A newly discovered mobile malware program that primarily targets Russian banking customers can take over victims’ SMS capabilities, allowing cybercriminals to intercept text messages that contain bank security codes, and then use those codes to reset bank account passwords.
Spotted by Trend Micro researchers, the malware, dubbed FakeBank, was observed posing as a series of supposed SMS/MMS management software applications. But ironically, “these advertised SMS management capabilities are turned against the victim. The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems,” explains Trend Micro in a Jan. 10 blog post detailing the threat.
Among FakeBank’s targets are customers of Russian financial institutions Sberbank, Leto Bank, and VTB24 Bank, although a smaller number of samples were also detected in China (17 percent of samples), Ukraine (2%), Romania (1%), Germany (1%), and other nations.
Trend Micro further reports that FakeBank, once running on a mobile device, replaces the default SMS management program with its own and then hides its icon to hamper efforts to interfere with its malicious operations. At this point, the mobile malware can upload and analyze any received SMS messages and delete them locally, including those that banks send with sensitive account information and security codes. The malware can also call an assigned phone number, send an SMS, and steal call logs and contact lists.
Additionally, Trend Micro found that FakeBank steals data including user phone numbers, installed banking apps, balances on linked bank cards, and location information, and transmits that information to a command-and-control server.
To prevent victims from uninstalling the app, FakeBank prevents users from opening device settings. The malware also blocks victims from opening the targeted bank’s legitimate app, thereby stopping users from modifying links between their bank card numbers and phone numbers.
FakeBank also hides its payload behind three layers of obfuscation, and evades detection by exiting a device if it detects anti-virus software.
According to Trend Micro, most of FakeBank’s C&C domains have IP addresses located in Poland’s Warmia-Masuria province and Russia, and most are registered by a company that has previously been connected to other fraudulent domains. A link published within the Trend Micro blog post suggests that this company is Wuxi Yilian LLC.