Android ransomware. TheDigitalArtist/Pixabay

A new version of a mobile banking malware has again been detected in the Android Play Store. It steals the user's banking credentials by drawing a deceptive overlay on top of the genuine banking app.

Avast has joined forces with ESET and SfyLabs to investigate a new version of the malware dubbed BankBot. The trojan has already been discovered in numerous apps in Google Play this year, but according to the research, it has found its way back to the Android store by hiding itself in flashlight apps.

The study notes that Google removed older versions of apps infected with BankBot, but says several more remained active until November 17, “long enough for the apps to infect thousands of users.” Nikolaos Chrysaidos, writing for the Avast blog, lays out how the new version infects the device and steals the user’s banking info.

First appearing in apps like “Tornado FlashLight,” “Lamp For DarkNess” and “Sea FlashLight,” the malware scans the phone once installed. It checks the device for any of the apps included in a “hard coded, pre-computed SHA1 list of 160 mobile apps.” As soon as BankBot identifies at least one of these apps, it attempts to download another app from a webserver.

The infectious service tricks the user into granting it app admin rights. It then waits a further two hours before taking its next step, a delay that Avast believes is intended to evade the cautionary checks performed by Google.

After tricking the user into installing an APK and granting it admin rights, the malware moves on to the next step. According to the blog, “When the user opens one of the aforementioned banking apps, the dropped app is activated and creates an overlay on top of the genuine banking app.” Below is a video showing how quickly the overlay appears as soon as the user opens the local Czech Airbank app.

Of course, as soon as the user enters their banking details, they are sent to the cyber criminals. Even if the owner has turned on two-factor authentication, BankBot can also trigger a function that allows it to steal SMS messages.

The blog post notes that the banking trojan is inactive in Russia, Ukraine and Belarus. “This is most likely to protect the cyber criminals from receiving unwanted attention from law enforcement authorities in these countries,” it reads.

Reports of the new BankBot version come after a series of malware discoveries in Google Play. Last week, Malwarebytes analysed a new variant of Android malware that targets users based on where they live.

Nikolaos Chrysaidos/YouTube