| Researchers May 16, 2016


May 16, 2016

The house always wins: Takedown of a banking trojan in Google Play

By Christoph Hebeisen, Pat Ford

Screen Shot 2016-04-25 at 8.03.58 AM
You always take your chances when you gamble, but with this Android malware, the odds are very much against you.
Lookout recently identified an app called “Black Jack Free” in the Google Play store, which turned out to be a variant of the malware family Acecard. The app has since been removed from the store. Because we previously issued coverage for this malware family months ago, all Lookout customers — individuals and enterprises — are safe. Non-Lookout customers who downloaded Black Jack Free (com.bjack.free) should immediately remove the app from their device and change the passwords to their sensitive accounts. This malware also attempts to download and install a secondary app called Play Store Update (cosmetiq.fl). This app should also be removed.
Not as Free as it Seems
Black Jack Free lets people play poker for free, using only virtual money, but they are likely to lose something much more important by installing this game: funds from their real-life bank account. How? Apps from this malware family silently download a secondary app that displays overlay windows over legitimate banking apps and some other popular apps such as Facebook and Skype to trick people into entering their online banking credentials and credit card information. A chance of being defrauded of real money is not the kind of gamble people want to take when downloading apps from a reputable source such as Google Play.
Screen Shot 2016-05-16 at 10.51.39 AM
In addition to stealing online banking credentials and credit card information, this app is also capable of intercepting SMS messages and forwarding them to a malware server, sending SMS messages while impersonating the owner of the device, forwarding phone calls, locking the device screen, and wiping all user data from the device.
The app had up to 5,000 downloads as of the time it was removed.
After we discovered the malicious app in Google Play, we promptly informed Google and the app was subsequently removed from the store four days after it initially appeared. This takedown helps protect the entire Android ecosystem, but the deck is clearly stacked in favor of Lookout customers.
Banking Trojans
As we reported in January, banking trojans, which target banking apps or other services with access to bank accounts and credit card numbers, are a growing issue. Marchcaban, a similar piece of mobile malware, targets PayPal customers in the same way. Once installed on a device, Marchaban scans the device for the PayPal app. If present, the malware will layer itself over the PayPal app user interface and collect any data a person enters into PayPal.
You can compare this kind of mobile malware with ATM skimmers — the devices criminals install over an ATM’s card reader in order to steal a person’s card information. It’s a layer of technology that siphons off data while the individual goes about their regular banking business.
Appendix:
SHA1 Hashes of the Malicious Apps
com.bjack.free (app dropper): c988061b38951da3739270215b6060ccaa068f9c cosmetiq.fl (payload): d5f684f957902d1367e390125fd2567879dbcccf

Author

Christoph Hebeisen,
Engineer Manager, Security R&R


Author

Pat Ford

Leave a comment

Submit


0 comments