Cron-Linked Malware Impersonates 2,200 Banking Apps
Security researchers are warning of new malware designed to harvest banking and card details, which could be linked to the infamous Cron cybercrime group.
The Catelites Bot shares similarities with the CronBot banking Trojan which was used to steal $900,000 before the group behind it were arrested earlier this year by the Russian authorities.
That’s according to Avast’s head of mobile threat intelligence and security, Nikolaos Chrysaidos, who said it is “likely” that Cron members have used the malware in their campaigns.
The malware is dropped onto victim Android devices via fake apps on third-party stores, malvertisements or phishing pages, and appears on the user’s screen as an innocuous-looking icon called “System Application”.
If the user clicks on it the malware will ask for admin permissions, and if granted, it will remove the icon and replace it with the familiar looking Gmail, Chrome and Google Play icons.
The hacker is banking on users clicking on these popular apps at some point, and if they do it will display a fake overlay requiring them to enter their credit card details.
That’s not all: the malware also has functionality allowing it to pose as legitimate-looking banking apps from over 2,200 financial institutions.
“Once you open your own banking app, the malware activates and places a fake overlay on your actual banking app, tricking you into entering your bank login details and also your credit card info. Once you provide this, they have access to your account and credit card,” explained Chrysaidos.
“The overlay is HTML-based and not as sophisticated as other Android banking malware such as LokiBot, Red Alert, or Exobot, but the power here is clearly in the shotgun approach: using simple phishing overlay screens, the criminals are able to target many more users, increasing their likelihood of financial gain.”
Avast has found a host of other functionality which has not yet been activated, including interception of in- and outgoing SMS messages.
“It can persistently ask for specific admin rights that could wipe data from your device or even lock you out completely,” Chrysaidos added.
Source: Information Security Magazine