Introduction

A few months ago, the Group-IB Threat Intelligence team detected the activity of a mobile Android trojan – Godfather. We unraveled how a reincarnated Anubis Trojan metastasized to target the users of 400 banks, crypto services, and fintech companies in 16 countries, including the US, France, Spain, Italy, Turkey, Germany, the Netherlands, etc.

Although old malware samples get upgraded and new malware strains appear regularly, they all share similar goals and use similar methods to defraud users, which allows detection without a malware signature. Calling out bad Trojan behavior can help detect fraud attempts more effectively. That’s what we intend to talk about in this blog: which indicators do we use to identify new or modified Trojans and stop fraud attempts?

The purpose of this blog is to make customers and businesses aware of how attackers leverage banking trojans to steal sensitive financial information, and to review the tell-tale signs of having mistakenly downloaded one. We also discuss what steps financial institutions can take to defend their customers assertively and improve security.

What is a banking Trojan?

A banking Trojan is a type of malicious software (malware) specifically designed to steal sensitive financial information from individuals and businesses. It often disguises itself as a legitimate program or file to trick users into downloading and installing it onto their devices.

Once the malware is installed on a user’s computer or mobile device through a drive-by download (usually incentivized with some form of reward or update), it can cause a great deal of damage to the user and the bank, such as enabling unsolicited transactions, data/identity theft, building a command-and-control structure, and more.

Malware can take many forms to fulfill a specific intent. When the intent is fraud, mobile malware aims to obtain extensive rights to manage the device so that it can capture login credentials and other important information (SMS, OTPs, and so on). Its defense evasion and persistence techniques are complex. Therefore, banking institutions today need a robust fraud protection system in place that relies on behavior analysis.

As more than 89% of consumers use banking apps today, not everyone thinks to double-check whether they are installing the app from the right source. In fact, cybercriminals are constantly improving their methods to appear more credible to potential victims, making social engineering attempts hard to recognize.

In the screenshot below, you can see an example of a smishing attack impersonating a legitimate bank. What an unsuspecting user would see is a legitimate bank’s name in the sender field and a phishing link imitating a real banking domain. The phishing link leads a recipient to a fake website hosting a malicious third-party app.

Figure 1. An example of a smishing attack impersonating a legitimate bank

Banking trojans are often embedded in third-party applications that impersonate well-trusted financial sector companies.

The Dangers of Banking Trojans

Banking trojans act as a personal attack vector that wreaks havoc on your customers’ security and finances. Mobile banking trojans, in particular, have increased exponentially with the digital banking boom in recent years. According to the Hi-tech Crime Trends 2022/2023 report, 14 Android banking Trojans were detected as active between H2 2021 and H1 2022, and 6 of them were new.

Figure 2. New Android banking trojans detected between H2 2021 – H1 2022

Mobile devices have become an easier conduit for banking trojans. They hold a lot of personal information – location, work, and financial data. The combined value of all this data makes malware extremely dangerous, especially considering the malware’s tendency to spread to more devices using the victim’s contacts.

Here are several ways in which malware can get on one’s smartphone:

  • Smishing (SMS phishing) and email phishing can be anything from claiming a prize to proving your identity with your SSN.
  • Such messages often spoof legitimate senders’ phone numbers and email addresses.
  • Popups and fake alerts on sketchy websites that require one to run a security check or download the new version of a program.
  • File sharing services – malware can be hidden behind illegal music or movie downloads.
  • Rogue clickbait links distributed over social media.


Figure 3: Example of Smishing

Sandbox Evasion

Malware is constantly re-created to evade detection by anti-malware systems. When it’s discovered by a sandbox, signatures are created to describe the malware and its behavior, and these signatures are then spread throughout the anti-malware world, reducing the number of victims the malware can affect.

To counter this, attackers are constantly improving their methods to detect sandboxes, so the malware doesn’t reveal its malicious behavior while under observation.

One common method malware uses to detect a sandbox is device-based evasion: looking for “red pills”, static values that betray a virtualized environment. Since many sandboxes run on virtual machines, malware often checks virtual-machine-specific system properties such as MAC addresses, serial numbers, device drivers, and system modules. If these properties deviate from what a real device would report, the malware can easily recognize the sandbox and evade detection.

However, advanced sandboxes try to overcome this by presenting realistic values for these properties. This makes it harder for malware to evade detection, but malware can still slip through by analyzing runtime behavior. For example, some code sequences behave differently on a bare-metal machine than in an emulator.

Another category is environment-based evasion. Some sandboxes use bare-metal devices instead of virtual machines or emulators, which eliminates the possibility of detecting emulation, but it does not guarantee that the environment has been prepared to look genuine.

If a sandbox environment appears too immaculate, with little user activity or unrealistic hardware/software values, malware can use this difference to evade detection and even determine the true age of the system.
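To make the “red pill” discussion concrete from the sandbox operator’s side, here is an added example (not Group-IB’s code) that audits the output of `adb shell getprop` and of `adb shell pm list packages -3` for the static values and the “too immaculate” profile described above. The property names are real Android properties; the value patterns, the minimum-apps threshold and both sample outputs are this example’s own constructions.

```python
"""Audit the system properties an Android analysis sandbox exposes for the
static "red pill" values that give an emulator away, plus a realism check
on user activity. Added example; samples are constructed."""
import re
from typing import Dict, List, Tuple

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# (property, regex on its value, explanation). Real property names; the
# patterns are this example's heuristics for stock emulator images.
RED_PILLS: List[Tuple[str, str, str]] = [
    ("ro.kernel.qemu", r"^1$", "QEMU kernel flag is set"),
    ("ro.hardware", r"^(goldfish|ranchu)$", "emulator hardware name"),
    ("ro.product.model", r"sdk|emulator", "SDK/emulator model name"),
    ("ro.build.fingerprint", r"generic", "generic build fingerprint"),
    ("ro.build.tags", r"test-keys", "image signed with test keys"),
]

# Constructed getprop output from an unmodified emulator image.
EMULATOR_SAMPLE = """
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [sdk_gphone_x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
[ro.build.tags]: [test-keys]
[ro.serialno]: [EMULATOR30X1X1X0]
"""

# Constructed getprop output after the operator has overridden the
# giveaway values to resemble a retail handset.
HARDENED_SAMPLE = """
[ro.hardware]: [sunfish]
[ro.product.model]: [Pixel 4a]
[ro.build.fingerprint]: [google/sunfish/sunfish:12/SP1A.210812.015/7679548:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.serialno]: [0A1B2C3D4E5F]
"""


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a dict; lines that do not match are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        match = GETPROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def audit_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per property whose value matches a red-pill pattern."""
    findings: List[str] = []
    for key, pattern, why in RED_PILLS:
        value = props.get(key)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            findings.append(f"{key}={value!r}: {why}")
    return findings


def audit_activity(user_packages: List[str], min_user_apps: int = 5) -> List[str]:
    """An image with almost no third-party apps looks too immaculate; flag it.
    `user_packages` is the line output of `adb shell pm list packages -3`;
    the threshold is an assumption of this example."""
    count = sum(1 for line in user_packages if line.startswith("package:"))
    if count < min_user_apps:
        return [f"only {count} user-installed packages (expected at least {min_user_apps})"]
    return []


if __name__ == "__main__":
    for name, sample in (("emulator", EMULATOR_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit_properties(parse_getprop(sample)))
```

Run it against a live device by piping `adb shell getprop` into `parse_getprop`; every finding is a value that a device-based check of the kind described above would notice, so it should be overridden before samples are detonated.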

Banking trojan detection

Figure 4. The potential disruption caused by malware when successfully run and how it can be detected

There are two countermeasures to a malware campaign.

1. Fraud Intelligence

  • Gathering information about the application and comparing its signing certificate with those of other applications to spot deviations.
  • Matching known trojan signatures to the app on a device.
  • Suspicious Android permissions:
    • PROCESS_OUTGOING_CALLS
    • SEND_SMS
    • WRITE_EXTERNAL_STORAGE
    • READ_EXTERNAL_STORAGE
    • RECEIVE_SMS
Figure 5. Representation of a malware attack in the Group-IB fraud Matrix

2. Bad behavior approach

Detecting an attack by a new or modified Trojan cannot rely on signature-based detection. That’s where ‘Behaviour Analysis’ comes into play.

Below you can find the report created by Group-IB’s Fraud Protection system following analysis of a device infected with the Godfather Trojan.

Figure 6. The image displays session anomalies detected and the alerts triggered

Supposedly, an incident took place on 28.12.2022 during the mobile banking session 642142ff-86ba-11ed-b06e-523a0874b795 (CSID: MDuDf77YOPoT5CfİW31XVjefbJl1Kx582e02), and Group-IB pushed both types of alerts: statistical and behavior-based.

Seeing that a malicious software event was triggered, and knowing that it was triggered by the package “com.windscribe.vpn”, it is highly likely that the malicious software was masquerading as the “Windscribe VPN” application when the affected user downloaded it.

After its installation, the malware had control over the device using these permissions:

  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.CALL_PHONE
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_CONTACTS
  • android.permission.BIND_ACCESSIBILITY_SERVICE [Accessibility services are widely used by malware and trojans in order to take control of a victim’s device.]
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.DISABLE_KEYGUARD
  • oppo.permission.OPPO_COMPONENT_SAFE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • com.huawei.permission.external_app_settings.USE_COMPONENT
  • android.permission.MANAGE_EXTERNAL_STORAGE
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.ACCESS_WIFI_STATE
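The suspicious-permission lists under “Fraud Intelligence” and in the Godfather case above can be turned into a simple manifest triage step. The following is an added example, not Group-IB’s code: it parses an `AndroidManifest.xml`, collects the `uses-permission` entries plus any service protected by `BIND_ACCESSIBILITY_SERVICE` (which is declared on the service, not as a `uses-permission`), and scores them. The weights, the alert threshold and both manifests are this example’s assumptions and constructions.

```python
"""Score the permissions declared in an AndroidManifest.xml against a
watchlist of permissions that banking trojans typically abuse.
Added example; weights, threshold and manifests are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Weight reflects how much control the permission gives over the device or
# over second-factor channels (SMS, calls). The weights are assumptions.
WATCHLIST: Dict[str, int] = {
    ACCESSIBILITY: 5,
    "android.permission.SEND_SMS": 4,
    "android.permission.RECEIVE_SMS": 4,
    "android.permission.PROCESS_OUTGOING_CALLS": 3,
    "android.permission.CALL_PHONE": 3,
    "android.permission.DISABLE_KEYGUARD": 3,
    "android.permission.MANAGE_EXTERNAL_STORAGE": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.QUERY_ALL_PACKAGES": 2,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}
ALERT_THRESHOLD = 8  # assumption: scores at or above this are escalated

# Constructed manifest of a lookalike "VPN" app that asks for SMS, contacts,
# keyguard control and exposes an accessibility service. Not a real app.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="VPN">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest with the permissions a plain network client needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Client"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> List[str]:
    """Return uses-permission names plus BIND_ACCESSIBILITY_SERVICE when a
    service is protected by it (that is how an accessibility service is declared)."""
    root = ET.fromstring(manifest_xml)
    perms = [el.get(NAME) for el in root.iter("uses-permission")]
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == ACCESSIBILITY:
            perms.append(ACCESSIBILITY)
    return [p for p in perms if p]


def score(perms: List[str]) -> Dict[str, object]:
    """Sum watchlist weights over the declared permissions (duplicates count once)."""
    hits = {p: WATCHLIST[p] for p in perms if p in WATCHLIST}
    total = sum(hits.values())
    return {
        "score": total,
        "hits": hits,
        "uses_accessibility": ACCESSIBILITY in hits,
        "alert": total >= ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, score(declared_permissions(manifest)))
```

A real pipeline would feed the decoded manifest from the APK (for example after `apktool d`) into `declared_permissions`; the point of the accessibility branch is that a permission-only grep misses the most dangerous capability on the list above.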

Based on the behavior logged after the accessibility services were accessed, there is a high likelihood that the malicious software was buying and selling currency (converting currency) and then depositing the money into an account.
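As an added example of the behavior-based approach (not Group-IB’s Fraud Protection logic), the following analyzes the events of one mobile banking session and raises the two kinds of alert mentioned above: statistical (UI actions arriving far faster than a human baseline, as happens when an accessibility service drives the app) and behavioral (an untrusted accessibility service active during the session; a currency exchange followed closely by an outgoing transfer). The event schema, the thresholds and both sample sessions are constructed for this example.

```python
"""Behavior-based alerting over the events of a single mobile banking
session. Added example; event schema, thresholds and sessions are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import FrozenSet, List, Tuple


@dataclass
class Event:
    t: float          # seconds since session start
    kind: str         # login | tap | input | accessibility_enabled | fx_exchange | transfer
    detail: str = ""  # package name, currency pair, beneficiary, ...


Alert = Tuple[str, str]   # (alert type, description)

HUMAN_GAP_S = 2.5         # assumed baseline median gap between UI actions
FX_TO_TRANSFER_S = 600    # assumed window linking an exchange to an outgoing transfer


def analyze_session(events: List[Event],
                    trusted_accessibility: FrozenSet[str] = frozenset()) -> List[Alert]:
    alerts: List[Alert] = []
    events = sorted(events, key=lambda e: e.t)

    # Behavioral: an accessibility service outside the trusted list is active.
    for e in events:
        if e.kind == "accessibility_enabled" and e.detail not in trusted_accessibility:
            alerts.append(("behavioral", f"untrusted accessibility service active: {e.detail}"))

    # Statistical: the median gap between UI actions is far below the human baseline.
    stamps = [e.t for e in events if e.kind in ("tap", "input")]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    if len(gaps) >= 5:
        m = median(gaps)
        if m < HUMAN_GAP_S / 5:
            alerts.append(("statistical", f"median action gap {m:.2f}s, baseline {HUMAN_GAP_S}s"))

    # Behavioral: a currency exchange followed by an outgoing transfer within the window.
    fx_times = [e.t for e in events if e.kind == "fx_exchange"]
    for e in events:
        if e.kind == "transfer" and any(0 <= e.t - fx <= FX_TO_TRANSFER_S for fx in fx_times):
            alerts.append(("behavioral", f"transfer {e.detail!r} shortly after currency exchange"))
    return alerts


# Constructed session: a lookalike package enables accessibility, actions fire
# every 100 ms, then an exchange and a transfer follow within seconds.
INFECTED_SESSION = [
    Event(0.0, "login"),
    Event(1.0, "accessibility_enabled", "com.example.lookalike.vpn"),
    Event(2.0, "tap"), Event(2.1, "tap"), Event(2.2, "input"), Event(2.3, "tap"),
    Event(2.4, "tap"), Event(2.5, "tap"), Event(2.6, "tap"),
    Event(3.0, "fx_exchange", "EUR->USD"),
    Event(5.0, "transfer", "new beneficiary"),
]

# Constructed session with human-paced actions and no transfer.
NORMAL_SESSION = [
    Event(0.0, "login"),
    Event(1.0, "tap"), Event(4.0, "tap"), Event(6.0, "input"),
    Event(9.0, "tap"), Event(11.0, "tap"), Event(14.0, "tap"),
    Event(20.0, "fx_exchange", "EUR->USD"),
]

if __name__ == "__main__":
    for alert_type, text in analyze_session(INFECTED_SESSION):
        print(alert_type, text)
```

The velocity rule is the statistical signal: it needs no knowledge of the malware family, only of how fast real users act. The two behavioral rules encode the sequence seen in the Godfather session (accessibility control, exchange, deposit), and the `trusted_accessibility` set is where a bank would list the screen readers and assistive apps its customers legitimately use.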

Figure 7. Activity depicting malicious software exchanging currency

Want a glimpse of Group-IB’s intelligence-powered solution in action? See how Fraud Protection detects another malware family, Mailbot, in the video demo.

Prevent banking trojans with Fraud Protection

The upsides of mobile banking technology for financial service providers are plentiful, but the security risks on the downside can quickly outweigh the perks. Therefore, banks must take several measures to detect and mitigate such threats. The first step in this direction is imparting security knowledge and promoting precautionary behavior among your customers.

Another crucial aspect of detection is the ability to handle obfuscated malware correctly. Fraud Protection leverages Group-IB’s experience in threat intelligence, signature, behavioral, and cross-channel analytics to detect threats invisible to traditional transactional anti-fraud systems.

Through Group-IB’s Fraud Protection, strengthen your network security by proactively detecting and taking down threats.

Leverage Fraud Protection to build malware intelligence and activate end-user protection