A new variant of the BankBot malware family is exclusively targeting Google Play in a bid to steal Android users' credit card details.
Infection begins when an unsuspecting user downloads Jewels Star Classic, a mobile game created by a developer named "GameDevTony." Upon successful installation, the app's malicious functionality waits 20 minutes after the user launches Jewels Star Classic for the first time. It then prompts them to enable something called "Google Service" in the Accessibility Services.
Figure 3 – “Google Service” listed among Android Accessibility services. (Source: ESET)
A native Android application, Accessibility Services helps users with disabilities interact with their device and other apps. It does so by receiving notifications when a user interacts with an app, for instance, and by performing gestures like clicks and swipes in order to help the user.
It's easy to see how someone might abuse Accessibility Services to conduct malicious activity on an infected device. ESET malware analyst Lukas Stefanko elaborates on this possibility with respect to Jewels Star Classic:
"Clicking on OK grants accessibility permissions to the malware’s own accessibility service. By granting these permissions, the user gives the malware a free hand – almost literally – to carry out any tasks it needs to continue its malicious activity."
Indeed, the malware uses a fake Google service update screen to conceal all types of nefarious tasks, including the installation of apps from unknown sources, the designation of BankBot as the default SMS messaging app, and the acquisition of the permission to draw over other apps. BankBot, in turn, abuses these high-level rights to create an overlay that attempts to steal a user's credit card details whenever they visit Google Play on their device. If the user has two-step verification enabled on their bank account, the malware can then steal the resulting SMS code.
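Because the whole chain hinges on a rogue accessibility service being enabled, one practical check for defenders is to audit which services are actually switched on. The following script is an added example (not code from the article or from ESET): it parses the value of Android's Secure setting `enabled_accessibility_services`, which `adb shell settings get secure enabled_accessibility_services` prints as a colon-separated list of `package/ServiceClass` entries, and flags entries whose package is not on an allowlist or whose service name imitates Google without belonging to a Google package. The allowlist, the sample setting value and the package name `com.example.jewelsgame` are constructed for illustration.

```python
"""Audit enabled Android accessibility services for rogue entries.

Obtain the raw value from a connected device with:
    adb shell settings get secure enabled_accessibility_services
The value is a colon-separated list of `package/ServiceClass` entries
(the class may be written relative to the package as `.ServiceClass`);
it is the literal string "null" when no service is enabled.
"""
from dataclasses import dataclass

# Hypothetical allowlist: packages expected to provide accessibility
# services on a managed device fleet. Adjust to what you actually deploy.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str

    @property
    def short_name(self) -> str:
        """Class name without its package prefix, e.g. 'GoogleService'."""
        return self.service_class.rsplit(".", 1)[-1]


def parse_enabled_services(value: str) -> list:
    """Parse the raw setting value into AccessibilityService records."""
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than crash the audit
        package, service_class = entry.split("/", 1)
        if service_class.startswith("."):
            # Relative class name: expand it to the fully qualified form.
            service_class = package + service_class
        services.append(AccessibilityService(package, service_class))
    return services


def audit(value: str, allowed=ALLOWED_PACKAGES) -> list:
    """Return (service, reasons) pairs for every entry that looks suspicious."""
    findings = []
    for svc in parse_enabled_services(value):
        reasons = []
        if svc.package not in allowed:
            reasons.append("package not in allowlist")
        # Heuristic: a service calling itself "Google ..." from a non-Google
        # package matches the social-engineering pattern described above.
        if "google" in svc.short_name.lower() and not svc.package.startswith("com.google."):
            reasons.append("service name imitates Google but package is not Google's")
        if reasons:
            findings.append((svc, reasons))
    return findings


# Constructed sample: a legitimate TalkBack entry followed by a rogue one.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.jewelsgame/.GoogleService"
)

if __name__ == "__main__":
    for svc, reasons in audit(SAMPLE_VALUE):
        print(f"SUSPICIOUS {svc.package} ({svc.service_class}): {'; '.join(reasons)}")
```

Run it against the real setting value from a device (`adb shell settings get secure enabled_accessibility_services`) and treat any finding as a prompt to inspect the owning package, its install source and whether it also holds the draw-over-other-apps permission the article describes.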
Figure 7 – Fake form requesting user’s credit card details. (Source: ESET)
This isn't the first time BankBot has abused the Accessibility Services in an attempt to infect unsuspecting users' Android devices. In August 2017, researchers at both SfyLabs detected the fake "Google Service" prompt originating from two other applications available for download on Google's Play Store. Unlike Jewels Star Classic, however, those programs lacked an APK file that completed the infection chain.
To protect against threats such as BankBot, users should download applications only from trusted developers on Google's Play Store. They should also install an anti-virus solution onto their devices and should exercise caution around any program that seeks to add itself to the approved list of Accessibility Services.
News of this malware variant comes just days after SfyLabs detected another Android banking trojan called Red Alert 2.0