A new Android banking malware family was recently found targeting users in Brazil. The trojans are distributed not only through the Google Play store but also on Facebook through promoted ads. The Android banker impersonates a performance-improving app called “Clean Droid” with over 500 installs, a Facebook monitoring app “Quem viu teu perfil” with over 10,000 installs, and “MaxCupons” with over 1,000 installs from the official app store. To stay under the radar, the apps can only be downloaded and installed in Brazil. I reported all these apps to Google's security team.

Figure 1. Courtesy of @defesa_digital

Figure 2. Infiltration available for download for more than a month

Distribution

The earliest recorded infiltration has been available for more than a month; it was uploaded on September 13, 2018. There are also two Facebook pages, one of which distributes the Clean Droid infiltration. Both pages were created on October 24, 2018 using the same profile picture as the one on Google Play. One of the pages lists Sao Paulo, Brazil as its address to attract more people from that particular region.

Figure 3. Facebook page for Clean Droid

Figure 4. Facebook page with address in Sao Paulo, Brazil

Functionality

Once installed and launched, the apps ask the user to enable Accessibility services, so that the infiltration can obtain the name of the application that has just been launched and its content – in this case user input and activity text. The purpose is to lure users into entering their credentials into a fake activity that belongs to the infiltration. This trojan family targets at least 26 mobile apps: not only mobile banking apps but also financial, multimedia entertainment, social media, shopping and other applications. When I analyzed this Trojan, the attacker’s server was down and I could not retrieve any phishing activity; however, I created a video of the first launch for illustration purposes.

Targeted applications

Here is the list of targeted package names, or parts of them – such as Uber – so that the malware can match as many different services as possible.

Figure 5. Malware targeted apps to steal credentials from

Malware removal

The attacker did not implement any advanced uninstall protection, so it is not particularly difficult to uninstall the infiltration from an infected device.

Go to Settings -> Apps/Application manager -> CleanDroid/Quem viu teu perfil/MaxCupons -> Uninstall
IoC

App name              Number of installs   Hash
Quem viu teu perfil   10,000+              F6A18F93534EE68FD86A8CD3087B87BA
MaxCupons             1,000+               3AF6DEAC02F825DDEAF0AC2EAA013FF3
CleanDroid            500+                 DA7ABC91B29F8B2F33FEB1B1EDDC979A

Targeted package names:

br.com.gabba.Caixa
br.com.original.bank
com.itau
com.mercadolibre
com.bradesco
br.com.bb
com.contextlogic.wish
com.santander.app
com.santandermovelempresarial.app
com.taxis99
alibaba.aliexpresshd
brainweb.ifood
.uber
la.foton.brb.myphone
.spotify
.netflix
.recarga
android.webmotors
com.itaucard
com.hipercard
com.credicard
com.paypal.android
com.android.vending
com.facebook
com.novapontocom.casasbahi
com.b2w.americanas
.netshoes
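The Functionality section describes the banker matching the name of a launched app against its target list, and the IoC section gives the hashes and the target list. The following triage helper is an added example written for this post; it is not code from the original analysis or from the malware. It assumes that the malware performs a substring match against the list (the post says "package names or their parts"), that the listed hashes are MD5 (they are 32 hexadecimal characters), and it uses a constructed `pm list packages` output and a constructed file as sample input.

```python
"""Triage helper: which installed apps would this banker overlay, and does a
sample file match one of the published IoC hashes?

Added example, not the post's own code. Assumptions:
  - substring matching of launched package names (post: "names or their parts");
  - IoC hashes are MD5 (32 hex characters) - an assumption;
  - the `pm list packages` output below is constructed for the demo.
"""
import hashlib

# IoC hashes copied from the post, normalised to lower case, mapped to app name.
IOC_HASHES = {
    "f6a18f93534ee68fd86a8cd3087b87ba": "Quem viu teu perfil",
    "3af6deac02f825ddeaf0ac2eaa013ff3": "MaxCupons",
    "da7abc91b29f8b2f33feb1b1eddc979a": "CleanDroid",
}

# Targeted package names (or fragments) exactly as listed in the post.
TARGETED = [
    "br.com.gabba.Caixa", "br.com.original.bank", "com.itau", "com.mercadolibre",
    "com.bradesco", "br.com.bb", "com.contextlogic.wish", "com.santander.app",
    "com.santandermovelempresarial.app", "com.taxis99", "alibaba.aliexpresshd",
    "brainweb.ifood", ".uber", "la.foton.brb.myphone", ".spotify", ".netflix",
    ".recarga", "android.webmotors", "com.itaucard", "com.hipercard",
    "com.credicard", "com.paypal.android", "com.android.vending", "com.facebook",
    "com.novapontocom.casasbahi", "com.b2w.americanas", ".netshoes",
]


def matches_target(package):
    """Return the first target entry contained in `package`, or None.

    Substring containment is an assumption: fragments such as ".uber" or
    ".spotify" only make sense if the banker matches parts of the name.
    """
    for target in TARGETED:
        if target in package:
            return target
    return None


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output (lines like 'package:com.itau')."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def installed_at_risk(pm_output):
    """Map each installed package the banker would overlay to the matching entry."""
    at_risk = {}
    for package in parse_pm_list(pm_output):
        hit = matches_target(package)
        if hit is not None:
            at_risk[package] = hit
    return at_risk


def lookup_hash(hexdigest):
    """Return the IoC app name for a hash string (any case), or None."""
    return IOC_HASHES.get(hexdigest.strip().lower())


def identify_sample(data):
    """Hash raw file bytes with MD5 (assumed algorithm) and look them up."""
    return lookup_hash(hashlib.md5(data).hexdigest())


# Constructed sample output of `adb shell pm list packages` for the demo.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending
package:com.itau
package:com.ubercab
package:com.spotify.music
package:com.example.notes
"""

if __name__ == "__main__":
    for package, hit in installed_at_risk(SAMPLE_PM_OUTPUT).items():
        print(f"{package:24s} would be overlaid (matches '{hit}')")
    # A constructed, benign byte string: it should not match any IoC hash.
    print("constructed sample ->", identify_sample(b"constructed benign sample"))
```

Run it on a real device by piping `adb shell pm list packages` into `installed_at_risk`; the hash lookup is meant for files pulled off the device, and an unrelated file (as in the demo) returns None.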

Acknowledgment

This analysis would not have been possible without @defesa_digital, who discovered this threat, and @MalwareHunterBR, who informed me about it.

If you would like to stay up-to-date with the latest Android threats, feel free to follow me on Twitter – Lukas Stefanko.