Avast has released a report detailing a new variant of the BankBot malware that targets customers of large banks including Wells Fargo, Chase, Citibank, and DiBa (formerly ING). Customers of these banks across several countries were affected by the malware, which has now been removed from Google Play.
The malicious BankBot code was found in apps masquerading as flashlight apps, which is something we’ve seen before. The code was also found hiding in a Solitaire app and a Cleaner app. Here’s a brief description of how the malware worked and how it remained undetected by the user.
The malicious activities include displaying a fake user interface laid over the legitimate banking app when the user opens it. As soon as the user enters their bank details, the criminal collects them. In some countries, banks use transaction authentication numbers (TANs), a form of two-factor authentication often used by European banks that is required to conduct online transfers. The authors of BankBot intercept the victim’s text message containing the mobile TAN, allowing them to carry out bank transfers on the user’s behalf.
Avast says this new version of BankBot was capable of performing clicks in the background once the Accessibility service was enabled, which explains why Google cracked down on developers using Accessibility services for anything beyond helping blind users operate their phones. As a result, this mode of operation is no longer available to the malware.
These apps have since been removed from the Google Play Store, but Avast notes that Google Play Protect did not detect that they were installing malware. The apps themselves usually provided their advertised function; the malicious code then installed another app from unknown sources by tricking users into granting Accessibility permissions.