- 19% of Android users encountered a mobile threat at least once during the year - nearly one in five users
- 53% of Android attacks used mobile Trojans designed to steal the user's money (SMS Trojans and banking Trojans)
Kaspersky Security Bulletin 2014
Monday, March 9, 2015
Banker backdoor makes your device his b*tch
This Russian backdoor makes your phone its bot by receiving commands from a
command & control (C&C) server or through Google Cloud Messaging (GCM)
push notifications. The malware attempts to obtain your credit card information while
posing as Play Market.
By installing the application you get a "romantic" icon in your
launcher with the fishy name "System".
In cases like this, when the application icon is so tempting to launch and comes
with such a credible name, you should by all means resist the temptation to launch
it, and remove it immediately.
When you can't resist, just like I couldn't, you will receive an
unexpectedly high phone bill :).
After tapping on the "hungry lady" you will be prompted to grant
device admin access to the app.
Request device admin access
Google Play" to get free content.
Of course I was excited, so I tapped on ACTIVATE to get rid of that
annoying window so I could see the rest of the pretty lady.
The application doesn't show any other window, but starts pushing notifications
and hides its launcher icon. That's when it starts running in the
background. The notification doesn't look like it has anything in common with
the previously started application, but poses as a Play Market request.
When you open the notification you are asked to enter your credit card
information because of some authorization error supposedly caused by Google Play.
Billing information window
The credit card information is then sent to a remote server.
The backdoor starts an "update" service that first registers the
device on the C&C server by sending unique information about your device (IMEI,
phone number, country, operator name) and receives a bot identification number (bot_id)
and password (bot_pwd) that it uses to identify itself when communicating with the server.
The bot then contacts the server at intervals of at most 5 seconds, requesting
commands.
There are four different commands:
- set_intercept - intercept received SMS's; can intercept all received messages or just ones filtered by
- set_interval - interval of server communication; the server contact interval can be at most 5 seconds
- send_sms - send SMS
- set_server - change the
It also has a spy activity defined in the manifest, where a broadcast
receiver for incoming SMS is registered. All of your received messages are sent to the
remote server, and some or all of them, depending on the received
command, aren't even shown to you.
Communication by push notifications from Google Cloud Messaging is also
implemented. Push messages can trigger the notification
requesting credit card information (mentioned earlier) or the sending of SMS.
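The manifest-declared capabilities described in the two paragraphs above (a device-admin receiver, an SMS broadcast receiver, a GCM push receiver, and the SMS/phone permissions behind them) are something a defender can triage statically. The following is an added example, not code from the original post or from the malware: a small Python script that scores an AndroidManifest.xml for that combination. The sample manifest and the risk thresholds are constructed for illustration and do not reproduce the real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions and intent actions implied by the behaviour described in the post.
SUSPECT_PERMS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS on command (send_sms)",
    "android.permission.READ_PHONE_STATE": "read IMEI/phone number for C&C registration",
    "com.google.android.c2dm.permission.RECEIVE": "receive GCM push commands",
}
SUSPECT_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS broadcast receiver",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device-admin receiver",
    "com.google.android.c2dm.intent.RECEIVE": "GCM push receiver",
}

def triage_manifest(xml_text: str) -> dict:
    """Return {indicator: reason} for each suspect permission/intent action found."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag, table in (("uses-permission", SUSPECT_PERMS), ("action", SUSPECT_ACTIONS)):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in table:
                found[name] = table[name]
    return found

def risk_level(found: dict) -> str:
    """Constructed heuristic: all three receivers plus SEND_SMS is the post's pattern."""
    if all(a in found for a in SUSPECT_ACTIONS) and "android.permission.SEND_SMS" in found:
        return "high"
    return "medium" if found else "low"

# Constructed manifest fragment for illustration; not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
<application android:label="System">
<receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
<intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
</receiver>
<receiver android:name=".Spy"><intent-filter>
<action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
<receiver android:name=".Gcm"><intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE"/></intent-filter></receiver>
</application></manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE_MANIFEST)
    print("\n".join(f"{k}: {v}" for k, v in hits.items()), "\nrisk:", risk_level(hits))
```

A real APK's manifest is binary XML and must be decoded first (for example with apktool or aapt) before being fed to this check.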