By Jason Gu (Mobile Threat Response Engineer)
In January of 2016, we found various “SmsSecurity” mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user’s device.
Since then, we’ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA.
Anti-Tampering via Device Flags
The new variants we’ve seen were designed not to run on emulators, which makes analysis of these samples more difficult. How does it do this? It checks the Build.prop file, which contains the build properties of the version of Android installed on the device. These variants check values in Build.prop such as PRODUCT, BRAND, and DEVICE to determine whether they are running on an actual physical device or on an emulator.
Figure 1. Code testing for emulators
One can see how the above code tests for “generic” devices that are likely to be emulators. If it is running in one, it will not execute any malicious code to avoid dynamic analysis tools.
Figure 2. Code preventing execution on emulators
Enabling accessibility services/device administrator controls
After running, it will ask the user to activate accessibility services for the malicious app. This allows it to simulate user actions, such as taps on the screen.
Figure 3. Turning on accessibility services for SmsSecurity
The malicious app will try to download and run a third-party rooting tool:
Figure 4. Code downloading rooting tool
The accessibility service will monitor the activity named com.shuame.rootgenius.ui.homepage.HomepageActivity, which is the main activity of the rooting tool. If it finds this activity, the accessibility service will find and click a button in the activity that starts the rooting process.
After getting root access, the malicious app will try to modify the oom_adj value setting of its process file to prevent the system from killing it because of low memory.
Figures 5 and 6. Code modifying value of oom_adj
The accessibility service will try to activate the malicious app as a device administrator without informing the user. It does this by attempting to click the “Activate” button on the device administrator screen of the Settings app.
Figure 7. Code trying to obtain administrator access
At this stage the new SmsSecurity variants will install a TeamViewer QuickSupport app onto the device. This is a remote access tool that is supposed to be used by technical support teams to assist users on their mobile devices. In this case, it is instead used by an attacker to take over the user’s device.
Figure 8. Code for installing TeamViewer QuickSupport
To connect to the affected device, the attacker needs to read the TeamViewer ID which is displayed to the user on the device. The accessibility service reads this ID, which allows the attacker to control the device remotely. This is stored together with the other preferences in a shared file, like the older versions of SmsSecurity.
Figure 9. TeamViewer ID being displayed
Figure 10. Stored TeamViewer ID
This sample checks for the “Activate” button in multiple languages, including English, German, French, and Italian. This highlights how the current versions can locate the Activate button on devices whose OS is set to different languages.
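As an added example (not code from this post or from the malware), the following Python triage heuristic scans the manifest and strings of a decoded APK for the combination of capabilities described above: accessibility service, device administrator, SMS interception, the “generic” build-property check, the rooting tool’s package name, oom_adj tampering, TeamViewer QuickSupport and localised “Activate” labels. The TeamViewer package prefix and the German, French and Italian words for “Activate” are assumptions, and the sample input is constructed.

```python
import re
from typing import Dict, List

# Each entry maps a capability to a regex run over text extracted from a
# decoded APK (AndroidManifest.xml plus strings pulled from the dex/smali).
INDICATORS: Dict[str, str] = {
    "accessibility_service": r"BIND_ACCESSIBILITY_SERVICE",
    "device_admin": r"BIND_DEVICE_ADMIN|DevicePolicyManager",
    "sms_interception": r"RECEIVE_SMS|android\.provider\.Telephony\.SMS_RECEIVED",
    # Build.PRODUCT/BRAND/DEVICE compared against "generic" on the same line
    "emulator_check": r"Build\.(PRODUCT|BRAND|DEVICE)[^\n]{0,80}generic",
    "rooting_tool": r"com\.shuame\.rootgenius",
    "oom_adj_tamper": r'/proc/[^\s"]*oom_adj',
    "teamviewer_qs": r"com\.teamviewer\.quicksupport",  # assumed package prefix
    "multilang_activate": r"\b(Activate|Aktivieren|Activer|Attiva)\b",  # assumed localisations
}

# Capabilities that, together with an accessibility service, point to the
# automated take-over chain rather than a benign accessibility app.
CHAIN = {"device_admin", "rooting_tool", "teamviewer_qs", "oom_adj_tamper"}


def scan(text: str) -> List[str]:
    """Return the sorted capability names whose pattern matches the text."""
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, text))


def verdict(hits: List[str]) -> str:
    """Rate the hit set: accessibility plus two chain steps is high confidence."""
    hitset = set(hits)
    if "accessibility_service" in hitset and len(hitset & CHAIN) >= 2:
        return "high: accessibility-driven take-over chain"
    if "sms_interception" in hitset and len(hitset) >= 3:
        return "medium: SMS theft with anti-analysis or persistence"
    return "low"


# Constructed sample (not a real extraction): a manifest fragment plus a few
# strings a decoded FAKEBANK-style sample would expose.
SAMPLE = """
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
<receiver android:permission="android.permission.BIND_DEVICE_ADMIN"/>
const-string v0, "com.shuame.rootgenius.ui.homepage.HomepageActivity"
const-string v1, "/proc/%d/oom_adj"
Build.PRODUCT ... Build.BRAND ... Build.DEVICE ... "generic"
const-string v2, "Aktivieren"
"""

if __name__ == "__main__":
    found = scan(SAMPLE)
    print(found, "->", verdict(found))
```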
Targets and Conclusion
A wide variety of banks in Austria, Germany, Hungary, Romania, and Switzerland have been targeted by this attack. (Many of the Swiss banks targeted in this attack are cantonal banks.) The following banks were targeted by these attacks:
- Aargauische Kantonalbank
- Bank Austria
- Banque Cantonale de Fribourg
- BKB Bank
- Credit Suisse
- Glarner Kantonalbank
- Luzerner Kantonalbank
- Ober Bank
- Obwaldner Kantonalbank
- Raiffeisen Bank
- Schaffhauser Kantonalbank
- Zürcher Kantonalbank
The relatively wide geographical distribution of these targets would explain the multilingual nature of its routines, as the targeted customers may be fluent in various languages.
These new SmsSecurity variants represent an evolution in the capabilities of SmsSecurity. The use of Android’s accessibility features to implement malicious routines is a novel way to carry out automated activity that may well be imitated by other mobile malware families in the future. Security apps like Trend Micro Mobile Security protect against these threats by detecting these malicious apps.
Indicators of Compromise (IoCs)
The following command-and-control (C&C) servers were used by these variants:
The malicious apps are detected as ANDROIDOS_FAKEBANK.OPSA, and have the following SHA1 hashes: