Malware Wiping Devices

CTAS-MAT ctas-mat at appgate.com
Mon Jan 24 20:17:05 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

24/01/2022 - Diary entry #437

In our Daily Diaries #242, #260 and #265, we covered some Android banking trojans and some of their features, engineered to steal banking and e-commerce credentials while staying hidden on the user's device.

This week a new campaign for a Brazilian malware family was disclosed. The malware is deployed in several stages to avoid detection. The first stage, the downloader, is a very lightweight APK that can be distributed in phishing campaigns; similar downloaders have also been distributed through the Google Play Store. After being installed, the malware asks for the accessibility permission, which it can use to monitor other applications and take control of the device (acting as a Remote Access Trojan).

Its capabilities are very similar to those of the other Brazilian Android banking trojans, but this new sample contains a very dangerous kill switch. Besides being able to self-delete, this malware uses the device administration permission to factory reset the device upon receiving the command. Attackers can use this after the theft is completed to erase their footprints, or when the malware suspects it is being executed in a virtual environment for analysis purposes. The malware also receives a list of security tools installed on the device, such as AV software, and attempts to remove them before activating its data exfiltration capabilities.
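The permission pattern described above (an accessibility service for RAT-style control, a device-admin receiver for the factory-reset kill switch, and install/uninstall permissions for a staged downloader) is something an analyst can triage statically from the manifest before running anything. The following is an added example, not Appgate's analysis tooling and not code from the sample; it assumes the AndroidManifest.xml has already been decoded to text (for instance with apktool), and the two manifests embedded in it are constructed for illustration, not real samples.

```python
"""
Static triage of a decoded AndroidManifest.xml for the pattern discussed in the
diary entry: accessibility service + device-admin receiver + dropper permissions.
Added example; the manifests below are constructed, not taken from real samples.
"""
import json
import xml.etree.ElementTree as ET

# Namespace that apktool/aapt use for android:* attributes in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# An accessibility service is protected by this permission and answers this action.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# A device-admin receiver (required before DevicePolicyManager.wipeData can be used).
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# uses-permission entries that fit a staged downloader / self-removal flow.
STAGING_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideload the next stage
    "android.permission.REQUEST_DELETE_PACKAGES",   # uninstall apps, including itself
    "android.permission.QUERY_ALL_PACKAGES",        # enumerate installed apps (AV etc.)
}


def _actions(component):
    """All intent-filter action names declared on a service/receiver element."""
    return {a.get(A_NAME) for f in component.findall("intent-filter")
            for a in f.findall("action")}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the suspicious declarations found in one decoded manifest plus a verdict."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    requested = {p.get(A_NAME) for p in root.findall("uses-permission")}
    findings = {
        "package": root.get("package"),
        "accessibility_services": [],
        "device_admin_receivers": [],
        "staging_permissions": sorted(requested & STAGING_PERMISSIONS),
    }
    if app is not None:
        for svc in app.findall("service"):
            if svc.get(A_PERMISSION) == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in _actions(svc):
                findings["accessibility_services"].append(svc.get(A_NAME))
        for rcv in app.findall("receiver"):
            if rcv.get(A_PERMISSION) == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ACTION in _actions(rcv):
                findings["device_admin_receivers"].append(rcv.get(A_NAME))

    # Weighting: accessibility and device admin together are the RAT + wipe combination.
    score = (2 * bool(findings["accessibility_services"])
             + 2 * bool(findings["device_admin_receivers"])
             + len(findings["staging_permissions"]))
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else "review" if score >= 2 else "low"
    return findings


# Constructed manifest imitating the downloader pattern (hypothetical package name).
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="System Update">
        <service android:name=".AccSvc"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminRcv"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary app that declares none of the pattern.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage_manifest(manifest), indent=2))
```

Legitimate MDM agents and assistive-technology apps declare the same bindings, so a "suspicious" verdict is a reason to pull the sample apart, not a conviction. The check only looks at declarations; a downloader that fetches the device-admin stage later will show little more than the install permission here, which is exactly why the staged deployment gets through store review.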

Some media sources covered this campaign as being part of the malware family known as BRATA (covered in our Daily Diary #242). Our analysis of the sample code shows that this malware does not share the code or the modus operandi of the samples previously disclosed as BRATA. However, both have a similar purpose and both target Brazilian banking institutions.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
