- The malware first appeared in 2015 and has since been upgraded, outperforming other banking malware such as Svpeng and Faketoken.
- Although Asacub primarily targeted Russian users, the malware also hit users from Ukraine, Turkey, Germany, Belarus, US and other nations.
The Asacub banking malware, which first appeared in 2015, has infected over 250,000 users in Russia. Over the years, the cybercriminals operating the malware have upgraded it, even distributing it as part of a large-scale campaign in 2017.
Asacab’s increasing infections helped it rise rapidly last year, even outperforming other banking malware variants such as Svpeng andFaketoken. Although Asacub primarily targeted Russian users, the malware also hit users from Ukraine, Turkey, Germany, Belarus, Poland, Armenia, Kazakhstan, US and other nations.
“We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015, when the first versions of the malware were detected, analyzed, and found to be more adept at spying than stealing funds,” Kaspersky Lab researchers, who took a deep dive into the malware, wrote in a blog.
Asacub is distributed via phishing SMS messages that contain a link and an offer to view an MMS or a photo. The link redirects users to an APK file of the Trojan. The malware masquerades as an MMS app.
Depending on the version of Asacub, the malware prompts users to either enable device administrator rights or requests permission to use accessibility service. Once the malware obtains the permission, it sets itself as the default SMS app and vanishes from the infected device’s screen.
“Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone,” Kaspersky researchers said. “Moreover, the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number.”