Banking apps targeted in Brazil by a revamped trojan

A revamped banking malware dubbed BrazKing (previously referred to as PixStealer by Check Point Research and detected around November 2018) is found targeting banking apps in Brazil. 

The malware which has been classified as an Android remote access trojan (RAT) is capable of conducting financial fraud attacks, equipped with the ability to steal two factor authentication codes, enabling transferal of money from the victim’s account into an account owned by the threat actor. 

Shahar Tavor, a researcher associated with IBM X-Force, reported that “It turns out that its developers have been working on making the malware more agile than before, moving its core overlay mechanism to pull fake overlay screens from the command-and-control (C2) server in real-time.” In addition to this, “The malware […] allows the attacker to log keystrokes, extract the password, take over, initiate a transaction, and grab other transaction authorization details to complete it.” 

IBM X-Force is a cloud-based intelligence platform that enables research on security threats, collection of intelligence, consultation with experts and collaboration with peers.   

In an attempt to first gain access to a target’s device, a social engineering message containing a link to a HTTPS website is sent. The message sent is disguised as a security warning with a suggestion to update the device to the latest version however, for the intrusion to be successful, the target will need to directly enable a setting to allow installation of apps from unknown sources. 

Unlike the previous version of the BrazKing malware which presented a fake screen obtained from a hardcoded URL whilst the legitimate app was in use, the newer version of the malware is executed on the server-side to enable the series of targeted apps to be altered without a change being made upon the malware.   

“The detection of which app is being opened is now done server side, and the malware regularly sends on-screen content to the C2. Credential grabbing is then activated from the C2 server, and not by an automatic command from the malware”, stated Tavor. 

A common trait associated with banking trojans is that upon successful installation, only a single action is required from the victim such as the enabling of Android’s Accessibility Service. Once enabled, the malware is equipped with the required permission needed to gather private information including SMS messages, contact lists and keystroke capturing.   

As described by Lukas Stefanko an ESET researcher “Accessibility Service is long known to be the Achilles’ heel if the Android operating system.” 

“Should the user attempt to restore the device to manufactory settings, BrazKing would quickly tap the ‘Back’ and ‘Home’ buttons faster than a human could, preventing them from removing the malware in that manner,” said Tavor.   

“Major desktop banking trojans have long abandoned the consumer banking realms for bigger bounties in BEC (business Email Compromise) fraud, ransomware attacks and high-value individual heists,” reported Tavor. “This, together with the ongoing trend of online banking transitioning to mobile, caused a void in the underground cybercrime arena to be filled by mobile banking malware.”