{"id":20156,"date":"2022-09-21T09:01:06","date_gmt":"2022-09-21T17:01:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/09\/21\/news-13889\/"},"modified":"2022-09-21T09:01:06","modified_gmt":"2022-09-21T17:01:06","slug":"news-13889","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/09\/21\/news-13889\/","title":{"rendered":"Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 21 Sep 2022 17:00:00 +0000<\/strong><\/p>\n<p>Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan (RAT) capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out messages containing a link that points to the info-stealing Android malware. The malware\u2019s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions. The malware\u2019s ability to steal all SMS messages is also concerning since the data stolen can be used to further steal users\u2019 sensitive info like 2FA messages for email accounts and other personally identifiable information (PII).<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"557\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig1b-Typical-SMS-campaign-attack-flow-1024x557.png\" alt=\"This diagram illustrates the typical infection chain of this Android malware. 
The infection starts from an SMS message that contains a malicious link that leads to the malicious APK.\" class=\"wp-image-122383\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig1b-Typical-SMS-campaign-attack-flow-1024x557.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig1b-Typical-SMS-campaign-attack-flow-300x163.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig1b-Typical-SMS-campaign-attack-flow-768x418.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig1b-Typical-SMS-campaign-attack-flow.png 1382w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 1. Typical SMS campaign attack flow<\/em><\/figcaption><\/figure>\n<p>Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS\/Banker.O, used a different bank name and logo compared to a similar malware <a href=\"https:\/\/blog.cyble.com\/2021\/12\/27\/spyware-targeting-customers-of-top-indian-banks\/\">reported in 2021<\/a>. Moreover, we found that this fake app\u2019s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank\u2019s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.<\/p>\n<p>This blog details our analysis of the recent version\u2019s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank\u2019s support or advice on digital options for your bank. 
Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.<\/p>\n<h2>Observed activity<\/h2>\n<h3>What the user sees<\/h3>\n<p>We have seen other campaigns targeting Indian banks\u2019 customers based on the following app names:<\/p>\n<ul>\n<li>Axisbank_rewards.apk<\/li>\n<li>Icici_points.apk<\/li>\n<li>Icici_rewards.apk<\/li>\n<li>SBI_rewards.apk<\/li>\n<\/ul>\n<p>Our investigation focused on <em>icici_rewards.apk <\/em>(package name:<em> com.example.test_app<\/em>), which presents itself as ICICI Rewards. The SMS campaign sends out messages containing a malicious link that leads to installing a malicious APK on a target\u2019s mobile device. To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig2-Text-message-with-malicious-link.jpg\" alt=\"Screenshot of the SMS message received. The message contains a link and mentions the name of a legitimate India-based bank.\" class=\"wp-image-122278\" width=\"446\" height=\"400\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig2-Text-message-with-malicious-link.jpg 891w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig2-Text-message-with-malicious-link-300x269.jpg 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig2-Text-message-with-malicious-link-768x689.jpg 768w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><figcaption><em>Figure 2. 
The text message with a malicious link sent to users<\/em><\/figcaption><\/figure>\n<p>Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"842\" height=\"737\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig3and4-Apll-installed-app-permissions.png\" alt=\"Screenshots of the fake app installed on the mobile device and where it states the Android permissions it needs to be enabled. The app uses an India-based bank's logo to appear legitimate.\" class=\"wp-image-122335\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig3and4-Apll-installed-app-permissions.png 842w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig3and4-Apll-installed-app-permissions-300x263.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig3and4-Apll-installed-app-permissions-768x672.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><figcaption><em>Figures 3 and 4. App installed on the Android device. The app asks users to enable permissions on text messaging and contacts, to name a few<\/em><\/figcaption><\/figure>\n<p>The fake app asks for credit card information upon being granted all permissions. 
This should raise users\u2019 suspicions about the app\u2019s motive, as apps typically ask for sensitive information only through user-driven transactions like paying for purchases.<\/p>\n<p>Once users supply the requested information, the app displays another fake screen with further instructions to add to its legitimacy.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"842\" height=\"737\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig5and6-Fake-page-resulting-message.png\" alt=\"Screenshots of the fake app asking for the user's credit card information and message after user information has been supplied. The message adds to the fake app's supposed legitimacy.\" class=\"wp-image-122338\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig5and6-Fake-page-resulting-message.png 842w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig5and6-Fake-page-resulting-message-300x263.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig5and6-Fake-page-resulting-message-768x672.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><figcaption><em>Figures 5 and 6. A fake page where the app asks users to provide information, and the resulting message once data is added<\/em><\/figcaption><\/figure>\n<h3>What happens in the background<\/h3>\n<p>Analyzing the <em>AndroidManifest<\/em> XML file further identifies the malware\u2019s entry points along with the permissions it requests. The manifest also defines services that can run in the background without user interaction. 
