Bizarro, a new banking trojan, has been discovered that can harvest bank account logins from Android mobile users. The malware originated in Brazil and is targeting banking customers of 70 banks located in South America (mostly Brazil) and Europe (Spain, Portugal, France, and Italy).

What has happened?

According to an analysis by Kaspersky, Bizarro is a mobile malware that aims to steal online banking credentials. In addition, it hijacks Bitcoin wallets from Android users.
  • It propagates via Microsoft Installer packages, which are believed to be downloaded directly by victims from malicious links sent in spam emails or installed via a trojanized app.
  • After installation, it terminates all running browser processes to end any existing sessions with online banking websites. This forces a user to sign back in, allowing the malware to harvest information.
  • Moreover, to increase its chances of success, the trojan disables the autocomplete feature in the web browser and even displays fake pop-ups to steal 2FA codes.
  • It can capture the user's screen and regularly monitors the system clipboard, looking for a Bitcoin wallet address. If it spots one, the address is swapped with a wallet belonging to the malware developers.
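The clipboard swap described in the last bullet leaves a detectable pattern on the endpoint: one checksum-valid Bitcoin address is replaced by a different checksum-valid address far faster than a person could copy a second one. The detection sketch below is an added example, not code from Kaspersky or from this article; the `<epoch_ms> <clipboard text>` log format, the 500 ms window and the sample events are constructed assumptions.

```python
import hashlib
import re

# Legacy Base58Check Bitcoin addresses: P2PKH starts with '1', P2SH with '3'.
BTC_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SWAP_WINDOW_MS = 500  # assumption: a person does not copy a second address this fast


def is_btc_address(text):
    """True if text is a legacy Bitcoin address whose Base58Check checksum verifies."""
    if not BTC_RE.fullmatch(text):
        return False
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == expected


def parse_clipboard_log(log):
    """Parse constructed '<epoch_ms> <clipboard text>' lines into (ts, text) pairs."""
    events = []
    for line in log.strip().splitlines():
        ts, _, text = line.partition(" ")
        events.append((int(ts), text.strip()))
    return events


def find_address_swaps(events):
    """Flag a valid address replaced by a different valid address within the window."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        if (before != after and t1 - t0 <= SWAP_WINDOW_MS
                and is_btc_address(before) and is_btc_address(after)):
            alerts.append((before, after, t1 - t0))
    return alerts


# Constructed sample: event 2 lands 120 ms after the user copied the first address
# (the hijacker pattern); the copy at 20000 is 8 s later and is left alone.
SAMPLE_LOG = """
1000 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
1120 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
9000 meeting notes
12000 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
20000 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
"""

ALERTS = find_address_swaps(parse_clipboard_log(SAMPLE_LOG))  # the single 120 ms swap
```

The checksum test matters: a typo or truncated address fails Base58Check, so ordinary editing of an address in the clipboard does not raise an alert.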

Obfuscation techniques

The developers behind this operation used complex obfuscation to make it harder for security researchers to perform code analysis.
  • To hinder analysis, the operators have constantly obfuscated the malware and inserted junk code; the criminals were found to be regularly improving the protection of the binaries.
  • In earlier Bizarro versions, only the entry point function was protected, while in more recent samples, a protector is being used to conceal calls of the imported API functions.

Other active banking trojans in Brazil

Several banking trojans have been found active in Brazil, targeting banking customers.
  • The Ousaban trojan was discovered targeting regional email services. It uses overlay windows for stealing credentials from financial entities.
  • The Janeleiro trojan was targeting corporate users in Brazil across multiple sectors such as engineering, retail, manufacturing, transportation, finance, government, and healthcare.

Conclusion

Bizarro is being used in an extensive operation that includes affiliates and recruitment of money mules for performing a variety of tasks. Additionally, the trojan is now spreading quickly in multiple regions. Thus, it is important for banking customers to stay vigilant and use anti-malware solutions to protect their smartphones.

Cyware Publisher