Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe

Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that pretend to deliver a new version of Flash Player, cybercriminals are now are using hacked sites (including WordPress and Joomla) to distribute the malware posing as a “porn player”:

SpyLocker_InfectedWebsite_PornDroid
As soon as the user accesses the website, the following file is downloaded:

SpyLocker_PornVideoDownloaded
The “PornDroid” theme of the injected site and the filename “pornvideo.apk” looked familiar to us; that distribution method is very similar to the one used by the Android ransomware Police Locker at the end of 2014. Could this mean that Police Locker and SpyLocker are related? We decided to take a look at old samples from both malware families and, after some research, we found what seems to be the missing link between the two.

The purpose of the samples is different (ransomware vs. banking Trojan) but there are some similarities that suggest the creators of the ransomware at some point shifted its focus to target banking users. For example, in both samples we can find the same intent-filter and the same class names for two receivers:
SpyLocker_GC_ServiceIn addition to these receivers, there are more classes in common between the two samples, including Autorun, AdminService, and DeviceAdminChecker:

Spylocker_CommonClassesIn addition to the hacked websites distribution method, SpyLocker uses adult sites to lure users and trigger the automatic download of the malware:
Spylocker_Avitoi
Even when the filename of the downloaded file is pornvideo.apk, when the app is installed it appears to be Flash Player (as with the original variants):
Spylocker_FlashPlayerIcon
Or, recently, an “update”:

UpdateIcon

As soon as the app is executed, the icon disappears from the home launcher and the malware constantly asks for device administrator privileges to make its removal difficult:

Spylocker_DevAdmin

If the user tries to deactivate the device administrator for the app, the malware locks the device, with the following screen preventing the user from clicking the deactivate button behind the cover:

SpyLocker_AdminLock

SpyLocker originally targeted banks in Australia, New Zealand, and Turkey; now it monitors the opening of banking and financial apps in additional European countries to display the phishing overlay and capture banking credentials. The following is an example of the overlay targeting banks in Poland:

SpyLocker_PolishBanks
Users in France are also targeted by recent variants of SpyLocker:

SpyLocker_FrenchBanks

A different and more complete phishing overlay was found in variants targeting banks in the United Kingdom:

SpyLocker_UK_Scotland

Instead of showing the phishing overlays from a remote server, recent SpyLocker variants have them implemented in the app itself, perhaps to avoid locking the victim’s device if the remote server is not available. Because of this we found that there are plans to target banks in Italy, although the overlay interface is not implemented in the variants that we have seen so far. On the other hand, the overlay interface for Russian banks is already implemented but currently not being used because the package names are not in the list of targeted banks. But they could be included in a new variant at any time.

SpyLocker also monitors the execution of Google and popular apps such as Instagram and eBay to display the Google phishing overlay, which now attempts to get more than just the email and password of the Google account:

SpyLocker_GooglePhishing_ValitationOfFields
The fields in the overlay user interface are now validated. If the victim does not provide the information or if it is incorrect (with credit cards an algorithm confirms that the number is valid), the overlay cannot be skipped—thus hijacking the device until the victim enters the correct information. In the case of the credit card field, SpyLocker validates the type of card and, following that, will display an additional field to capture the second factor of authentication needed for electronic transactions:

SpyLocker_2FA_phishing
In addition to the phishing functionality, SpyLocker constantly sends encrypted data to a remote server:

SpyLocker_first_communication
The decrypted data is in the JavaScript Object Notation format, and reports the current status of the infected device:

SpyLocker_Report
The data includes device information, the default SMS app, if the malware has device administrator active, if it is currently locked, if any of the targeted banking apps are installed in the device, if intercepting incoming SMS messages is enabled (smsgrab), and if the device is rooted. Using the same format, SpyLocker can leak to a remote server the SMS messages in the inbox (inboxmessage), SMS being sent (sentmessage), the call history (callhistory), and installed apps (instapps):

SpyLocker_InstAppsDecryptedAndroid banking Trojans such as SpyLocker are constantly evolving, adding new targets and distribution methods, and improving their phishing techniques to obtain even more data that will allow cybercriminals to perform fraudulent electronic transactions. To protect yourselves from this threat, employ security software on your mobile, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, users should not trust applications downloaded from unknown sources.

McAfee Mobile Security detects this Android threat as Android/SpyLocker and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

 

Package names of targeted financial apps

Turkey

  • com.akbank.softotp
  • com.akbank.android.apps.akbank_direkt_tablet
  • com.akbank.android.apps.akbank_direkt
  • com.teb
  • com.ziraat.ziraatmobil
  • com.tmobtech.halkbank
  • com.pozitron.iscep
  • com.garanti.cepsubesi
  • com.ykb.android
  • finansbank.enpara
  • com.finansbank.mobile.cepsube

Poland

  • eu.eleader.mobilebanking.pekao
  • eu.eleader.mobilebanking.pekao.firm
  • hr.asseco.android.mtoken.pekao
  • eu.eleader.mobilebanking.raiffeisen
  • pl.pkobp.iko
  • pl.mbank
  • pl.ing.ingmobile
  • com.comarch.mobile
  • com.getingroup.mobilebanking
  • pl.bzwbk.bzwbk24
  • wit.android.bcpBankingApp.millenniumPL

Australia

  • au.com.nab.mobile
  • com.commbank.netbank
  • com.cba.android.netbank
  • org.stgeorge.bank
  • org.banking.tablet.stgeorge
  • au.com.bankwest.mobile
  • com.bendigobank.mobile
  • org.westpac.bank
  • au.com.mebank.banking
  • com.anz.android.gomoney

New Zealand

  • nz.co.anz.android.mobilebanking
  • nz.co.asb.asbmobile
  • nz.co.bnz.droidbanking
  • nz.co.kiwibank.mobile
  • nz.co.westpac

France

  • net.bnpparibas.mescomptes
  • fr.lcl.android.customerarea
  • fr.laposte.lapostemobile
  • fr.creditagricole.androidapp
  • fr.banquepopulaire.cyberplus
  • com.cm_prod.bad
  • com.caisseepargne.android.mobilebanking

Russia

  • ru.sberbankmobile
  • ru.vtb24.mobilebanking.android
  • ru.alfabank.mobile.android
  • com.idamob.tinkoff.android
  • ru.bpc.mobilebank.android
  • ru.bankuralsib.mb.android

United Kingdom

  • com.barclays.android.barclaysmobilebanking
  • uk.co.santander.santanderUK
  • com.rbs.mobile.android.natwest

Targeted apps

  • com.android.vending
  • com.google.android.music
  • com.google.android.apps.plus
  • com.android.chrome
  • com.google.android.apps.maps
  • com.google.android.youtube
  • com.google.android.apps.photos
  • com.google.android.apps.books
  • com.google.android.apps.docs
  • com.google.android.apps.docs.editors.docs
  • com.google.android.videos
  • com.google.android.gm
  • com.whatsapp
  • com.skype.raider
  • com.google.android.play.games
  • com.paypal.android.p2pmobile
  • com.ebay.mobile
  • com.instagram.android
  • com.instagram.layout

Leave a Comment

12 − three =