The app uses the following permissions:<\/p>\n<ul>\n<li><em>READ_PHONE_STATE<\/em><\/li>\n<li><em>ACCESS_NETWORK_STATE<\/em><\/li>\n<li><em>READ_SMS<\/em><\/li>\n<li><em>RECEIVE_SMS<\/em><\/li>\n<li><em>READ_CALL_LOG<\/em><\/li>\n<li><em>FOREGROUND_SERVICE<\/em><\/li>\n<li><em>MODIFY_AUDIO_SETTINGS<\/em><\/li>\n<li><em>READ_CONTACTS<\/em><\/li>\n<li><em>RECEIVE_BOOT_COMPLETED<\/em><\/li>\n<li><em>WAKE_LOCK<\/em><\/li>\n<\/ul>\n<p>The malware uses the MainActivity, AutoStartService, and RestartBroadCastReceiver Android components to carry out most of its routines. These three components interact to ensure all the malware\u2019s routines are up and running and allow the app to remain persistent on the mobile device.<\/p>\n<h4>MainActivity<\/h4>\n<p><em>MainActivity<\/em>, also called the launcher activity, is defined under <em>com.example.test_app.MainActivity<\/em>. It is launched first after installation to display the fake app\u2019s ICICI splash screen. This launcher activity then calls the <em>OnCreate()<\/em> method to check the device\u2019s internet connectivity and record the timestamp of the malware\u2019s installation, and <em>Permission_Activity<\/em> to launch permission requests. 
Once the permissions are granted<em>,<\/em> <em>Permission_Activity<\/em> further calls <em>AutoStartService <\/em>and <em>login_kotak<\/em>.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"799\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig7-Actions-MainActivity-1024x799.png\" alt=\"Screenshot of the malware's code showing the actions covered under the MainActivity function.\" class=\"wp-image-122293\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig7-Actions-MainActivity-1024x799.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig7-Actions-MainActivity-300x234.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig7-Actions-MainActivity-768x599.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig7-Actions-MainActivity.png 1381w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 7. Actions under MainActivity <\/em><\/figcaption><\/figure>\n<p>The class <em>login_kotak<\/em> is responsible for stealing the user\u2019s card information. 
It shows the fake credit card input page (Figure 5) and temporarily stores the information on the device while waiting for commands from the attacker.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"985\" height=\"763\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig8-login-kotak-class.png\" alt=\"Screenshot of the malware's code used to steal all information.\" class=\"wp-image-122296\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig8-login-kotak-class.png 985w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig8-login-kotak-class-300x232.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig8-login-kotak-class-768x595.png 768w\" sizes=\"auto, (max-width: 985px) 100vw, 985px\" \/><figcaption><em>Figure 8. login_kotak class steals card information and other personally identifiable information (PII)<\/em><\/figcaption><\/figure>\n<h4>AutoStartService<\/h4>\n<p><em>AutoStartService<\/em>, the main handler of the malware, acts on the commands it receives. The handler provides the malware with the following capabilities:<\/p>\n<h4>Enforcing its RAT commands<\/h4>\n<p>This malware\u2019s new version adds several RAT capabilities that expand its information stealing: call log uploading, SMS message and call interception, and card blocking checks.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1017\" height=\"1024\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-1017x1024.png\" alt=\"Screenshots of codes comparing the malware samples as reported in 2021 and 2022. 
The 2022 sample has added commands compared to the 2021 sample.\" class=\"wp-image-122299\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-1017x1024.png 1017w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-298x300.png 298w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-150x150.png 150w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-768x773.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022-100x100.png 100w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig9-code-comnparison-2021-2022.png 1430w\" sizes=\"auto, (max-width: 1017px) 100vw, 1017px\" \/><figcaption><em>Figure 9. Code comparison of 2021 (left) and 2022 (right) samples<\/em><\/figcaption><\/figure>\n<p>These commands are described below.<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td>Command Name<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr>\n<td>all_sms_received<\/td>\n<td>Flags to enable\/disable SMS upload<\/td>\n<\/tr>\n<tr>\n<td>all_call_received<\/td>\n<td>Flags to enable\/disable call log upload<\/td>\n<\/tr>\n<tr>\n<td>silent<\/td>\n<td>Put the mobile device on silent<\/td>\n<\/tr>\n<tr>\n<td>block<\/td>\n<td>Checks if the user\u2019s card is blocked<\/td>\n<\/tr>\n<tr>\n<td>sms_filter<\/td>\n<td>Filters SMS based on strings (defaults to \u201cICICI\u201d)<\/td>\n<\/tr>\n<tr>\n<td>online<\/td>\n<td>Checks if the user has an active internet connection<\/td>\n<\/tr>\n<tr>\n<td>force_online<\/td>\n<td>Uploads received SMS messages to the C2 server<\/td>\n<\/tr>\n<tr>\n<td>is_online<\/td>\n<td>Checks if the device is connected to the C2 server<\/td>\n<\/tr>\n<tr>\n<td>force_calls<\/td>\n<td>Uploads call logs to the C2 
server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The <em>silent<\/em> command, which the malware uses to keep the remote attacker\u2019s SMS sending activities undetected, stands out from the list of commands. Many banking apps require two-factor authentication (2FA) codes, often sent through SMS messages. By enabling silent mode on an infected device, the malware lets attackers catch those 2FA messages undetected, further facilitating information theft.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"515\" height=\"387\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig10-silent-mode.png\" alt=\"Screenshot of the code where the malware turns on the mobile device's silent mode.\" class=\"wp-image-122302\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig10-silent-mode.png 515w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig10-silent-mode-300x225.png 300w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\" \/><figcaption><em>Figure 10. This code is responsible for turning the mobile device\u2019s silent mode on<\/em><\/figcaption><\/figure>\n<h4>Encryption and decryption of SMS messages<\/h4>\n<p>In addition to encrypting all data it sends to the attacker, the malware expects the SMS commands it receives from the attacker to be encrypted as well. The malware decrypts the commands through its decryption and decoding modules. 
