Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that pretend to deliver a new version of Flash Player, cybercriminals are now are using hacked sites (including WordPress and Joomla) to distribute the malware posing as a “porn player”:
As soon as the user accesses the website, the following file is downloaded:
The “PornDroid” theme of the injected site and the filename “pornvideo.apk” looked familiar to us; that distribution method is very similar to the one used by the Android ransomware Police Locker at the end of 2014. Could this mean that Police Locker and SpyLocker are related? We decided to take a look at old samples from both malware families and, after some research, we found what seems to be the missing link between the two.
The purpose of the samples is different (ransomware vs. banking Trojan) but there are some similarities that suggest the creators of the ransomware at some point shifted its focus to target banking users. For example, in both samples we can find the same intent-filter and the same class names for two receivers:
In addition to these receivers, there are more classes in common between the two samples, including Autorun, AdminService, and DeviceAdminChecker:
In addition to the hacked websites distribution method, SpyLocker uses adult sites to lure users and trigger the automatic download of the malware:
Even when the filename of the downloaded file is pornvideo.apk, when the app is installed it appears to be Flash Player (as with the original variants):
Or, recently, an “update”:
As soon as the app is executed, the icon disappears from the home launcher and the malware constantly asks for device administrator privileges to make its removal difficult:
If the user tries to deactivate the device administrator for the app, the malware locks the device, with the following screen preventing the user from clicking the deactivate button behind the cover:
SpyLocker originally targeted banks in Australia, New Zealand, and Turkey; now it monitors the opening of banking and financial apps in additional European countries to display the phishing overlay and capture banking credentials. The following is an example of the overlay targeting banks in Poland:
Users in France are also targeted by recent variants of SpyLocker:
A different and more complete phishing overlay was found in variants targeting banks in the United Kingdom:
Instead of showing the phishing overlays from a remote server, recent SpyLocker variants have them implemented in the app itself, perhaps to avoid locking the victim’s device if the remote server is not available. Because of this we found that there are plans to target banks in Italy, although the overlay interface is not implemented in the variants that we have seen so far. On the other hand, the overlay interface for Russian banks is already implemented but currently not being used because the package names are not in the list of targeted banks. But they could be included in a new variant at any time.
SpyLocker also monitors the execution of Google and popular apps such as Instagram and eBay to display the Google phishing overlay, which now attempts to get more than just the email and password of the Google account:
The fields in the overlay user interface are now validated. If the victim does not provide the information or if it is incorrect (with credit cards an algorithm confirms that the number is valid), the overlay cannot be skipped—thus hijacking the device until the victim enters the correct information. In the case of the credit card field, SpyLocker validates the type of card and, following that, will display an additional field to capture the second factor of authentication needed for electronic transactions:
In addition to the phishing functionality, SpyLocker constantly sends encrypted data to a remote server:
The data includes device information, the default SMS app, if the malware has device administrator active, if it is currently locked, if any of the targeted banking apps are installed in the device, if intercepting incoming SMS messages is enabled (smsgrab), and if the device is rooted. Using the same format, SpyLocker can leak to a remote server the SMS messages in the inbox (inboxmessage), SMS being sent (sentmessage), the call history (callhistory), and installed apps (instapps):
Android banking Trojans such as SpyLocker are constantly evolving, adding new targets and distribution methods, and improving their phishing techniques to obtain even more data that will allow cybercriminals to perform fraudulent electronic transactions. To protect yourselves from this threat, employ security software on your mobile, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, users should not trust applications downloaded from unknown sources.
McAfee Mobile Security detects this Android threat as Android/SpyLocker and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.
Package names of targeted financial apps