CyberWisdom Safe Harbor Commentary:
The identified samples mainly abuse legitimate SMS- and MMS-based management applications.
This malware is devoted to stealing financial information from SMS applications and collecting data from mobile banking systems.
Samples of this malware have been discovered in Russia, China, Ukraine, Romania, Germany and other Russian-speaking countries.
The malware steals phone numbers, the list of installed banking applications, bank card balances and even location data, and later uploads the collected information to its C&C server.
Once this malware is installed on the victim's device, its icon appears on the application screen and it requests sensitive permissions, such as device administrator rights.
It then asks the user to make it the default SMS application; once the replacement is complete, the icon silently disappears from the screen and the malicious behaviour begins.
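The two installation-time indicators described above (a device-administrator component plus the components an app must declare to become the default SMS/MMS handler) can be checked statically from a decoded AndroidManifest.xml. The following triage script is an added example, not code from the original post or from gbhackers; the two manifests in it are constructed, and the permission and intent-action names are the standard Android identifiers for device administration and the default SMS role.

```python
import xml.etree.ElementTree as ET

# Android manifest namespace: ElementTree stores android:name and
# android:permission attributes under these fully qualified keys.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM = "{%s}permission" % ANDROID_NS

# Device-administrator receiver: protected by BIND_DEVICE_ADMIN and
# listening for DEVICE_ADMIN_ENABLED.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

SMS_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
}
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
# Intent actions a package must handle to be eligible as the default SMS app
# (SMS_DELIVER receiver, WAP_PUSH_DELIVER receiver, RESPOND_VIA_MESSAGE service).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the manifest indicators that match the profile in the text."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    component_perms = set()
    for tag in ("receiver", "service", "activity"):
        component_perms.update(c.get(PERM) for c in root.iter(tag))

    findings = {
        "device_admin": DEVICE_ADMIN_PERM in component_perms
                        or DEVICE_ADMIN_ACTION in actions,
        "sms_permissions": sorted(perms & SMS_PERMS),
        "default_sms_handler": sorted(actions & DEFAULT_SMS_ACTIONS),
        "location": bool(perms & LOCATION_PERMS),
    }
    # Device admin + SMS permissions + default-SMS-handler components together
    # is the combination the text describes; any one alone is common in benign apps.
    findings["matches_profile"] = (findings["device_admin"]
                                   and bool(findings["sms_permissions"])
                                   and bool(findings["default_sms_handler"]))
    return findings


# Constructed sample manifest (hypothetical package name, not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".Respond" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(m))
```

The script only reads a decoded manifest (for example the output of apktool), so it never executes the sample; hiding the launcher icon is done at runtime and does not show up here, which is why the combination of indicators rather than any single one drives the verdict.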
Two Layers of Obfuscation
It also uses two layers of obfuscation to evade detection. The first layer wraps the APK in a protective shell (a packer) so that the embedded code is not detected directly. The second layer obfuscates the code, making it harder to understand, and encrypts all strings, system calls, function names and class names using standard DES and Base64.
The operators have registered a large number of C&C domain names, many of them recent and some still active.
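A second-layer string encryption of the kind described above (DES ciphertext carried as Base64 literals) leaves a measurable trace in the decompiled code: a large share of string constants are Base64-shaped, decode to a whole number of 8-byte DES blocks, and decode to bytes that are not text. The following heuristic is an added example, not code from the original post or from gbhackers; the literal list is constructed, the 8-byte block check follows from DES being a 64-bit block cipher, and the printable-ratio and 50% thresholds are assumptions an analyst would tune against known-good apps.

```python
import base64
import binascii
import re

# Base64 alphabet, at least 8 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
DES_BLOCK = 8  # DES ciphertext length is always a multiple of 8 bytes


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    return sum(32 <= b < 127 for b in data) / len(data)


def looks_encrypted(literal: str, max_printable: float = 0.6) -> bool:
    """True if a string literal is plausibly Base64 of a DES ciphertext."""
    if not B64_RE.match(literal) or len(literal) % 4:
        return False
    try:
        raw = base64.b64decode(literal, validate=True)
    except binascii.Error:
        return False
    if len(raw) % DES_BLOCK:
        return False  # not whole DES blocks, so not DES output
    # Base64 of ordinary text decodes to mostly printable bytes; ciphertext does not.
    return printable_ratio(raw) < max_printable


def obfuscation_ratio(literals) -> float:
    """Share of literals that look like encrypted strings."""
    return sum(looks_encrypted(s) for s in literals) / len(literals)


def is_string_encrypted(literals, threshold: float = 0.5) -> bool:
    """Flag a class or APK whose literals are mostly ciphertext-shaped."""
    return obfuscation_ratio(literals) >= threshold


# Constructed literals standing in for string constants pulled from a
# decompiled class: two plain strings, one Base64 of readable text, and
# three Base64-wrapped blobs with the shape of DES ciphertext.
CONSTRUCTED_LITERALS = [
    "sendTextMessage",                          # plain API name
    "/data/data/com.example/files",             # plain path
    base64.b64encode(b"sendTextMessage!").decode(),           # Base64 of text
    base64.b64encode(bytes.fromhex("9f03e27b41c810d4")).decode(),
    base64.b64encode(bytes.fromhex("0c8a7fe3b19d5e2207c4a6f81b3dd95e")).decode(),
    base64.b64encode(bytes.fromhex("e47a2c91ff0638b5")).decode(),
]

if __name__ == "__main__":
    for s in CONSTRUCTED_LITERALS:
        print(f"{looks_encrypted(s)!s:5}  {s}")
    print("ratio:", obfuscation_ratio(CONSTRUCTED_LITERALS))
    print("string-encrypted:", is_string_encrypted(CONSTRUCTED_LITERALS))
```

Run over the string table of each class, this gives a per-class score; classes scoring near 1.0 are where a decryption routine and its key are most likely to sit, which is the starting point for recovering the strings rather than reversing the whole obfuscated code base.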
A new persistent malware family called FakeBank is spreading across Russian-speaking nations and targeting Russian banks with sophisticated obfuscation techniques to steal highly sensitive information. Identified samples are mainly abusing legitimate SMS- and MMS-based management applications. This malware specifically targets gaining financial information from SMS applications and periodically gathers pieces of …
thumbnail courtesy of gbhackers.com