The malware uses a combination of Base64 encoding\/decoding and AES encryption\/decryption methods.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"622\" height=\"282\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig11-Encoding-decoding-modules.png\" alt=\"This screenshot shows the AES and Base64 encryption and decryption modules within the malware's code.\" class=\"wp-image-122305\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig11-Encoding-decoding-modules.png 622w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig11-Encoding-decoding-modules-300x136.png 300w\" sizes=\"auto, (max-width: 622px) 100vw, 622px\" \/><figcaption><em>Figure 11. The malware\u2019s encoding and decoding modules, as seen in its code<\/em><\/figcaption><\/figure>\n<h4>Stealing SMS messages<\/h4>\n<p>The malware steals all SMS messages from the mobile device\u2019s inbox. It collects all received, sent, read, and even unread messages. 
Collecting all SMS messages might allow attackers to use the data to expand their stealing range, especially if any messages contain other sensitive information such as SMS-based 2FA for email accounts, one\u2019s personal identification like the Aadhar card commonly used in India, or other financial-related information.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"680\" height=\"245\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig12-Code-for-stealing.png\" alt=\"Screenshot of the malware's code used to steal all SMS messages.\" class=\"wp-image-122308\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig12-Code-for-stealing.png 680w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig12-Code-for-stealing-300x108.png 300w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><figcaption><em>Figure 12. Code used to steal all SMS messages<\/em><\/figcaption><\/figure>\n<h4>Uploading all call logs<\/h4>\n<p>The malware also uploads call logs stored on the mobile device. 
This data may be used for the attacker\u2019s surveillance purposes.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"608\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs-1024x608.png\" alt=\"Screenshot of the malware's code that steals all call logs.\" class=\"wp-image-122311\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs-1024x608.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs-300x178.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs-768x456.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs-440x260.png 440w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig13-code-stealing-call-logs.png 1463w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 13. 
The malware code for stealing call logs<\/em><\/figcaption><\/figure>\n<h4>Communicating with its C2<\/h4>\n<p>This malware uses the open-source library <a href=\"https:\/\/socket.io\/\">socket.io<\/a> to communicate with its C2 server.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"561\" height=\"194\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig14-C2-server-connection.png\" alt=\"Screenshot of the code showing the malware's C2 server connection.\" class=\"wp-image-122314\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig14-C2-server-connection.png 561w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig14-C2-server-connection-300x104.png 300w\" sizes=\"auto, (max-width: 561px) 100vw, 561px\" \/><figcaption><em>Figure 14. Code showing the malware\u2019s C2 server connection<\/em><\/figcaption><\/figure>\n<h3>RestartBroadCastReceiver<\/h3>\n<p>The malware also uses the Android component <em>RestartBroadcastReceiver<\/em>, which acts on the type of event received by the mobile device. This receiver launches a job scheduler named <em>JobService<\/em>, which eventually calls <em>AutoStartService<\/em> in the background. 
The receiver reacts when the device is restarted, when it is connected to or disconnected from a charger, when its battery status changes, and when its Wi-Fi state changes. <em>RestartBroadcastReceiver<\/em> ensures that the main command handler <em>AutoStartService<\/em> is always up and running.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"515\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig15-Receiver-AutoStartService-1024x515.png\" alt=\"Screenshot of the malware's action using the AutoStartService functions.\" class=\"wp-image-122317\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig15-Receiver-AutoStartService-1024x515.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig15-Receiver-AutoStartService-300x151.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig15-Receiver-AutoStartService-768x386.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/09\/Fig15-Receiver-AutoStartService.png 1437w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 15. How the Receiver starts AutoStartService<\/em><\/figcaption><\/figure>\n<h2>Mitigating the fake app\u2019s unwanted extras<\/h2>\n<p>This malware\u2019s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to use the stolen data to further steal from a user\u2019s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks\u2019 two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. 
