Android banking malware with a twist in the delivery

Filed Under: Android, Featured, Google, Malware

Thanks to Anna Szalay of SophosLabs for the technical background to
(and, indeed, the idea for) this article.

In baseball (or so I am told), it's a curveball or a knuckleball.

In cricket, an altogether more slippery and treacherous game, it's a googly or a doosra.

You're expecting the ball to come at you in a predictable direction.

But a hidden twist in the action brings the onslaught from another angle altogether.

Here's an intriguing tale of an Android malware curveball spotted recently in SophosLabs.

The crooks want to infect you with malware that knows how to intercept incoming SMSes and redirect their content elsewhere.

You can see where this is going: mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.

But until the crooks can get their malicious Android package (APK file) into the Play Store, you're not going to be able to install it unless you have changed the default security settings to allow apps from outside Google's official marketplace:

There may be another way in, however, even if you haven't enabled so-called "off-market" apps.

Many, or at least some, of you may have enabled Developer Options on your device:

Once you have enabled Developer Options, you can turn on Android debugging and get (very handy) low-level acccess to your device via USB, using what is known as ADB, or the Android Debug Bridge:

You'll notice the warning about allowing you to "install apps on your device without notification," and that's the backdoor that the creators of the Troj/DwnlAPK-A malware are looking for.

Even if you have the front door locked to keep unapproved apps out, the USB debugging backdoor will allow any app in.

Here's what Troj/DwnlAPK-A does if it manages to infect your computer.

Installs a bogus "Service for adobe client product" under the name "Object Update Monitor":

Downloads a configuration file iconfig.txt listing the next files to fetch.

Fetches the files from iconfig.txt.

Runs ok.bat to install the downloaded Android malware.

The files SAMSUNG.EXE and LG.EXE appear to be regular, clean files that enable full USB-to-phone connectivity on Samsung and LG devices respectively.

→ We haven't checked whether this means the malware will fail if you have a phone or tablet from another vendor. If so, that's handy for you, but still amounts to security through obscurity - the crooks could just package different installers in their next version of the malware, or even in the next version of iconfig.txt. On a Mac, for what it's worth, USB hookup is the other way around: regular USB connectivity for Android requires special Android File Transfer software (not needed on a Windows PC), while the Android Debug Bridge "just works" without additional drivers.

Similarly, the adb*.* files and aapt.exe come from the Android software development kit (SDK), so the malware depends only on your device having debugging enabled, not on the SDK being installed on your computer.

The file AV-cdk.apk, of course, is the Android malware package, detected by Sophos as Andr/FakeKRB-H.

The side-effect of ok.bat is the same as running the following command at a command prompt:

C:\Users\Yourname> adb install AV-cdk.apk

The name AV-cdk may sound as though it's pretending to be an anti-virus package, but once installed, the app hides in plain sight with a Google Play Store icon,

However, it gives itself the rather Appleish name of "Google App Store":

The real Play Store app simply calls itself "Play Store":

With functionality to intercept your SMSes, amongst other malicious functionality, the Andr/FakeKRB-G malware is not something you want on your device.

What to do if you are an ADB user

As you can see, this malware depends on you having a weakly-protected Windows computer, and a developer-enabled Android device.

There's not much excuse for the former, but there are many good reasons, even for non-developers, for using the Android Debug Bridge.

So, if you have enabled, or intend to enable, ADB-based debugging, here are some precautions to take:

• Turn off the Android debugging option when you don't need it.

• Turn on the USB debugging notify option at all times:

• Avoid the Always allow from this computer option if you can, so you always get connection warnings:

• If you do enable Always allow, use the Revoke authorizations option when you are done with ADB:

• If you do enable Developer Options, turn them off when you no longer need them:

• Use the Security Advisor in Sophos Free Antivirus and Security for Android to watch out for risky system settings:

Where are those Developer Options, anyway?

We know what you're dying to ask now, namely, "How do I activate these Developer Options in the first place?"

Here's as much of a hint as we'll give you.

Go to About Tablet | Build number and...knock several times to enter.

, , , , , ,

You might like

8 Responses to Android banking malware with a twist in the delivery

  1. "With functionality to intercept your SMEes, amongst other malicious functionality" > SMSes, right?

  2. Anonymous · 81 days ago

    Very informative and useful. I'll make sure I turn off the debugging option when I dont need it. Thank you, Mr. Ducklin! :)

  3. John Lackey? Nice :)

    • Paul Ducklin · 80 days ago

      Tim Wakefield, I am told. (The image comes from the Wikipedia article on knuckleballs, linked to above.)

  4. Victor L-S · 80 days ago

    I'm running Android 4.4.2 as a development platform. Under developer options I have a setting "Verify apps over USB". Is this unique to this version as I don't see it mentioned here. In addition I have SOPHOS installed.

    • Paul Ducklin · 79 days ago

      I didn't mention it - perhaps I should have - because I thought it more important to focus on how to have ADB enabled but to *prevent* apps being copied to the device without you being aware.

      The "Verify over USB" option, if your Android version has it, and Sophos Anti-Virus, will check out apps installed over ADB before they first run. So if this malware were to try to infect a Sophos-protected phone, it would indeed be blocked, whether you installed it from a third-party app market or via USB.

  5. ChiJoan · 79 days ago

    Is this the same way we can load in a Linux OS on our Android devices via USB or flash RAM, if we desire? Also, is it safer to use a Linux installed OS with our Android devices? After all there is less malware for the Linux OS, right?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog