BankBot, the Prequel

For us at FortiGuard, it always sounds like a bad idea for people to share malware source code,
even if it is for academic or educational purposes. For example, on GitHub we can currently find more than 300 distinct repositories of ransomware, which gives you some idea about the attention that this form of malware receives.

Although ransomware has the highest profile in the threat landscape at the moment, that does not mean that other threats have disappeared. Android is the most wide spread OS on mobile devices, covering around 80% of the market. So it does not surprise us that mobile malware is also on the rise, even if it isn’t getting the same attention.

Over the last few weeks, one specific banking malware targeted at the Android platform, known as BankBot, has been spreading significantly, even on a controlled and secured platform like Google Play. After some digging, we found out that this malware was developed on top on an existing malware that first surfaced in December 2016, which we call BankBotAlpha.

First appearance

BankBotAlpha was specifically designed for Android. It was first advertised back on December 19, 2016 on a Russian forum as a new initiative to build an Android banker from scratch, more or less like a DIY tutorial.

As the entire code of the Android application, as well as the complete C&C panel in PHP, is currently online and available for anyone to download, it did not take long for multiple variants to appear in the wild. In fact, the same thing happened when the source code of GMBot was leaked last year in February. Just like with Ransomware, there are always repercussions when malware code is shared publicly.

Figure 1: Russian version of the post advertising the new Android banker

Figure 2: English translation of the post advertising the new Android banker

As stated above, this post was shared in mid-December of last year. It was posted by a user named “maza-in,” who seems to have joined that forum in June 2013. He claims to be a skilled coder with more than 10 years of experience in the field.

Figure 3: maza-in profile from the forum

Figure 4: maza-in signature from the C&C panel

In spite of the claim that it was shared as a “tutorial,” and very well received by the community of that forum, we can definitely say that this malware was shared for malicious intent, in part because the antivirus cross-scanning result was also provided, and continues to be updated quite often within the thread.

Figure 5: Antivirus detection at the time BankBotAlpha was released

Variants proliferate quickly

The first version that hit our radars was detected on December 26, 2016. Other variants followed quickly, ultimately hitting Virus Total as of January 5, 2017. Currently, we have detected 141 variants under the internal package name “com.example.livemusay.myapplication”. For the end user, it will appear in different forms, often impersonating well-known application icons or names, as shown in Table 1, below.

Table 1: Some of the BankBotAlpha faces

Analysis

Once unzipped, the application is comprised of two packages: the first is the standard android.support package, while the second, and most interesting, is called “com.example.livemusay.myapplication”. This is where the real malicious code lies.

In this article, we are going to analyze the sample “fded59978a3f6ab2f3909d7c22f31dd001f54f6c1cafd389be9892f41b4a5976”.

Functionalities

We encountered this malware under a number of different aliases, but the most frequent one was “MMS Flash Player 11.” However, the permissions required by the APK are very suspicious for an application with such a name.

Figure 6: Permissions required by BankBotAlpha

Figure 7: Classes of BankBotAlpha

The first time it is run, the application asks the user to grant it device admin privileges.

Figure 8: Request for DevAdmin rights

After this action, the app hides itself from the main menu, and starts acting in the shadows.

The malware sets up a broadcast receiver for SMS in order to handle received messages and extract the information needed from them. Moreover, it is cautious enough to delete SMS from both the “inbox” and “sent” folders.

Figure 9: Parse and Delete sent SMS

Another precaution that the author of the malware took was making sure that the vibration and sound alarm for the phone is set to 0, which stands for RINGER_MODE_SILENT. This option is used both when communicating via SMS and when using calls to communicate using USSD codes.

Figure 10: Set the phone to Silent mode

The malware also has the capability of sending SMS, and uses this feature to communicate information about the corrupted device back to its CC. The malware collects information like IMEI, Bank applications present on the device, OS version, presence of root, etc.

Figure 11: retrieval of the IMEI

All the data collected, both about the device and about the banking apps on it, are sent to the CC. It can be relatively hard to find information about it, as culprits try to hide it (at least from a static point of view), so it is usually necessary to analyze the traffic generated by the application. Fortunately, the author of BankBotAlpha was kind enough to leave the information needed, graciously formatted in the class b.

Figure 12: networking Constants

The CC address is not the only hardcoded constant in the apk. While some other banking malware we have seen prefer to download the list of targeted banking applications from the CC to possibly avoid static analysis, BankBotAlpha hardcodes the list in its StartWhile class. Here is a screenshot, but you can also find the complete list at the end of this article.

Figure 13: Target Banking apps

Practical test

In order to test the malware, we decided to run one of the applications listed as targets. Our choice was the APK with package name “ua.privatbank.ap24”, which is the official application for PrivatBank, the largest commercial bank in Ukraine.

The source code comes out of the box with only two phishing templates.

The first is for PrivatBank (located on the CC at /inj/privatbank.php).

Figure 14: PrivatBank phishing page

The second is Visa QIWI Wallet, an e-wallet based on a Visa Prepaid Account, with over 11 million consumer accounts around the world. It was first established in Russia in April 2008.

Figure 15: VIsa QIWI Wallet (/inj/ru.mw.php) phishing page

Once the app is run, the malware takes control and becomes the main activity in the user’s screen, showing a phishing page like the one above, designed to look like the bank’s original page. The differences are not extremely hard to spot, but someone not being careful could be fooled. Once the user inputs their credentials, they are sent to the CC, where they are saved on a database.