Its use of various banking and financial organizations\u2019 logos could also attract more targets in the future.<\/p>\n<p>App installation on Android is relatively easy due to the operating system\u2019s open nature. However, this openness is often abused by attackers for their gain. Apart from exercising utmost care when clicking on links in messages and installing apps, we recommend that users follow these steps to protect their devices from fake apps and malware:<\/p>\n<ul>\n<li>Download and install applications only from official app stores.<\/li>\n<li>Android device users can keep the <em>Unknown sources<\/em> option disabled to stop app installation from unknown sources.<\/li>\n<li>Use mobile solutions such as <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-endpoint-android\">Microsoft Defender for Endpoint on Android<\/a> to detect malicious applications.<\/li>\n<\/ul>\n<h2>Appendix<\/h2>\n<h3>Indicators of Compromise<\/h3>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong><strong><\/strong><\/td>\n<td><strong>Type<\/strong><strong><\/strong><\/td>\n<td><strong>Description<\/strong><strong><\/strong><\/td>\n<\/tr>\n<tr>\n<td>734048bfa55f48a05326dc01295617d932954c02527b8cb0c446234e1a2ac0f7<\/td>\n<td>SHA-256<\/td>\n<td>icici_rewards.apk<\/td>\n<\/tr>\n<tr>\n<td>da4e28acdadfa2924ae0001d9cfbec8c8cc8fd2480236b0da6e9bc7509c921bd &nbsp;<\/td>\n<td>SHA-256<\/td>\n<td>icici_rewards.apk<\/td>\n<\/tr>\n<tr>\n<td>65d5dea69a514bfc17cba435eccfc3028ff64923fbc825ff8411ed69b9137070 &nbsp;<\/td>\n<td>SHA-256<\/td>\n<td>icici_rewards.apk<\/td>\n<\/tr>\n<tr>\n<td>3efd7a760a17366693a987548e799b29a3a4bdd42bfc8aa0ff45ac560a67e963 &nbsp;<\/td>\n<td>SHA-256<\/td>\n<td>icici_rewards.apk<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/server4554ic[.]herokuapp[.]com\/<\/td>\n<td>URL<\/td>\n<td>C2 server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3>MITRE ATT&amp;CK Techniques<\/h3>\n<figure 
class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Execution<\/strong><strong><\/strong><\/td>\n<td><strong>Persistence<\/strong><strong><\/strong><\/td>\n<td><strong>Defense Evasion<\/strong><strong><\/strong><\/td>\n<td><strong>Credential Access<\/strong><strong><\/strong><\/td>\n<td><strong>Collection<\/strong><strong><\/strong><\/td>\n<td><strong>Command &amp; Control<\/strong><strong><\/strong><\/td>\n<td><strong>Exfiltration<\/strong><strong><\/strong><\/td>\n<td><strong>Impact<\/strong><strong><\/strong><\/td>\n<\/tr>\n<tr>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1603\">T1603 Scheduled<br \/>Task\/Job<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1624\">T1624 Event Triggered Execution<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1406\">T1406 Obfuscated files\/information<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1417\">T1417 Input capture<\/a><\/td>\n<td>T1417 Input capture<\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1437\">T1437 Application Layer Protocol<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1646\">T1646 Exfiltration Over C2 Channel<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1582\">T1582 SMS Control<\/a><\/td>\n<\/tr>\n<tr>\n<td>&nbsp;<\/td>\n<td>T1603 Scheduled Task\/Job &nbsp;<\/td>\n<td>&nbsp;<\/td>\n<td><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1636\">T1636 Protected User Data<\/a><\/td>\n<td><a href=\"http:\/\/attack.mitre.org\/techniques\/T1521\">T1521 Encrypted Channel<\/a><\/td>\n<td>&nbsp;<\/td>\n<td>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><em><strong>Shivang Desai<\/strong>, <strong>Abhishek Pustakala<\/strong>, and <strong>Harshita Tripathi<\/strong><br \/>Microsoft 365 Defender Research Team<\/em><\/p>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/09\/21\/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices\/\">Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 21 Sep 2022 17:00:00 +0000<\/strong><\/p>\n<p>A fake mobile banking rewards app delivered through a link in an SMS campaign has been making the rounds, targeting customers of Indian banking institutions. Users who install the mobile app are unknowingly installing an Android malware with remote access trojan (RAT) capabilities. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/09\/21\/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices\/\">Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500],"class_list":["post-20156","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20156"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20156\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}