An Android threat that steals victims' login credentials for mobile banking applications was recently found on Google Play. The app "Easy Rates Converter" was available on the Store for six days and was downloaded over 500 times before it was removed. This Trojan lures victims into entering their login credentials for social media, mobile banking and cryptocurrency apps. The list of targeted apps is requested from the attacker's server after start, based on the apps installed on the infected device. This list, together with the code responsible for impersonating the legitimate applications, is received from the attacker's server and then stored in a database.

Figure 1. Banking Trojan impersonates Easy Rates Converter

Functionality

After launch, the Trojan drops a malicious component from its assets that downloads an additional malicious payload from the attacker's server. In this particular case it downloads a member of the Red Alert 2 banking Trojan family. The downloaded payload is responsible for the malicious functionality; the dropper itself only fetches and installs it. The attacker could in theory swap the link on the server to deliver a different malicious app.

Figure 2. Execution model of the Trojan

After authorization, the server sends more than one link to malicious applications. These apps and links are probably generated on the server.

Figure 3. Network communication of component

Once the app is downloaded, it demands that the user install it manually. Cancelling the installation does not help, because the request is displayed again and again until the victim is annoyed enough to install it. The same applies to the request to activate it as device administrator.





Once installed, "Update Flash Player" sends the names of the installed apps to the attacker's server. Scripts on the server evaluate these apps and send back which apps should be targeted, including the HTML code responsible for the fake activity displayed to the victim. This information is stored in a database, so after infection I could identify the targeted apps. The set of targeted applications can be updated dynamically based on apps installed afterwards.

Figure 4. Database contains list of targeted apps

The banking Trojan sets triggers and waits in the background until one of the targeted apps is launched. Once such an app is executed (the one named in the templateName column), the malware uses overlay phishing to display its own malicious activity on top of it and trick the victim into entering their credentials. The credentials are then sent to the attacker's server. This banker is also capable of bypassing SMS two-factor authentication (2FA).
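To make the targeting mechanism concrete, here is an added triage helper (not the malware's code and not part of the original analysis) that reads a targeted-app database pulled from an infected device and reports which installed apps would be overlaid. The page only names the templateName column; the table name targets and the package and html columns are assumptions, as are all package names, the sample HTML and the pm list packages output, which are constructed inline so the script runs offline.

```python
"""Inspect a banker's targeted-app database and report which installed apps
it would overlay.

Added example, not the malware's or the post author's code. Schema
assumption: table 'targets' with columns package, templateName, html
(only templateName is mentioned on the page). Adjust the SELECT to the
schema actually found in the pulled database.
"""
import os
import sqlite3
import tempfile

# Constructed stand-in for the rows the C2 returns after evaluating the
# installed-app list: (package, templateName, overlay HTML). Hypothetical.
SAMPLE_TARGETS = [
    ("com.example.bank", "bank_login",
     "<form><input name='user'><input name='pass' type='password'></form>"),
    ("com.example.wallet", "crypto_login",
     "<form><input name='seed'></form>"),
    ("com.example.social", "social_login",
     "<form><input name='email'><input name='pass' type='password'></form>"),
]

# Constructed output of 'adb shell pm list packages' on the infected device.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.example.bank
package:com.example.social
package:com.example.updateflashplayer
"""


def build_sample_db(path=None):
    """Create a database with the assumed schema for offline testing."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "targets.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE targets (package TEXT, templateName TEXT, html TEXT)")
    con.executemany("INSERT INTO targets VALUES (?, ?, ?)", SAMPLE_TARGETS)
    con.commit()
    con.close()
    return path


def load_targets(db_path):
    """Return {package: (templateName, html)} from the pulled database."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT package, templateName, html FROM targets").fetchall()
    finally:
        con.close()
    return {pkg: (tpl, html) for pkg, tpl, html in rows}


def parse_pm_list(text):
    """Parse 'package:<name>' lines from 'pm list packages' output."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def overlaid_apps(targets, installed):
    """Installed packages the banker would overlay, mapped to their template."""
    return {pkg: targets[pkg][0] for pkg in sorted(installed) if pkg in targets}


def dump_templates(targets, outdir):
    """Write each overlay HTML to <outdir>/<templateName>.html so the fake
    login forms (and the fields they harvest) can be reviewed."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for pkg, (tpl, html) in targets.items():
        path = os.path.join(outdir, f"{tpl}.html")
        with open(path, "w", encoding="utf-8") as f:
            f.write(f"<!-- overlay for {pkg} -->\n{html}\n")
        written.append(path)
    return sorted(written)


def demo():
    """End-to-end run on the constructed data; returns the findings."""
    db = build_sample_db()
    targets = load_targets(db)
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    outdir = os.path.join(os.path.dirname(db), "overlays")
    return {
        "targets": sorted(targets),
        "overlaid": overlaid_apps(targets, installed),
        "templates": dump_templates(targets, outdir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real device the database would be pulled from the malware's private data directory (root or a backup is needed), and the installed-app list from adb shell pm list packages; comparing the two tells you which accounts the victim should treat as compromised, since the targeted set can change as apps are installed.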

The activities in the foreground (Update Flash Player) belong to the malware and overlay the targeted activities in the background.

Figure 5. Overlaying legitimate apps by malware viewed in recent apps menu

Video demonstration

The video analysis of this threat covers:

How a potential victim can get infected
How it steals users' credentials for banking apps
Code analysis
How to remove it

How to remove it

First, the victim needs to deactivate its device administrator rights by going to Settings -> Security -> Device administrators -> Secured protection -> Deactivate, and then uninstall it from Settings -> Apps/Application manager -> Update Flash Player -> Uninstall.

Note that the malware uses different names in these two settings screens: "Secured protection" under Device administrators and "Update Flash Player" in the Apps list.





Acknowledgment

A similar dropper was recently discovered by ThreatFabric, but with a different malicious payload: Anubis.

References

Analysis of Red Alert 2.0

IoC

If you would like to replicate this analysis, you can download the APK sample from the Koodous project for free here: Easy Rates Converter

File                                                                              Hash (MD5)
com.hieulaixe.android.apps.apk                                                    3F51CE5E968F34F50958F50A44468D28
loader-packed(4-2-1).dex                                                          E288216A6BD6184E55B720C7D3CD959A
UpdateFlashPlayer_i80hxoyg6jdp2m6xcqa6c3uqjfdup8gd1izf7wxx_protected_213314.apk   EEC38F8B8FB9C3475EA386D3AF47471D
qsjbdgzslix                                                                       EC52DD905CA35555CB8043CE0773C136

URLs / IPs
ffpanel.ru
188.68.210.33
178.132.78.51
my-apps-1026f.firebaseio.com
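The hashes above are exact-match indicators, so a repacked or re-obfuscated variant will not hit them; a miss means "unknown", not "clean". As an added example (not part of the original post), the following script scans a directory of APK and DEX files, for instance the result of adb pull of a suspicious device's app directories and Downloads folder, against the post's MD5 IoCs. The sample directory and the extra "hypothetical" IoC it registers are constructed so the script runs offline.

```python
"""Scan a directory of pulled APK/DEX files against the MD5 IoCs from this
post.

Added example, not part of the original analysis. The hash table holds the
post's IoCs; the sample directory and the extra IoC registered in demo()
are constructed fixtures.
"""
import hashlib
import os
import tempfile

# MD5 IoCs taken from the post's IoC section (hash -> file it identifies).
IOC_MD5 = {
    "3F51CE5E968F34F50958F50A44468D28": "com.hieulaixe.android.apps.apk (Easy Rates Converter dropper)",
    "E288216A6BD6184E55B720C7D3CD959A": "loader-packed(4-2-1).dex",
    "EEC38F8B8FB9C3475EA386D3AF47471D": "UpdateFlashPlayer_i80hxoyg6jdp2m6xcqa6c3uqjfdup8gd1izf7wxx_protected_213314.apk",
    "EC52DD905CA35555CB8043CE0773C136": "qsjbdgzslix",
}
# "" covers extension-less blobs such as qsjbdgzslix.
SCAN_EXTENSIONS = (".apk", ".dex", ".jar", "")


def md5_bytes(data):
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path, chunk_size=1 << 20):
    """Stream the file so large APKs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_directory(directory, iocs=IOC_MD5):
    """Return [(path, md5, ioc_label)] for every file whose MD5 is an IoC."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(root, name)
            digest = md5_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return sorted(hits)


def make_sample_dir():
    """Constructed fixture: a benign file and a 'suspect' file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "benign.apk"), "wb") as f:
        f.write(b"not the trojan")
    with open(os.path.join(d, "suspect.apk"), "wb") as f:
        f.write(b"constructed payload stand-in")
    return d


def demo():
    """Scan once with the post's IoCs (no hits expected on constructed files)
    and once with a hypothetical extra IoC registered for suspect.apk."""
    d = make_sample_dir()
    real_hits = scan_directory(d)
    extended = dict(IOC_MD5)
    extended[md5_file(os.path.join(d, "suspect.apk"))] = "constructed sample (hypothetical IoC)"
    return real_hits, scan_directory(d, extended)


if __name__ == "__main__":
    for path, digest, label in demo()[1]:
        print(f"{digest}  {path}  <- {label}")
```

MD5 is used here only because those are the hashes the post publishes; when building your own indicator list, record SHA-256 alongside, since MD5 collisions are cheap to produce and a published MD5 alone is easy for an attacker to evade.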

If you would like to stay up-to-date with the latest Android threats, follow me on Twitter and subscribe to my YouTube channel.