While investigating the botnet-forming Android banking malware that they found on Google Play, ESET researchers discovered that both the Android Trojans and the C&C server were built using source code that was made public in December 2016.
Android users were exposed to malware disguised as weather forecasting apps, capable of stealing banking credentials and locking the screens of infected devices. Two versions of the botnet-forming Trojan made it onto Google Play. Each had a lifetime of several days, and together they achieved thousands of downloads before being detected by ESET and taken down by the Google security team in mid-February.
A thorough investigation by ESET analysts revealed that these banking Trojans are modified versions of source code made available online. Allegedly written from scratch, the “template” code of the binary, along with the code of the command and control server, which includes a web control panel, has been available on Russian forums since late December 2016.
“On top of the source code being available to virtually anyone, the C&C server itself has also been left accessible to whoever has the URL, without requiring any credentials,” says ESET malware researcher Lukáš Štefanko.
Analysis of the C&C server, which has been active since February 2, 2017, has revealed a list of victims. By February 23, when the C&C server was taken down by the hosting company based on ESET’s notice, the botnet contained 2,810 victims from 48 countries.
The fact that the source code of another example of Android banking malware has been made available online may lead to its proliferation, according to ESET security experts. “With tools for creating Android banking malware now accessible more easily and for free, Android users should take even more care about prevention,” recommends Lukáš Štefanko.
Detailed analysis of this malware along with advice on prevention and cleaning can be found on ESET’s blog, WeLiveSecurity.com.
Anyone interested in mobile security is also welcome to stop by ESET’s stand at this year’s Mobile World Congress.