2022 started with several new Android banking Trojans appearing on the threat landscape. At the same time, the existing ones are constantly updating their capabilities following each other’s pace and introducing game-changing features. Our threat intelligence shows that malware families with ability to perform On-Device Fraud (ODF) are seen more and more often, making it a worrying trend. To give a more tangible sense of the danger that these malware families pose, in this blog we showcase a demo of a Automated Transfer System (ATS) attack, which can be used to perform ODF.

In addition to this, ThreatFabric analysts continue to discover more droppers on Google Play having thousands of installations and distributing banking Trojans since the beginning of 2022.

 this.fieldNames = new String[] {
     "email",
     "month",
     "number",
     "password",
     "search",
     "tel",
     "text",
     "time",
     "url",
     "week"
 };
 ...
 private String prepareOverlay(String target, String overlayData, String overlayType) {
     if (overlayType.equals("url")) {
         return overlayData;
     }

     String[] fieldNames = this.fieldNames;
     int index;
     for (index = 0; index < fieldNames.length; ++index) {
         overlayData = overlayData.replace(
             "type=\"" + fieldNames[index] + "\" ",
             "type=\"" + fieldNames[index] + "\" onblur=\"Android.on_blur_send(this.name,this.value)\" ");
     }
     ...
 }

The concept is not new as other malware families use the same approach to perform actions on victims’ behalf which result in On-Device Fraud (ODF). The same goes for Ermac – while we have not seen it performing ODF, such semi-automated attacks are a worrying trend on the current threat landscape, and we expect more malware families absorbing this approach.

Google Play distribution

Threat actors continue to consider droppers on Google Play as one of the most effective ways to deliver malware to victims: being installed from the official store, an app is less likely to be doubted when asking for some suspicious actions.

One of the latest droppers discovered by ThreatFabric is posing as cleaner app and has 5k+ installations. It operates similarly to other known droppers, downloading the payload from GitHub and installing it. During this campaign ThreatFabric analysts observed this dropper distributing Hydra, a mobile banking Trojan that is also on the rise in terms of number of samples seen in-the-wild. Hydra is a well-known Trojan armed with RAT capabilities; thus it is also able to perform On-Device Fraud (ODF). The following screenshots show the process of payload installation:

Just like most of mobile banking Trojans, Hydra first requests enabling AccessibilityService in order to present overlays and perform actions on the infected device.

Android 13 Restrictions

Google decided to finally address the issues generated by the Abuse of Accessibility Services.

The beta version of Android 13 presents a new approach to enabling AccessibilityService of applications installed from third-party sources. This new version features a new option called “restricted settings”, which include AccessibilityService.

In the case of a dropper installing a payload, user will not be able to easily enable AccessibilityService for it, as it will greyed out and unavailable by default. To enable it, user will have to perform more explicit actions and confirm it with device password.

However, our research shows that such mitigation is not enough and these restrictions can be fairly easily overcome. The following screenshot shows two proof-of-concept applications, one behaving like the droppers we usually encounter on Google Play Store, while the second uses a different technique with a slight change in installation process. Doing so, ThreatFabric researchers managed to avoid the restricted settings in the second PoC application.

Although introduced changes can protect users from certain malware on new version of Android, we believe that most of the actors will quickly adapt to the restrictions with a slight change in their MO until a stricter approach will be introduced. However, Android operating system is known for its openness and availability, so it is definitely a question of balance for developers. That is why it is necessary for financial organizations to pay more attention to the current landscape and oversee the changes of it.

On-Device Fraud

As it is clearly demonstrated by the section above, 2022 has been an extremely active year for Android Banking malware. This trend has been consistent and a continuation of what we have seen in 2021. As previously discussed, we have observed not only the appearance of new families in the Android threat landscape, but also the continuous improvement of existing ones.

From ATO to ODF

We are witnessing an Android banking malware spring season, where the full focus and attention by criminals is changing and switching very rapidly from the Account TakeOver (ATO) modus operandi, to something more complicated, but also more lucrative: in fact, more and more malware families are now implementing some sort of On-Device Fraud (ODF) capability.

Every banking family that we observe currently presents ATO capabilities.
If ATO malware, which relies on credential theft to be used on a separate channel, was predominant a few years back, nowadays ODF seems to be the new requirement for new Android banking malware. Based on our Threat Intelligence, ThreatFabric has observed a 40% increase or ODF malware in Q1 of 2022.

