- Almost 2,000 mobile banking users in Brazil unwittingly downloaded Android malware that hijacked their devices and stole their sensitive data.
- The Android malware ‘Android.BankBot.495.origin’ can gain access to victims' account balances along with other private banking data and transfer them to the cybercriminals who operate it.
A recently discovered Android trojan - ‘Android.BankBot.495.origin’ - was inadvertently downloaded by almost 2,000 Brazilians. The malware hijacked victims’ devices and stole their sensitive data. According to researchers, the malware was distributed by cybercriminals in the Google Play Store. The malware was disguised as legitimate apps that were advertised as WhatsApp monitoring apps for Android devices.
Upon installation, the malware attempts to gain access to the Android Accessibility features by opening the system settings and requesting that the user grant it the permission. Once the user grants it, the malware can operate programs in the background, automate taps, and steal the contents of active application windows.
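Because Accessibility Service access is the capability the trojan depends on, a simple device check is to list which apps currently hold it and flag any that are not expected. The script below is an added example, not code from the article or from Dr. Web; it reads the real `enabled_accessibility_services` value from `Settings.Secure` over adb when a device is attached, and otherwise audits a constructed sample string. The allowlist and the package names in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit which apps hold Accessibility
# Service access on an Android device, the capability this trojan abuses.
#
# Settings.Secure value format (colon-separated, one entry per granted service):
#   <package>/<AccessibilityService class>:<package>/<class>:...
# "null" is what `settings get` prints when nothing has been granted.

# Assumed allowlist of packages expected to hold the permission; adjust as needed.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# Constructed sample: TalkBack plus an unknown "monitoring" app (hypothetical name).
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.whatsmonitor/com.example.whatsmonitor.AccService'

# Print the package of every enabled service that is not on the allowlist.
# Usage: flag_unexpected_services "<enabled_accessibility_services value>"
flag_unexpected_services() {
    services="$1"
    if [ -z "$services" ] || [ "$services" = "null" ]; then
        return 0
    fi
    echo "$services" | tr ':' '\n' | while IFS= read -r entry; do
        pkg="${entry%%/*}"            # strip "/ServiceClass" to get the package
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;            # expected package, stay quiet
            *) echo "$pkg" ;;         # unexpected holder of Accessibility access
        esac
    done
}

# Read the live value from a connected device, or fall back to the sample.
get_enabled_services() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell settings get secure enabled_accessibility_services | tr -d '\r'
    else
        echo "$SAMPLE_SERVICES"
    fi
}

unexpected=$(flag_unexpected_services "$(get_enabled_services)")
if [ -n "$unexpected" ]; then
    echo "Unexpected apps holding Accessibility Service access:"
    echo "$unexpected"
else
    echo "No unexpected Accessibility Services enabled."
fi
```

Without a device attached, the script reports the constructed `com.example.whatsmonitor` package; with one attached, it audits the real setting.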
Moreover, to remain undetected, the malware keeps track of antivirus products and security utilities present on the device.
Dr. Web analysts analyzed how the malware behaves with the apps of some of Brazil's largest banks. Bradesco, the country's second-largest private bank, revealed that Android.BankBot.495.origin read victims’ account information and automatically attempted to log in by entering the PIN code received from its C2 server.
The malware then gained access to victims' account balances along with other private banking data and transferred them to the cybercriminals. Upon receiving a command to launch an SMS application, the malware is designed to open it, read and save the text, and send it to the C2 server. It can also recognize messages from CaixaBank S.A. and transmit them in a separate request.
“The transactional environment of the bank is safe and those operations can only be carried out through a mobile token,” Bradesco told ZDNet.
Researchers also revealed that the Android malware can be used by cybercriminals to perform phishing attacks in other applications, including Uber, Netflix, and Twitter.