Last updated: 2018-04-24 13:05:08 MSK

Android.BankBot.358.origin

Added to Dr.Web virus database: 2018-04-05
Virus description was added: 2018-04-05
  • SHA1 packed: 4ad9a7f3a1d9e2549624c41e9a632d63a4e4b44e (Android.BankBot.250)
  • SHA1 unpacked: a8b6f23d881bd30383ca31a8ae1175ee70b9e4be

A banking Trojan for Android mobile devices, designed to steal money from Russian-speaking Sberbank clients. It is distributed via fraudulent text messages that invite potential victims to follow a link, supposedly to read a reply to a posted ad or to view information about a loan or a money transfer. Android.BankBot.358.origin is installed on smartphones and tablets posing as apps from Avito, Visa, Western Union and other popular services.


When launched, the Trojan attempts to obtain device administrator privileges. To do so, it displays the privilege request dialog in an infinite loop, so the user cannot continue using the device without granting them. Android.BankBot.358.origin then displays a fake message about an installation error and removes its icon from the list of programs on the home screen, hiding its presence on the device.


If the owner of an infected smartphone or tablet tries to revoke the Trojan's administrator privileges, Android.BankBot.358.origin prevents this by closing the settings window. Some modifications of the Trojan also set their own lock screen PIN codes.

Infected devices are controlled via HTTP and GCM (Google Cloud Messaging) from an administration panel.

After a successful infection, Android.BankBot.358.origin sends the command and control server a register request containing the following information about the device:

// Decompiled fragment: the fields placed into the JSON body of the register request
json.put("sid", this.api_panel_id);          // identifier of the administration panel
json.put("imei", this.getIMEI());
json.put("country", this.getCountry());
json.put("operator", this.getOperator());
json.put("phone", this.getPhone());
json.put("model", this.getModel());
json.put("version", this.getVersion());
json.put("application", this.context.getResources().getString(2131165185)); // string resource; the numeric argument is a compiled resource ID
json.put("build", this.app_build);
json.put("process_list", process_list);      // running processes
json.put("apps_list", apps_list);            // installed applications
json.put("method", "register");

The Trojan can execute the following commands:

  • register_ok – receive SMS interception templates and settings for blocking the screen with phishing windows;
  • GCM_register_ok – confirmation that the Google Cloud Messaging key was successfully sent to the administration panel;
  • START – launch the Trojan service;
  • STOP – stop the Trojan service;
  • RESTART – restart the Trojan service;
  • URL – change the address of the command and control server;
  • UPDATE_PATTERNS – update all data;
  • UNBLOCK – revoke the Trojan's administrator rights;
  • UPDATE – update the Trojan;
  • CONTACTS – send SMS messages to all numbers in the contact list;
  • CONTACTS_PRO – send SMS messages to all numbers specified in the command;
  • PAGE – load the webpage at the address specified in the command;
  • ALLMSG – send all SMS messages saved on the device to the server;
  • ALLCONTACTS – obtain information on contacts from the contact list;
  • ONLINE – check the Trojan's status;
  • NEWMSG – create a fake incoming SMS;
  • CHANGE_GCM_ID – change the GCM ID;
  • BLOCKER_BANKING_START – block the device's screen with a fake mobile banking window;
  • BLOCKER_EXTORTIONIST_START – block the device's screen with a ransom demand;
  • BLOCKER_UPDATE_START – block the device's screen with a fake message about a system update being installed;
  • BLOCKER_STOP – close the screen-blocking message.

Depending on the response received from the server, the Trojan makes one of the following requests:

  • "method", "message" – send an SMS message stored in the Trojan's SQLite database;
  • "method", "gcm_register" – send the GCM registration ID to the server;
  • "method", "repeat" – periodic check for new tasks;
  • "method", "command_receive" – confirmation that a task has been received;
  • "method", "save_contacts_list" – send information on contacts from the contact list;
  • "method", "get_message_list" – request the text of the message to be sent to contacts from the contact list;
  • "method", "save_message_history" – forward all SMS messages saved on the device to the command and control server.

Each request is first Base64-encoded, then encrypted with the AES key, and the result is converted to a hex string (bytes-to-hex). The resulting string is sent to the command and control server, which responds in the same way with a string containing the command. Additionally, the URL path used to contact the server is either generated randomly or produced by the DynamicSubDomain method.
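The request layering described above (and the register fields shown earlier), as an added example that is neither part of the Dr.Web write-up nor code recovered from the Trojan: a Go encoder that applies JSON, then Base64, then AES, then hex to the register request, and the inverse used to decode a server reply or a captured request, rejecting malformed input instead of guessing. The page does not state the AES mode, key size, IV or padding, so AES-128-CBC with PKCS#7 padding and a zero IV are assumptions, as are the placeholder key and the constructed sample field values (`panel-1`, the all-zero IMEI, the process and app lists).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumptions (the write-up does not state them): AES-128-CBC, PKCS#7 padding,
// zero IV, and a constructed key. A real decoder would use the key, mode and
// IV recovered from the sample under analysis.
var (
	key = []byte("0123456789abcdef") // constructed 16-byte placeholder key
	iv  = make([]byte, aes.BlockSize) // zero IV (assumption)
)

// RegisterRequest mirrors the fields the decompiled fragment puts into the
// JSON body of the "register" request, with constructed sample values.
func RegisterRequest() map[string]interface{} {
	return map[string]interface{}{
		"sid":          "panel-1",
		"imei":         "000000000000000",
		"country":      "ru",
		"operator":     "25001",
		"phone":        "+70000000000",
		"model":        "sample-device",
		"version":      "7.0",
		"application":  "Avito",
		"build":        "358",
		"process_list": []string{"com.android.systemui"},
		"apps_list":    []string{"ru.sberbankmobile"},
		"method":       "register",
	}
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: invalid padding")
	}
	return b[:len(b)-n], nil
}

// EncodeRequest applies the client-side pipeline: JSON -> Base64 -> AES-CBC -> hex.
func EncodeRequest(fields map[string]interface{}) (string, error) {
	plain, err := json.Marshal(fields)
	if err != nil {
		return "", err
	}
	b64 := []byte(base64.StdEncoding.EncodeToString(plain))
	block, _ := aes.NewCipher(key) // key length is fixed above, cannot fail
	padded := pkcs7Pad(b64)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(ct), nil
}

// DecodeResponse reverses the pipeline (hex -> AES-CBC -> Base64 -> plaintext).
// Both directions use the same layering, so it also decodes captured requests.
func DecodeResponse(hexStr string) ([]byte, error) {
	ct, err := hex.DecodeString(hexStr)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, _ := aes.NewCipher(key) // key length is fixed above, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(string(unpadded))
}

func main() {
	enc, err := EncodeRequest(RegisterRequest())
	if err != nil {
		panic(err)
	}
	dec, err := DecodeResponse(enc)
	fmt.Println("wire form:", enc[:32]+"...", "\nrecovered:", string(dec), err)
}
```

When working from a real capture, swap in the key, mode and IV pulled from the sample; the length and padding checks in DecodeResponse are what keep a wrong guess from producing silent garbage instead of an error.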


The data obtained by the Trojan, along with device information, is encrypted and stored in a local SQLite database with the following fields:

  • init_imei;
  • api_url;
  • gcm;
  • first_start;
  • init_bootable;
  • patterns;
  • blocker_banking;
  • blocker_banking_autolock;
  • blocker_extortionist;
  • blocker_extortionist_autolock;
  • cardSuccess;
  • blocker_banking_success;
  • immunity.

The main goal of Android.BankBot.358.origin is stealing money from Sberbank clients. Cybercriminals send the Trojan a command to block the infected device with a phishing window. It imitates the appearance of Sberbank Online, the bank's remote banking and payment system, and is displayed to every user regardless of whether they are a client of Sberbank or of another financial organization. The user is offered a money transfer, the amount of which the cybercriminals set via the administration panel. To receive the money, the user is asked to enter bank card details: the number, the holder's name, the expiration date and the CVV code. The fraudulent window cannot be closed, so the victim is effectively forced to hand this secret information to the cybercriminals.


If the victim uses the Mobile banking service, Android.BankBot.358.origin tries to use it to steal money from the victim's account. The Trojan sends SMS messages containing commands for the banking service, checks the current balance of the device owner's card and automatically transfers money to the cybercriminals' bank account or mobile phone account.

Some versions of Android.BankBot.358.origin can block an infected device with a ransom message demanding that the victim pay a fine for watching prohibited videos. To hide their malicious activity, various modifications of the Trojan can also block the screen with a notification that a system update was installed.