Most families that are currently active implement some degree of ODF, ranging from the ability of modifying UI fields like username and password text boxes, to the capability of logging in a banking application and transfering funds automatically by downloading and executing fully programmable scripts (ATS - Automated Transfer System).

In the case of malware families like Gustuff and Sharkbot, which implement full ATS, criminals are able to define a specific set of actions, based on Android version, device manufacturer, and banking application, to be executed to achieve their goals. These action include, but are not limited to, enabling installation from unknown sources, granting themselves permissions, using stolen credentials to login in the banking application, checking balances and performing transactions.

All the above actions happen on the victim’s device, and unless some behavioural analysis is performed, a transaction completed with this attack MO will look no different from a legitimate one from the point of view of a fraud scoring engine.

ATS Demo

To give a better understanding of what ODF looks like, we developed a Proof of Concept (PoC) ATS malware, designed to attack a fictitious banking application. In the following video you will see how malware can interact with the UI and successfully login using previously stolen credentials and perform a transaction. The steps are slowed down to allow the viewer to understand what is happening. However, in a real case scenario, the whole process would happen in a few instants, leaving no time to react to the victim.

With capabilities like ATS and other Accessibility Service powered features, it is clear that even if a malware variant is not targeting a bank with overlays, it can still perform a large variety of attacks. For this reason it is vital to have preventive and pro-active detection solutions in order to prevent this attacks before they are initiated.

How to deal with possible infections and fraud

What to do in the unfortunate event of a fraud attempt?

If an financial institution or a customer suspects being victim of some sort of fraud, a contact with the technical assistance team is the first step in understanding what happened and helping the potential victim.

What follows is a list of questions to ask potential victims, whose answers could help in assessing the likelyhood of actual fraud, combined with suspicious transfers observed from the banking institution side and other fraud indicators:

• Do you remember if you have recently installed any new application? Was that application installed from Google Play store or from a third-party source?

The first step in any infection chain is the installation of a new application, may that application be a dropper or the malware itself. In addition, applications installed from sources other than Google Play Store, like third-party markets or websites, are more likely to be dangerous. As previously discussed, installing from Google Play Store is not fully safe either, but it is still preferable to the alternative.

• Have you given some unusual permission or enabled something (like for example Accessibility Services)?

Most modern Android malware is able to grant itself all the permissions required to execute its nefarious code. However, in order to do so, the user will have to manually grant one single privilege to the malware. That is the Accessibility Services privilige. Without this, the malware is not able to interact with the UI and simulate button clicks and text inputs.

• Was your device acting strangely? Examples of this might be: flashing screens, blinking windows, login asked for the first time in a while.

When malware executes, it will grant itself a series of permissions needed to interact with the system, like the permission to manage SMS, Notifications, Camera, and so on. To do so, it will generate a pop up on the screen and then automatically click it thanks to Accessibility Services. To the user, this behaviour will look like a series of screens popping up and disappearing instantly.

• Were you contacted by your bank?

Criminals also often impersonate technical assistance personnel of the bank to convince users to install malware on their device. In these cases, the operator will ask to install some application that could be either malware or Remote Access Software that will grant criminals full access to the device.

In case of confirmed infection, what should a customer do?

Unfortunately, there is no silver bullet in case of infection. Different malware operates differently, and for the average user, uninstalling the malware can be very hard if not impossible. In this cases, the only process that we can recommend is a full factory reset of the device together with a change of all credentials, both for banking applications as well as social media apps and cryptowallets.

How to mitigate risks?

With the growing number of active malware families that can perform On-Device Fraud, it has become a challenge for fraud prevention/detection departments to prevent and investigate fraud coming from the same device that customer uses every day. To understand the real impact and prevent losses a proper solution should be in place to gain visibility on the malware infecting customers’ devices. Moreover, solution should provide visibility not only on the known malware or already seen samples of it (so-called hash-based detection) but to detect unknown malware relying on its malicious behaviour. Such approach allows to have full picture of possible risks that can be properly mitigated.

Proper on-device detection of malware also helps to gain visibility on distribution channels and proactively notify customers about new distribution campaigns to raise their awareness. Powered with continuous authentication based on behavioural biometrics, such solution becomes a great source of TI-based risk-score for every account and makes fraud detection and prevention easier for financial organisations.