What was once a low-threat, basic spyware trojan has evolved into very powerful banking malware capable of giving hackers near-total control over one's Android device, warned Kaspersky Lab in a news statement and blog post yesterday.
In late 2015, Kaspersky began detecting a sudden surge in infection attempts using this rapidly metamorphosing malware—dubbed Asacub—identifying over 37,000 attacks against online bankers, including 6,500 in Asacub's first week of activity.
But even calling Asacub a banking trojan is understating the scope of the threat. In reality, it has developed into a comprehensive hacking toolset that grants perpetrators remote access to steal data (potentially for theft of funds or blackmail purposes), operate phone functions, redirect calls and install additional malware. For this reason, Kaspersky in its blog post has already called Asacub “one of the most notorious mobile threats in 2016.”
“For us it is the first time we were able to track the evolution of a malware with this level of precision, due to the fact that the author of malware didn't care a lot about the secrecy of his development process and tested a lot of versions in the wild,” Roman Unuchek, senior malware analyst at Kaspersky Lab, told SCMagazine.com.
So far targeting banking customers in the U.S., Russia and Ukraine, the attacks stem from a command-and-control center whose domain is registered to the same person or group that also owns domains associated with a Windows-based spyware program called CoreBot. Unuchek told SCMagazine.com that the attackers are using SMS (text message) spam and phishing to “force a user to install this Trojan. In most cases it looks like an app to view images or MMS.”
Kaspersky reported that when it was initially discovered in June 2015, Asacub appeared to be a run-of-the-mill malware program capable of sending SMS messages, as well as uploading browser histories, contacts and lists of downloaded apps onto a malicious server. In July more functionality was added, including intercepting and deleting SMS messages, uploading SMS histories and, most notably, creating a virtual backdoor that allows hackers to execute commands on a device.
By September 2015, the malware was modified yet again to employ phishing screens that mimic mobile banking apps, with the intention of tricking users into inputting their banking credentials for hackers to steal.
The malware's author has also added functionality that enables hackers to take photos, access a device's GPS coordinates, reroute user-made calls to specified numbers and send USSD messages to communicate in real time with a phone's service provider. Generally, USSD requests enable WAP browsing, prepaid callback services, mobile-money services, location-based content services and more.
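The capabilities listed above (SMS interception and sending, call redirection, dialing for USSD requests, camera, GPS and overlay screens) each map onto Android permissions an app must declare in its manifest. A defender triaging a suspicious "image viewer" or "MMS viewer" install can therefore compare the declared permissions against the app's stated purpose. The following script is an added example written for this article, not code from Kaspersky or from the malware itself: it parses a decoded (text-form) AndroidManifest.xml, groups the requested permissions into the capability classes the article describes, and flags an app whose permission set implies far more than its advertised function. The permission-to-capability mapping, the threshold, and the two sample manifests are constructed assumptions for illustration, and the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android: attribute prefix in every Android manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability groups mirroring the behaviour described in the article, keyed to
# the standard Android permissions such behaviour normally requires.
# (Assumed mapping for triage purposes, not an exhaustive or official list.)
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_redirection": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "ussd_or_dialing": {"android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts_exfil": {"android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>.

    Works on a decoded, text-form manifest (the binary AXML inside an APK
    must be decoded first; this function assumes that has already happened).
    """
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """List (sorted) the capability groups implied by a permission set."""
    return sorted(cap for cap, needed in CAPABILITIES.items() if needed & perms)


def triage(manifest_xml, threshold=3):
    """Flag an app whose permissions imply 'threshold' or more of the
    capability groups above. The threshold is an assumed triage cutoff."""
    perms = requested_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    verdict = "suspicious" if len(caps) >= threshold else "benign-looking"
    return {"permissions": sorted(perms), "capabilities": caps, "verdict": verdict}


# Constructed sample: an app presenting itself as an image viewer but asking
# for SMS, outgoing-call, dialing and overlay permissions.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.imageviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Image Viewer"/>
</manifest>
"""

# Constructed sample: a gallery app that asks only for what its purpose needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Gallery"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("image viewer", SUSPICIOUS_MANIFEST), ("gallery", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "->", result["verdict"], result["capabilities"])
```

The mapping is deliberately coarse: a legitimate messaging app will also hold SMS permissions, so the signal is the mismatch between what the app claims to be and the capability groups its permissions add up to, not any single permission on its own.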
“Some banks call a user to tell them a temporary password for the transaction. So this malware can redirect such calls using USSD requests,” said Unuchek. “Some banks also allow users to use USSD to transfer money from one account to another. Also, they can use USSD to check the balance of the phone account to find out how much money they can steal by Premium SMS.”
Kaspersky also warned that Asacub grants hackers the ability to install even more malicious code, possibly including ransomware.