Android banking Trojan delivers customized phishing pages straight from the cloud 

Oct 22, 2015 09:01 AM


We have discovered a new Android threat that uses flexible social-engineering techniques to steal banking credentials from a wide range of users. Rather than disguising itself as a specific app, Android.Fakelogin identifies the banking app that’s running on the device and overlays a customized, fraudulent login page over the user interface. It does this by accessing cloud-based logic hosted on a remote command-and-control (C&C) server to determine the exact phishing page to display. Although the malware targets legitimate apps available on Google Play, the apps that download Fakelogin are not available on Google Play.

The malware also uses stealth technologies and obfuscation techniques to make itself difficult to find and reverse-engineer. All of these features make Android.Fakelogin a formidable threat to mobile devices.

How does Android.Fakelogin work?
Android.Fakelogin is currently targeting Russian speakers but doesn’t affect the latest update to Android, known as Marshmallow. The Trojan arrives as the payload from downloader malware that affects Android devices. This malware comes in the form of fake apps (in this case, games) that attempt to download and install other malware on the compromised device. Once installed, the malware poses as a replacement for the default SMS app and tries to register itself as the device administrator. The threat also hides its icon to prevent users from easily locating or deleting it.

Figure 1. Android.Fakelogin tries to gain permission of a device administrator (left) and replace the default SMS app (right)
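The traits just described (a device-administrator receiver, a bid to become the default SMS app, and no visible entry point) are all declared in or absent from an app's manifest, so they make a cheap static triage signal. The following is an added example of such a heuristic written for this page; it is not Symantec's detection logic, and the sample manifest it parses is constructed to reproduce the described traits rather than taken from a real sample. The Android permission and action names it checks are the standard ones an app must declare to receive the device-admin and SMS-delivery broadcasts.

```python
"""Manifest triage heuristic for the traits described in the Android.Fakelogin
write-up (added example; not Symantec's detection logic)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest reproducing the traits the post describes;
# the package name is a placeholder, not a real indicator.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".OverlayService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _filter_names(intent_filter, tag):
    return {_attr(e, "name") for e in intent_filter.findall(tag)}


def _has_launcher_filter(activity):
    """True if any single intent-filter carries both MAIN and LAUNCHER."""
    for f in activity.findall("intent-filter"):
        if ("android.intent.action.MAIN" in _filter_names(f, "action")
                and "android.intent.category.LAUNCHER" in _filter_names(f, "category")):
            return True
    return False


def triage_manifest(manifest_xml):
    """Return the indicators found and a flag when two or more co-occur."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    indicators = []
    if app is not None:
        for receiver in app.findall("receiver"):
            perm = _attr(receiver, "permission")
            actions = set()
            for f in receiver.findall("intent-filter"):
                actions |= _filter_names(f, "action")
            # Device-administrator receiver: the app can ask to become an admin.
            if (perm == "android.permission.BIND_DEVICE_ADMIN"
                    and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
                indicators.append("device-admin receiver")
            # SMS_DELIVER receiver guarded by BROADCAST_SMS: the app is
            # eligible to be chosen as the default SMS app.
            if (perm == "android.permission.BROADCAST_SMS"
                    and "android.provider.Telephony.SMS_DELIVER" in actions):
                indicators.append("default-SMS-app receiver")
        # A payload with no launcher activity has no icon to begin with.
        # Note: samples can also hide an existing icon at runtime, so this
        # static check is only a weak indicator on its own.
        if not any(_has_launcher_filter(a) for a in app.findall("activity")):
            indicators.append("no launcher activity")
    return {
        "package": root.get("package"),
        "indicators": indicators,
        "score": len(indicators),
        "flag": len(indicators) >= 2,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Any one of these indicators has legitimate uses (real SMS apps declare the SMS_DELIVER receiver; MDM agents declare device-admin receivers), which is why the heuristic only flags when they co-occur, and why a flag should route a sample to analysis rather than stand as a verdict.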

If the Trojan gains these permissions, then it can carry out its data-stealing activities, as shown in the following image:

Figure 2. Android.Fakelogin steals login credentials from compromised devices by leveraging cloud-based logic from its C&C server.

The Trojan first downloads a list of application package names from its C&C server and saves it in a preference file. This tells the threat which legitimate banking apps to target with content injections.

Figure 3. Android.Fakelogin stores the list of targeted banking apps in a preference file saved to the device.

The malware then queries the name of the app currently running on the device. If this app is on the list, then the threat sends the app’s package name to the C&C server. The server responds with a phishing page that mimics the appearance of the targeted app. The flexibility afforded by this cloud-based approach means that the malware does not need to be updated each time the targeted banks change the look or format of their mobile banking apps.

Next, the malware uses WebView to display this customized phishing page on top of the running app’s interface. If the user tries to log in through the fraudulent page, then their login credentials will be sent directly to the attackers’ C&C server.

Figure 4. An example of a phishing page that Android.Fakelogin may display over the legitimate running app

Android.Fakelogin’s phishing tactics aren’t its only advanced feature. The malware doesn’t require the user to launch it once it infects the device, making the Trojan hard to spot. The threat is also difficult to reverse engineer, thanks to its obfuscation techniques and the way it obtains targeted apps from a remote location.

Room to evolve: Could 2FA codes be targeted next?
This phishing method makes Android.Fakelogin a flexible and extensible threat. It allows attackers to continuously add more fraudulent banking pages to their C&C server, which is much easier than infecting devices with new malware variants that pose as particular banking apps. And while the threat currently focuses on banking apps, it could download new package lists to target other online services, social networks, and more.

Additionally, the malware could be used to bypass two-factor authentication (2FA). The attackers could first obtain banking login credentials through their typical fraudulent pages. They could then send another phishing page requesting the 2FA code that was sent to the user’s mobile device or email address, letting them gain access to the protected account.

Mitigation
App developers should protect their users from these kinds of threats by adding separate authorization steps after the user logs in. For example, before the user approves a transaction in a banking app or modifies sensitive account information in a social networking app, they should be prompted to authenticate themselves again.
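The following is an added example of how that separate authorization step can be modelled on the server side; it is not code from Symantec or from any banking app. It goes one step beyond the paragraph: the re-authentication is not only required after login but is bound to the exact action being approved and expires quickly, so a password or a one-time code captured by an overlay page cannot be replayed to approve a different transaction later. The user store is an in-memory stand-in, and the one-time code is returned to the caller only so the example runs offline; in a real deployment it is delivered out of band.

```python
"""Step-up authorization bound to a specific action (added example; not
Symantec's or any bank's code). A logged-in session alone never authorizes a
sensitive action."""
import hashlib
import hmac
import secrets
import time

STEP_UP_TTL = 120   # seconds a completed step-up stays valid for its action
CODE_TTL = 300      # seconds an unissued-yet-unused challenge code stays valid


def action_digest(action):
    """Canonical hash of the exact action being approved (type, payee, amount...)."""
    canonical = "|".join("%s=%s" % (k, action[k]) for k in sorted(action))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuthServer:
    def __init__(self):
        self._users = {}        # user -> (salt, pbkdf2 hash); in-memory stand-in
        self._sessions = {}     # session id -> {"user", "approved": {digest: expiry}}
        self._challenges = {}   # challenge id -> {"sid", "digest", "code", "expiry"}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def login(self, user, password):
        """Primary authentication: returns a session id, or None on failure."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(self._kdf(password, rec[0]), rec[1]):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "approved": {}}
        return sid

    def begin_step_up(self, sid, action, now=None):
        """Issue a one-time code tied to this session AND this exact action.
        Returned in-band here only so the example runs offline."""
        now = time.time() if now is None else now
        if sid not in self._sessions:
            return None
        cid = secrets.token_urlsafe(16)
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._challenges[cid] = {"sid": sid, "digest": action_digest(action),
                                 "code": code, "expiry": now + CODE_TTL}
        return cid, code

    def complete_step_up(self, sid, cid, code, now=None):
        """Verify the code; a challenge is consumed on first use, right or wrong."""
        now = time.time() if now is None else now
        ch = self._challenges.pop(cid, None)
        if ch is None or ch["sid"] != sid or now > ch["expiry"]:
            return False
        if not hmac.compare_digest(ch["code"], code):
            return False
        self._sessions[sid]["approved"][ch["digest"]] = now + STEP_UP_TTL
        return True

    def authorize(self, sid, action, now=None):
        """Approve the action only if a fresh step-up exists for this exact action.
        The approval is consumed so it cannot be reused."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        expiry = sess["approved"].pop(action_digest(action), None)
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")
    sid = srv.login("alice", "correct horse battery staple")
    transfer = {"type": "transfer", "to": "ACCT-1", "amount": "50.00"}
    cid, code = srv.begin_step_up(sid, transfer)
    assert srv.complete_step_up(sid, cid, code)
    print("approved:", srv.authorize(sid, transfer))
```

Binding the step-up to the action digest is what makes the difference against an overlay: a phishing page can only ask the user for a code the bank has actually issued, and that code approves nothing but the transaction the user was looking at when it was issued.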

We recommend the following measures to allow users to protect their devices against this threat:

  • Install Android 6.0 Marshmallow once it’s made available to the device, as it blocks Android.Fakelogin’s functionalities.
  • Use a comprehensive security solution such as Symantec Mobility or Norton Mobile Security to protect against mobile threats.
  • Keep software up to date.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by an app.

Protection
Symantec and Norton products detect this threat as Android.Fakelogin.
