Malicious Android banker for Serbank
Sonicwall Threats Research team observed reports of another Android banker that targets a specific bank, this time the target is a Russian bank - Serbank.
Once the apk is installed and opened we see an overlay that covers the entire screen, this overlay asks for Administrative access and the language used is Russian. There is no way for the user to close this overlay and he is forced to grant the privileges. Upon receiving administrative access however the app displays an error message (shown in the images below) and closes the User Interface. This gives an impression to the user that the app stopped working but in reality the app keeps running in the background.
The app initiates a WebSocket connection with the attacker and uses this protocol to perform further communication:
The app transmits sensitive data stored on the device to the attacker:
- Sensitive device related data is transmitted to the attackers:
- Operator Name
- Phone number
- User's contact list:
During our analysis the app attempted to send SMS to Sberbank which is a Russian banking and financial services company. As seen in the image below the app sends a message "balance" to the number 900, this is a facility provided by Sberbank to its customers for checking their balance:
The code in the app is obfuscated to make it difficult for automated tools and security analysts to easily understand/analyze its real motives:
This app has an image for the logo of Serbank in its resources folder:
We installed the official Serbank app on the device but did not see any activity that would use this image. In the past we have seen apps that would show a custom overlay image when a particular targeted app is opened on an infected device, however that was not the case here. Perhaps there will be some additions to this app in the future.
Overall this is yet another targeted Android banker malware that attempts to extract sensitive user information and send SMS messages to perform specific activities.
MD5 with package name com.jfaxw.azatbtvf:
SonicWALL provides protection against this threat via the following signature:
- GAV: AndroidOS.Banker.SB (Trojan)
The sample communicated with the following domain/ip: