The Trojan family dubbed SlemBunk that is targeting Android-based worldwide banking app users has been observed masquerading as the legitimate apps of financial institutions in North America, Europe and Asia Pacific, according to a FireEye blog post.
Because the Trojan family has not yet been observed on Google Play, victims become infected when the malware is sideloaded or downloaded from malicious websites. Researchers at FireEye have spotted later iterations of SlemBunk being distributed through porn sites when potential victims are asked to download an update to Adobe Flash.
SlemBunk pushes a fake login interface when the app is running in the foreground in an effort to phish for authentication credentials, which is the malware's main objective.
The post said the apps “stay incognito after running for the first time,” where it monitors active running processes. SlemBunk can detect when certain legitimate apps are launched and then displays “corresponding fake login interfaces.” From there it hijacks credentials then transmits them as well as device information to a remote C&C server. It uses administrator privilege to persist on the device.
At the time the FireEye researchers penned the blog, a “set of the control servers gathering gleaned credentials was still live and active,” according to email correspondence sent to SCMagazine.com.
“The rise and evolution
of the SlemBunk trojan clearly indicate that mobile malware has become more sophisticated and targeted, and involved more organized efforts,” the blog post said. “We have already seen crackdowns on malware campaigns targeting mobile banking users, but we do not expect this type of activity to go away anytime soon."