Android malware BrazKing returns as a stealthier banking trojan


The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions.

A new malware sample was analyzed by IBM Trusteer researchers, who found it outside the Play Store, on sites where people end up after receiving smishing (SMS phishing) messages.

These HTTPS sites warn the prospective victim that they are using an outdated Android version and offer an APK that will allegedly update them to the latest version.

Warning message urging users to click
Source: IBM

Only asking for a single permission

If the user approves “downloads from unknown sources,” the malware is dropped on the device and requests access to the ‘Accessibility Service’.

This permission is abused to capture screenshots and keystrokes without requesting any additional permissions that would risk raising suspicions.

More specifically, the accessibility service is used by BrazKing for the following malicious activity:

  • Dissecting the screen programmatically instead of taking screenshots in picture format. Capturing real screenshots is possible, but on a non-rooted device it would require the explicit approval of the user.
  • Keylogger capabilities by reading the views on the screen.
  • RAT capabilities—BrazKing can manipulate the target banking application by tapping buttons or keying text in.
  • Read SMS without the ‘android.permission.READ_SMS’ permission by reading text messages that appear on the screen. This can give actors access to 2FA codes.
  • Read contact lists without ‘android.permission.READ_CONTACTS’ permission by reading the contacts on the “Contacts” screen.
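From a defender's side, the abuse described above leaves one reliable trace: the malicious package must hold an enabled Accessibility Service, and it arrived by sideloading rather than from a store. The following is an added example (not IBM's or the article's code) that triages `adb` output for exactly that combination; the device output and package names are constructed samples.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# a colon-separated list of "package/ServiceClass" component names. TalkBack is
# Google's screen reader; the second entry is a made-up sideloaded "updater".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.AccessService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party packages
# plus the installer that put them there; installer=null means sideloaded).
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:org.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> list:
    """Split the settings value into (package, fully qualified service class) pairs."""
    pairs = []
    for component in raw.strip().split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):  # ".Foo" is shorthand for "<package>.Foo"
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(raw: str) -> dict:
    """Map package name -> installer package from `pm list packages -i` output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M)}


def suspicious_accessibility_services(services_raw: str, packages_raw: str, allowlist: set) -> list:
    """Packages holding the Accessibility Service that are not allowlisted and
    were not installed by any store (unknown or null installer => sideloaded)."""
    installers = parse_installers(packages_raw)
    return [pkg for pkg, _cls in parse_enabled_services(services_raw)
            if pkg not in allowlist and installers.get(pkg, "null") == "null"]


if __name__ == "__main__":
    for pkg in suspicious_accessibility_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES,
                                                 {"com.google.android.marvin.talkback"}):
        print("review accessibility grant for sideloaded package:", pkg)
```

On a real device, feed the two `adb shell` outputs into the same functions; an allowlist of known accessibility apps (screen readers, password managers) keeps the result short.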

Starting with Android 11, Google has categorized the list of installed apps as sensitive information, so any malware that attempts to fetch it is flagged by Play Protect as malicious.

This is a new problem for all banking overlaying trojans that need to determine which bank apps are installed on the infected device to serve matching login screens.

BrazKing no longer uses the ‘getInstalledPackages’ API call as it used to, but instead uses the screen dissection feature to see which apps are installed on the infected device.

When it comes to overlaying, BrazKing now does it without the ‘SYSTEM_ALERT_WINDOW’ permission, so it can’t draw a fake screen on top of the original app as other trojans do.

Instead, it loads the fake screen as a URL from the attacker’s server in a webview window added from within the accessibility service. This covers the app and all its windows but doesn’t force an exit from it.

Overlaying through the Accessibility service
Source: IBM

When detecting the login to an online bank, instead of displaying built-in overlays, the malware will now connect to the command and control server to receive the correct login overlay to display.

This dynamic overlay system makes it easier for the threat actors to steal credentials for a broader range of banks. Serving the overlays from the attacker’s servers also allows them to update the login screens as necessary to coincide with changes on the legitimate banking apps or sites or add support for new banks.

Obfuscation and resistance to deletion

The new version of BrazKing protects internal resources by XORing them with a hardcoded key and then Base64-encoding the result.

Analysts can quickly reverse these steps, but they still help the malware go unnoticed while it sits on the victim’s device.
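To show why the XOR-then-Base64 layering is an obfuscation rather than a protection, here is an added example (not code from the sample or from IBM's report) that applies and reverses the two layers and recovers the key from a guessed plaintext prefix. The key `k3y` and the sample string are constructed for the demonstration; a real sample hardcodes its own.

```python
import base64

# Hypothetical key for illustration; a real sample hardcodes its own.
ASSUMED_KEY = b"k3y"

# Constructed plaintext standing in for one of the protected strings.
SAMPLE_PLAIN = b"https://overlay.example/login"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse, so this both
    applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, key: bytes = ASSUMED_KEY) -> str:
    """The two layers in the order the article describes: XOR, then Base64."""
    return base64.b64encode(xor_with_key(plain, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Reverse the layers: Base64-decode first, then XOR with the same key."""
    return xor_with_key(base64.b64decode(blob), key)


def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """Why the scheme is weak: if an analyst can guess a plaintext prefix at
    least key_len bytes long (e.g. "https://"), XORing it against the decoded
    bytes yields the key directly."""
    xored = base64.b64decode(blob)
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must cover a full key period")
    return xor_with_key(xored[:key_len], known_prefix[:key_len])


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PLAIN)
    print("stored form:", blob)
    print("recovered key:", recover_key(blob, b"https://", len(ASSUMED_KEY)))
    print("decoded:", deobfuscate(blob))
```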

Obfuscation BrazKing strings
Source: IBM

If the user attempts to delete the malware, it quickly taps on the ‘Back’ or ‘Home’ buttons to prevent the action.

The same trick is used when the user tries to open an antivirus app, hoping to scan for and remove the malware with the security tool.

BrazKing’s evolution shows that malware authors quickly adapt to deliver stealthier versions of their tools as Android’s security tightens up.

The ability to snatch 2FA codes and credentials and to capture the screen without hoarding permissions makes the trojan a lot more potent than it used to be, so be very careful with APK downloads outside the Play Store.

According to the IBM report, BrazKing appears to be operated by local threat groups, as it is circulating on Portuguese-speaking websites.
