Android Trojan that intercepts voice calls to banks just got more stealthy

0
5

A lot of the brand new obfuscation is the results of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. Consequently, Zimperium initially believed the malicious apps they have been analyzing have been a part of a beforehand unknown malware household. Then the researchers dumped the .dex file from an contaminated gadget’s reminiscence and carried out static evaluation on it.

“As we delved deeper, a sample emerged,” Ortega wrote. “The providers, receivers, and actions intently resembled these from an older malware variant with the bundle title com.safe.assistant.” That bundle allowed the researchers to hyperlink it to the FakeCall Trojan.

Lots of the new options don’t seem like totally carried out but. In addition to the obfuscation, different new capabilities embody:

Bluetooth Receiver

This receiver features primarily as a listener, monitoring Bluetooth standing and modifications. Notably, there is no such thing as a fast proof of malicious habits within the supply code, elevating questions on whether or not it serves as a placeholder for future performance.

Display Receiver

Much like the Bluetooth receiver, this part solely screens the display’s state (on/off) with out revealing any malicious exercise within the supply code.

Accessibility Service

The malware incorporates a brand new service inherited from the Android Accessibility Service, granting it vital management over the person interface and the power to seize data displayed on the display. The decompiled code reveals strategies similar to onAccessibilityEvent() and onCreate() carried out in native code, obscuring their particular malicious intent.

Whereas the supplied code snippet focuses on the service’s lifecycle strategies carried out in native code, earlier variations of the malware give us clues about potential performance:

  • Monitoring Dialer Exercise: The service seems to watch occasions from the com.skt.prod.dialer bundle (the inventory dialer app), doubtlessly permitting it to detect when the person is making an attempt to make calls utilizing apps apart from the malware itself.
  • Computerized Permission Granting: The service appears able to detecting permission prompts from the com.google.android.permissioncontroller (system permission supervisor) and com.android.systemui (system UI). Upon detecting particular occasions (e.g., TYPE_WINDOW_STATE_CHANGED), it might probably robotically grant permissions for the malware, bypassing person consent.
  • Distant Management: The malware allows distant attackers to take full management of the sufferer’s gadget UI, permitting them to simulate person interactions, similar to clicks, gestures, and navigation throughout apps. This functionality allows the attacker to govern the gadget with precision.

Telephone Listener Service

This service acts as a conduit between the malware and its Command and Management (C2) server, permitting the attacker to challenge instructions and execute actions on the contaminated gadget. Like its predecessor, the brand new variant supplies attackers with a complete set of capabilities (see the desk under). Some functionalities have been moved to native code, whereas others are new additions, additional enhancing the malware’s means to compromise gadgets.

The Kaspersky submit from 2022 mentioned that the one language supported by FakeCall was Korean and that the Trojan appeared to focus on a number of particular banks in South Korea. Final yr, researchers from safety agency ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese language, though there have been no indications individuals talking these languages have been truly focused.



Source link