Fake WeChat – New Trojan-Banker

Nowadays, Internet financial services are growing rapidly. More and more online financial services are accessible from mobile devices. This helps customers and boosts economic development. Mobile apps are exploring this new frontier, including password-protected payment services among other popular features such as messaging. For criminals, this offers a new opportunity to steal sensitive information and get hold of other people’s cash.

WeChat is a famous mobile instant messenger in China. It’s most often used by people chatting with their friends and colleagues, and it also allows users to make payments. It’s very easy to use, but it means you have to tie your bank details to your messenger account. WeChat’s huge market share also makes it a tempting target for criminals, who are developing Trojan-bankers to mimic it.

Recently Kaspersky Lab intercepted a new Trojan-Banker of this kind. It is detected as Trojan-Banker.AndroidOS.Basti.a. This Android app is disguised as a normal WeChat app on the phone.

It requests some sensitive privileges, such as android.permission.RECEIVE_SMS.

The author of the Trojan wanted to prevent analysts from reverse engineering the code, so it is encrypted with ‘bangcle secapk’. We couldn’t get any useful information out of this encrypted sample.

After decoding the sample, we saw its true colors. It is capable of many types of malicious behavior. There are also some packages to make its GUI look more professional, which in turn makes it a more potent phishing tool.

When executed it opens a special GUI to let users input their bank related information, including bank card number, PIN code and mobile phone number.

After gathering all this information, the Trojan sends it to the Trojan author’s email address.

This Trojan-Banker also registers a BootReceiver, which monitors newly received text messages and package-uninstall broadcasts on the infected phone. These are also sent to the Trojan author’s email address.
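
The permission request and the BootReceiver behaviour described above give a defender a static triage signal. The following is an added example, not Kaspersky Lab’s tooling: it parses a decoded AndroidManifest.xml and flags an app that asks for SMS access and registers a receiver for boot, incoming-SMS and package-removal broadcasts. The manifest is constructed for the example, and the mapping of "uninstall broadcasts" to PACKAGE_REMOVED is an assumption.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest are namespaced (android:name); element names are not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Permissions and broadcast actions that together match the behaviour profile
# described for Basti.a (SMS access plus a persistent receiver).
SUSPICIOUS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.PACKAGE_REMOVED",  # assumed mapping of "uninstall broadcasts"
}

def triage_manifest(xml_text):
    """Return (score, findings) for a decoded manifest.
    A score of 3 or more means SMS access is combined with the receiver pattern."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    findings = ["permission " + p for p in sorted(perms & SUSPICIOUS_PERMS)]
    findings += ["receiver action " + a for a in sorted(actions & SUSPICIOUS_ACTIONS)]
    return len(findings), findings

# Constructed manifest modelled on the described behaviour (not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="WeChat">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    score, findings = triage_manifest(SAMPLE_MANIFEST)
    print(score, findings)
```

Run it over manifests extracted with any APK decoder; a benign messenger rarely needs all three broadcast actions together with RECEIVE_SMS.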

The author’s email address is stored in plaintext in the code, so we could go further.

When we saw the mailbox, we found lots of victims.

Although the mailbox has been blocked by the 126 email service, information belonging to many victims had already been stolen and stored in the archive.

As online financial services get more and more popular we need to take even more care of our privacy. Mobile users are already under threat, and we have to take steps to protect ourselves. We advise you to:

  • Install mobile security software.
  • Be sure to update the software’s databases to the latest version.
  • DO NOT visit any suspicious websites or download unfamiliar apps.
  • Before you enter any sensitive information, make sure you know who is asking for it, and why.