The network capture shown in Figure 16 is related to sample “14a9da2c16c4714ebb5647ec5bd23a1de361b779d80f5e5f5350ea9b128f3c40”, as the CC for the original sample analyzed had been taken down at the time this article was written.

We then attempted to run other applications in the target list, but without much success. As stated previously, only two of them were working in our test cases (“ua.privatbank.ap24” and “ru.mw”). For the other cases, the malware simply records the fact that these banking apps are installed on the device and then sends the bank identifier information via SMS (look in annex, below, for the complete identifier list).

This is in line with the fact that the author shared this malware as some kind of tutorial. It includes two working injections, possibly presented as examples. However, it is just a matter of creating the right phishing pages for the other apps to be injectable (as has been done for the dozens of successive BankBot versions that can now be found in the wild.) The injection claims to work in versions up to Android 6.0 (Marshmallow).

The credentials are leaked using a standard HTTP POST request directly to the CC PHP script, located at /private/add_inj.php

Figure 16: Network Capture of the stolen credentials

The botherder also has an option for a global view of the bots through an online panel, shown below.

Each entry refers to an infected device, and has a status of either online, offline, or kill (most probably for cleaned devices.) The malicious apps send heartbeats every few seconds to update their status, allowing the panel to have a semi real-time and accurate view of the entire botnet.

This view not only provides details of the phones (OS version, model, IMEI), but also the operator (brand, country), as well as some operational information like accessing debug logs, date of infection, privilege access on the device, and stolen bank identifier.

The control panel is not only used to monitor the botnet, but can also be used to run some commands directly on the bots. According to the CC, there are currently four possible actions:

• Request root rights
• Send SMS
• USSD Request
• Request permission to read/send SMS (Android 6.0 or more)

We estimate that there are currently about 1000 infected devices, based on the number of CCs we found, and the average number of bot pages we saw on each CC. Most of these devices are located in Russia, but some are located in the US and China.

BankBot Alpha Vs  BankBot     

From our analysis of both BankBotAlpha and BankBot, it is very clear that the latter is a derivation of the former. The strings found in the samples are identical, the commands issued by the CC to the bot are the same, and even the typos and grammar errors made in the code are consistent. Many samples of BankBot even share part of the package name with BankBotAlpha (com.example.livemusay.*****)
However, BankBot packs more features than the alpha version, with AV detection, a higher number of banking apps controlled, messaging applications monitored,  sometimes even obfuscation.

These added functionalities are relatively easy to implement, and make it much easier to create a threatening banking malware.

Conclusion

The alpha application we analyzed here is not an extremely polished malware. However, it is a functioning and easy-to-improve starting point for people who want to create something actually dangerous. Its descendant, BankBot, has proven itself to be a real threat, and has even been found in the official Google Play Store.

So, be careful out there when you are installing applications on your device, even if they are from trusted application marketplaces, and always check the permissions required.

Fortinet detects this malware as “Android/Bankbot.AA!tr”.

FortiGuard Labs will follow up on this and keep you updated on this android banking malware.

-= FortiGuard Lion Team =-

ANNEX

File listing from the CC HTTP Root

|   .htaccess
|   header.php
|   index.php
|  
+—images
|   |   header.jpg
|   |   icon1.png
|   |   icon3.png
|   |  
|   +—country
|   |       ad.png
|   |       …
|   |       zm.png
|   |      
|   +—icons
|           bank_off.png
|           bank_on.png
|           boton-verde-oscuro-hi.png
|           fe.png
|           inj_off.png
|           inj_on.png
|           kill.png
|           log-512.png
|           log_off.png
|           log_on.png
|           offline.png
|           online.png
|           se.png
|           setting.png
|           se_.png
|           V.png
|           X.png
|          
+—inj
|   |   crypt.php
|   |   privatbank.php
|   |   ru.mw.php
|   |  
|   +—privatebank
|           1.png
|           2.png
|           3.png
|           4.png
|           bg.png
|           index.html
|           main.js
|           style.css
|          
+—js
|       custom.js
|       footable.js
|       footable.min.js
|       jquery-1.10.2.js
|       jquery-1.10.2.min.js
|       jquery-2.1.4.min.js
|       jquery.js
|       jquery.spincrement.js
|      
+—private
|   |   add_inj.php
|   |   add_log.php
|   |   commands.php
|   |   command_go_modul.php
|   |   config.php
|   |   crypt.php
|   |   kliets.php
|   |   set_data.php
|   |   tuk_tuk.php
|   |  
|   +—logs
+—styles
|       btn.css
|       index.css
|       login.css
|       modul_form.css
|       modul_form_log.css
|       modul_form_set.css
|       style.css

BankBotAlpha includes a static, embedded list of applications to target, as you can see in the Table 2, below. Most of them target Russian speakers.

Table 2: Targeted Android banking applications

IOC

CC domain list:

45.77.41.26

104.238.176.73

000001.mcdir.ru

111111111.mcdir.ru

12321a.mcdir.ru

217.23.12.146

22222.mcdir.ru

321123.mcdir.ru

a193698.mcdir.ru

a195501.mcdir.ru

adminko.mcdir.ru

atest.mcdir.ru

cclen25sm.mcdir.ru

probaand.mcdir.ru

firta.myjino.ru

firto.myjino.ru

ranito.myjino.ru

servot.myjino.ru

s.firta.myjino.ru

jekobtrast1t.ru

kinoprofi.hhos.ru

Hash list: