Carding 4 Carders
Professional
One beautiful sunny May morning, my breakfast was interrupted by a phone call from a friend, an entrepreneur involved in the transportation of goods. In a nervous voice, he said that 2 million rubles had disappeared from his bank account. The bank's support service threw up its hands and sent my friend to file a report with the police, since the transfers had been made from the mobile application and confirmed via SMS, which by all appearances looked like a completely legitimate financial transaction.
"You're a programmer," my friend moaned into the phone, "tell me what to do." Unfortunately, it was too late to do anything, because the tool used to steal the money was a banking Trojan (a "banker") that had settled on my friend's phone long before this unfortunate incident. The loss could only have been prevented by studying in advance how this class of malicious applications works and how to defend against it. That is what we will do in today's article.
Banking Trojans before
The first full-fledged banking Trojans for the Android platform were discovered back in 2011. Of course, malware that could forward incoming SMS messages to attackers, including messages containing mTAN codes (transaction authentication codes), existed before that. Trojans that could issue USSD commands were also known: they could transfer an amount chosen by the attackers from a bank card "linked" to the phone, topping up the balance of a throwaway mobile number, or query the account balance. But these were not full-fledged banking Trojans, because their functionality fell noticeably short of their desktop counterparts.
Everything changed with the appearance of Android.SpyEye. This Trojan worked in conjunction with the SpyEye malware for Windows, which gave it the ability to bypass two-factor authentication. It worked as follows.
As soon as a user of an infected Windows machine opened a banking site in the browser, the Trojan running on the computer performed a web injection, embedding a piece of HTML code into the page, which it loaded from its config. Since the injection was performed on the client side, the banking site's URL in the browser's address bar was correct and the connection was established over HTTPS, so the content of the web page aroused no suspicion in the victim.
The text the Trojan embedded in the banking site stated that the bank had suddenly changed its terms of service and that, to log in to the bank-client system, the user needed to install a small application of about 30 KB on their mobile phone by downloading it from the suggested link "for security reasons". The app, of course, was the mobile Trojan Android.SpyEye.
This malware created no icons and could only be found in the list of running processes under the name "System". The Trojan's main task was to intercept all incoming SMS messages and forward them to the control server, whose address the malware took from its XML config.
When the victim entered a username and password on the banking site in the browser, the SpyEye Windows Trojan intercepted them and sent them to the bot owners. The attackers could then log in to the bank-client system on the bank's website at any time using these credentials, but the server would send the account holder a verification code by SMS, which had to be entered in a special form. That message was intercepted by the mobile version of SpyEye and relayed to the malware operators. With SMS interception in place, they could perform any operation on the account, for example empty it completely.
The bottleneck of this rather complex scheme was the need to synchronize the mobile and desktop components of the Trojan bundle, but the malware authors managed to solve this problem. For several months SpyEye caused a stir among users of banking services, until it made its way into the databases of all popular antivirus programs, after which its activity gradually came to naught.
Banking Trojans today
After some time, the IT departments of banks mastered web programming, and bank clients finally migrated from desktops to mobile phones in the form of Android applications. This made life much easier for malware authors: they no longer needed to bother with Trojans on Windows and could focus their efforts entirely on developing mobile banking Trojans. After all, the owner of an Android smartphone with a banking app on board is a walking wallet, which every self-respecting malware author dreams of emptying.
Like other Android malware, banking Trojans were distributed under the guise of ostensibly useful programs, such as "universal video codecs" or Flash players, including through the official Google Play catalog. The Trojan functionality of such applications was, of course, not advertised by the developers, and it appeared either after some time or after the next update was downloaded. In one case, a banking Trojan was distributed as a program that allegedly combined the bank clients of several large credit institutions in one app. Why do you need a bunch of separate apps when you can download one with a Trojan instead? There are also known cases where malware was embedded in the genuine applications of some banks, modified by the intruders. Such applications were distributed from fake bank pages designed exactly like the real ones, and victims were lured to them with phishing emails.
Another distribution vector for mobile banking Trojans is phishing SMS mailings. The typical scenario is as follows. A user registered on one of the free classified-ad sites receives an SMS message with an offer to exchange goods. The recipient is addressed by name, which is meant to lull them into trust: the malware authors had previously parsed the site's user base and pulled out all the useful information. When the potential victim clicks a short link in the message, they are directed to an intermediate page that determines that the visitor came from a mobile device running Android and identifies their mobile operator, after which they are redirected to a fake page with a notice about a received MMS, designed in the style of the corresponding operator. After the button is tapped, the Trojan starts downloading.
The first mobile banking Trojans worked very simply. If the malware needed administrator rights to function, it persistently displayed a window requesting the appropriate permissions until the exhausted user agreed. But sometimes the malware authors resorted to various tricks to deceive a potential victim. For example, Android.BankBot.29 disguised its admin-rights request window as a Google Play message: "Your version is outdated, use the new version?" When the user tried to tap the on-screen "Yes" button, the Trojan's layout disappeared and the tap landed on the Accept button in the DeviceAdmin dialog box, as a result of which the malware received administrative privileges.
Another banking Trojan pestered users with a request to enable the Accessibility Service, the special mode intended for people with disabilities. Having received that permission, it granted itself device administrator rights.
After that, the Trojan simply sits in the phone's memory, waiting for the mobile banking app to launch. When this happens, it determines which application is running and draws the corresponding fake login and password form on top of it; the entered data is immediately sent to the control server over HTTP in JSON format or to a specified phone number by SMS. The configuration of a mobile banking Trojan can contain HTML code for several dozen forms with different designs that copy the application interfaces of the most popular banks. After that, all that remains is to intercept the SMS messages with one-time passwords and send them in the same direction, giving the bot owners full access to the bank account. Incoming messages from banks are usually hidden so as not to arouse the victim's suspicion.
It is difficult to say how much money was stolen from the accounts of Android users in this way, but the sums probably run to six figures. Even when the Trojans were unable to access the bank account for some reason, they successfully stole bank card details. For this purpose, for example, fake windows asking the user to link a bank card to the Google Play app were widely used.
It is not easy to buy something valuable in a reputable online store with stolen card details, but it is quite possible to pay for in-game items or music on some service. Such sites rarely bother with serious verification of payment details, since the transactions there are usually small. This is what the attackers exploit.
Bankbots - a type of banking Trojan
Bankbots are a side branch in the evolution of mobile banking Trojans. Whereas ordinary banking Trojans work more or less autonomously, bankbots can receive various control commands and execute them on an infected device.
Commands can be sent over HTTP (for example in JSON format), via SMS, and in some cases even via a dedicated Telegram channel. On command, most bankbots can enable or disable interception of incoming SMS messages, hide received SMS messages (from certain numbers or containing certain keywords), mute the phone, send messages with specified content to a number chosen by the intruders, or execute USSD commands. The bot operator can also change the address of the control server or the phone number to which information is sent when it is not transmitted over HTTP.
Many bankbots can also download and install APK files on the device from a link the bot owner supplies in the command. As a result, other Trojans with a wider range of functions end up on the infected device. Some bankbots can also display an activity with parameters sent by the attacker on the smartphone screen, which opens up broad opportunities for phishing and for the most sophisticated fraud schemes. Almost all such malware can exfiltrate the address book, SMS correspondence and other confidential data to the command server, and redirect incoming calls to a phone number specified in the command. Individual Trojans also have self-protection functions: they track the names of processes running on the system and, if an antivirus is detected, try to unload it using administrator rights.
Almost all bankbots come with a web admin panel that gives the bot owners detailed statistics on infected devices and the information stolen from them.
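The capabilities described in the two sections above (device-admin and accessibility abuse, overlays over the banking app, SMS interception and forwarding, APK dropping, USSD, address-book theft) all leave traces in an APK's manifest. The following triage script is an added example, not tooling from the article or from any of the malware families it names: it parses a manifest and flags the permission and component combinations that a banker needs. The two manifests embedded in it are constructed for illustration, and the weights and thresholds are an analyst's heuristic, not a published scoring scheme.

```python
"""Static triage of an Android manifest for the capability set that mobile
banking Trojans and bankbots rely on.  Added example; the manifests and the
scoring weights are constructed for illustration, not taken from a sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission groups mapped to the capabilities described in the article.
CAPABILITIES = {
    "sms_interception": ({"android.permission.RECEIVE_SMS",
                          "android.permission.READ_SMS"}, 3),
    "sms_sending": ({"android.permission.SEND_SMS"}, 2),
    "overlay": ({"android.permission.SYSTEM_ALERT_WINDOW"}, 3),
    "apk_dropper": ({"android.permission.REQUEST_INSTALL_PACKAGES"}, 2),
    "ussd_or_calls": ({"android.permission.CALL_PHONE"}, 1),
    "contact_theft": ({"android.permission.READ_CONTACTS"}, 1),
    "running_app_detection": ({"android.permission.GET_TASKS",
                               "android.permission.PACKAGE_USAGE_STATS"}, 2),
}

# Components declared with these bind permissions become a device
# administrator or an accessibility service once the user taps Accept.
PRIVILEGED_BIND = {
    "android.permission.BIND_DEVICE_ADMIN": ("device_admin", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", 3),
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, named findings, a heuristic score and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    findings, score = {}, 0

    for cap, (perms, weight) in CAPABILITIES.items():
        hits = sorted(perms & requested)
        if hits:
            findings[cap] = hits
            score += weight

    for el in root.iter():
        bind = el.get(PERMISSION)
        if el.tag in ("receiver", "service") and bind in PRIVILEGED_BIND:
            cap, weight = PRIVILEGED_BIND[bind]
            if cap not in findings:       # count each capability once
                score += weight
            findings.setdefault(cap, []).append(el.get(NAME))

    # Overlay plus SMS access is the signature combination from the article:
    # a fake login form over the banking app, then one-time-password theft.
    if "overlay" in findings and "sms_interception" in findings:
        findings["overlay_plus_sms"] = ["fake login form + OTP interception"]
        score += 2

    verdict = "banker-like" if score >= 8 else "suspicious" if score >= 4 else "low"
    return {"package": root.get("package"), "findings": findings,
            "score": score, "verdict": verdict}


# Constructed manifest of a "Flash player" that is really a banker.
CONSTRUCTED_BANKER_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".OverlayAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
CONSTRUCTED_BENIGN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for xml in (CONSTRUCTED_BANKER_MANIFEST, CONSTRUCTED_BENIGN_MANIFEST):
        report = triage_manifest(xml)
        print(report["package"], report["verdict"], report["score"])
        for cap, detail in report["findings"].items():
            print("  ", cap, detail)
```

On a real APK, decode the binary manifest first (for example with apktool) and feed the resulting AndroidManifest.xml to triage_manifest. The script deliberately scores combinations rather than single permissions: SMS access alone is normal for a messaging app and an overlay permission alone is normal for a screen-filter app, but both together, next to a device-admin receiver, is exactly the profile the article describes.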
Distribution of banking Trojans
With the spread of Android devices, the production of Trojans for this platform gradually turned into a real underground industry. This fully applies to bankers as well.
Ads began to appear on the darknet offering Android banking Trojans for rent, complete with an admin panel and technical support for the client. Then builders began to circulate, with which anyone without programming skills could assemble a banking Trojan disguised as a chosen application or a specific bank-client app.
As a result, the number of banking Trojans has been growing, if not exponentially then very noticeably, since about 2017, and the chances of an Android smartphone user picking up such an infection have increased significantly. Since most of these programs run with administrator privileges, they are not easy to remove from the device: at best you will have to boot the system in safe mode, at worst reset the device to factory settings with all the ensuing consequences.
Protection against banking Trojans
It is a proven fact that even disabling the installation of applications from third-party sources on your phone does not always protect the user from bankers. There are many cases of such malware being downloaded even from the official Google Play catalog: the technology for vetting the applications hosted there is still imperfect.
In addition, the Android operating system has a significant number of vulnerabilities that malware authors can use for their own, far from noble, purposes. Antivirus programs can protect a device from malware, but whether to install one is a personal matter for each Android user. At least, after the theft, my merchant friend decided not to push his luck any further and installed the following program on his phone: it will not hurt.
(c) https://spy-soft.net/banking-trojans/