Android Banking Application Infected With Data Stealing Trojan

There are 42 cheap Android models currently infected with the Triada banking Trojan, which steals data and intercepts chats on targeted devices.

The IT security researchers at the Russia-based anti-virus firm Dr. Web have identified 42 low-cost Android devices infected with a dangerous banking Trojan that the firm first discovered in July 2017. The malware aims at stealing personal and financial data from targeted devices.

A few months back we covered a mobile banking Trojan that sneaked into the Play Store to target banking apps.

Dubbed Android.Triada.231 by researchers, the malware is able to download malicious plugins that steal banking credentials from the user and intercept social media and messenger communications.

The Android banking Trojan was found as part of a fake Flash Player app on third-party app stores. The fake app asks users for administrator rights right after installation. Even if a user initially denies admin access, the app keeps throwing pop-up windows until the user accepts. Once the app gains admin rights, it hides its icon and looks for financial apps.

Malware was detected on Android that targets the apps of 232 banks worldwide, including some in India. Reported in a Quick Heal blog post, the malware, called Android.Banker.A2f8a, is capable of stealing personal data, intercepting SMS messages that contain OTPs, stealing contacts, and has carried out nefarious activities involving some banking apps.

This malware has been found searching for 232 apps related to banking and cryptocurrency services, according to the Quick Heal blog post. If it finds any of these apps on a user’s smartphone, it generates a fake notification on behalf of the banking app. Once the notification is opened, the malware displays a fake login screen, which allows the Trojan to steal confidential information such as the login ID and password for the banking app.

The data collected by Android.Banker.A2f8a isn’t limited to details from the banking app. Quick Heal states that the Trojan is able to hijack SMS messages, disclose location details and steal contact lists, which it uploads to malicious servers. Consumers with banking apps on their Android devices should note that Adobe Flash Player has been discontinued since Android 4.1.

Furthermore, the malware can root devices and infect Zygote, also known as the “app process,” which is the parent of all Android application processes. This means targeted users are left with no other choice but to reinstall the operating system, losing their personal data if there is no backup.

“Once the Trojans inject into this module, they penetrate other running applications. In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software.”

Previously, Dr. Web had found Triada malware in the low-cost Android devices Leagoo M8, Leagoo M5 Plus, Nomu S20 and Nomu S10, which also came with the malware pre-installed. Now the researchers have identified 42 more Android manufacturers whose smartphones have been infected by the malware.

“The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the system library. They do not distribute the Trojan as a separate program. As a result, the malicious application penetrates the device firmware during manufacture. Users receive their devices already infected from the box.”

In this case, however, the researchers analyzed the affected vendors and traced the culprit back to a software development firm in Shanghai, China, noting that the malware was injected into the firmware at the request of a Leagoo partner, which happened to be the same Shanghai-based firm.

This Shanghai-based software development firm provided Leagoo with one of its applications to be included in an image of the mobile operating system, along with an instruction to add third-party code to the system libraries before they were compiled. Unfortunately, this controversial request did not arouse any suspicion at the manufacturer. Ultimately, Android.Triada.231 got onto the smartphones without any obstacles.
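The supply-chain weakness described above is that code was added to system libraries between the build the vendor thought it was shipping and the firmware that actually left the factory. One defensive control an integrator or auditor can apply is a build-time hash manifest of the system partition that the shipped image is checked against. The script below is an added example and is not code from the article, Dr. Web, Leagoo or any other party named on the page; the manifest format ("sha256  relative/path"), the file names and the file contents are constructed for the demonstration, and the three tampering cases (a modified library, an extra library, a missing library) are assumed rather than taken from the Triada analysis.

```python
"""Added example: audit an unpacked Android system partition against a
build-time SHA-256 manifest and report what changed after the build.

Assumptions (hypothetical, not from the article): the integrator records
one 'hexdigest  relative/path' line per file under system/lib at build
time, and the shipped image has been unpacked into a directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streaming it in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text: str) -> dict:
    """Parse 'hexdigest  relative/path' lines into {path: digest}.
    Blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest.lower()
    return entries


def audit_system_libs(root: Path, manifest: dict) -> dict:
    """Compare every file under root with the manifest and return:
    modified   - present, but digest differs (code added to a library)
    unexpected - present in the image, absent from the manifest
    missing    - listed in the manifest, absent from the image
    """
    found = {}
    for path in root.rglob("*"):
        if path.is_file():
            found[path.relative_to(root).as_posix()] = hash_file(path)
    modified = sorted(p for p, d in found.items()
                      if p in manifest and manifest[p] != d)
    unexpected = sorted(p for p in found if p not in manifest)
    missing = sorted(p for p in manifest if p not in found)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def build_demo_image(base: Path) -> tuple:
    """Construct a small system/lib tree, record a manifest of its intended
    contents, then tamper with it after the fact (constructed data).
    Returns (image_root, manifest_text)."""
    lib = base / "system" / "lib"
    lib.mkdir(parents=True)
    clean = {
        "libandroid_runtime.so": b"clean runtime library bytes",
        "libc.so": b"clean libc bytes",
        "libbinder.so": b"clean binder bytes",
    }
    for name, data in clean.items():
        (lib / name).write_bytes(data)
    lines = ["# constructed build manifest"]
    for name, data in clean.items():
        lines.append(f"{hashlib.sha256(data).hexdigest()}  system/lib/{name}")
    # Post-build tampering: extra bytes in one library, a library that was
    # never in the build, and one library removed.
    (lib / "libandroid_runtime.so").write_bytes(clean["libandroid_runtime.so"]
                                                + b"+added code")
    (lib / "libextra.so").write_bytes(b"not in the build manifest")
    (lib / "libbinder.so").unlink()
    return base, "\n".join(lines)


def run_demo() -> dict:
    """Build the constructed image in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest_text = build_demo_image(Path(tmp))
        return audit_system_libs(root, load_manifest(manifest_text))


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

The manifest is only as trustworthy as the place it is stored: it should be produced from the build the vendor signs off on and kept outside the path the firmware travels, otherwise whoever can alter the libraries can alter the manifest too.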

A list shared by Dr. Web shows the companies and model numbers currently affected. Keep in mind that this is not a comprehensive list; the researchers believe the number of infected devices could be much bigger.

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus

Currently, the malware is targeting users in Russia, China and other Central European countries, but it is only a matter of time before it reaches users of low-cost Android devices in other countries. Dr. Web claims that its “Security Space for Android Version 12” protects Android devices from threats like Triada.

credits: HackRead

Ashwini Gurne

Ashwini Gurne is a software developer and a contributor to Security Leaks. As a contributor, her aim is to work on the latest technologies and to spread cyber awareness among the general public.
